Re: [Ntp] Benjamin Kaduk's Abstain on draft-ietf-ntp-interleaved-modes-06: (with COMMENT)

[Miroslav Lichvar <mlichvar@redhat.com>]

(I'm sorry for late response.)

On Wed, Jul 14, 2021 at 12:28:40PM -0700, Benjamin Kaduk via Datatracker wrote:
> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-ntp-interleaved-modes-06: Abstain

Thank you for your review, comments, and suggestions. I think most of
the issues you point out could be fixed.

Some comments below.

> The discussion of "user space"/"kernel", "system call", and the like
> seems to implicitly assume a certain architecture and may not be
> applicable to fully all devices speaking NTP.  But these are certainly
> common architectures and abstractions, and I don't expect that using
> this framing for the discussion will hamper readability.

Those terms are used only in the introduction and there is a sentence
leading to that part with "a software NTP implementation running on an
operating system". It's meant as an example. The document does not
make any assumptions about the system or NTP implementation, or where
exactly the timestamp is actually captured.

> There seem to be some scenarios where packets can be sent in both basic
> mode and interleaved mode within the same association, and it cannot
> always be predicted whether a response or "next message" will be in
> interleaved mode or not.  It seems like this could present significant
> implementation complexity in terms of deciding whether or not to process
> a packet "now" as a basic-mode packet or wait for a follow-up that
> includes the more-accurate interleaved-mode timestamp, or some more
> complicated combination of the two.  Is there any implementation
> guidance that we can give about how to process packets when there may or
> may not be a later follow-up with a correction to it?

It should process all valid packets and apply the filters it has, no
matter if the response was basic or interleaved. It should never rely
on the next response being interleaved (or there being a response at
all).

The document has a paragraph starting with "Clients MAY filter
measurements based on the mode.". There is no extra complexity
necessary. You can think of a basic response as a packet that was
delayed in the network by several extra microseconds. An NTP client is
expected to drop measurements impacted by significant delay. In
RFC5905 there is the clock filter for that. If the network delay is
stable enough, the filter will prefer interleaved measurements.
Otherwise they will be mixed with basic measurements as the impact of
the interleaved mode is not significant when compared to the network
jitter.

> Section 1
> 
>    Requests and responses cannot always be formed in interleaved mode.
>    Servers, clients, and peers are required to support both interleaved
>    and basic modes.
> 
> I'm not sure I understand the intended statement of requirement here.
> Are we proposing (by virtue of Updates: 5905) that all NTP
> implementations are required to support interleaved mode?  Or just that,
> in order to use interleaved mode, all parties are required to have
> support for it?

It's supposed to avoid an expectation that basic mode can be ignored
and not implemented. Basic mode is always needed. Interleaved mode is
optional.

> Section 2
> 
> Breaking this up into subsections might help readability.

Others have suggested that too. As it is currently written, I don't
see clear boundaries that would make nicely separated sections. Some
reordering and rewriting might be necessary. I'll see what we can do.

>    A client request in the interleaved mode has an origin timestamp
>    equal to the receive timestamp from the previous server response.  A
>    server response in the interleaved mode has an origin timestamp equal
>    to the receive timestamp from the client's request.  The transmit
>    timestamps correspond to the previous packets that were sent to the
>    server or client.
> 
> Please provide a lot more precision about what "transmit timestamps
> correspond to the previous packets" means -- I might guess that it's
> just (client, server) using the same transmit timestamp used by the
> (client, server) to generate the initial exchange that preceded
> interleaved mode, but I also might guess a lot of other things.

Ok, makes sense.

>    The transmit and receive timestamps in server responses need to be
>    unique to prevent two different clients from sending requests with
>    the same origin timestamp and the server responding in the
>    interleaved mode with an incorrect transmit timestamp.  If the
> 
> IIUC (having read the rest of the document), the requirement here is
> that if we take the union of all transmit timestamps and all receive
> timestamps generated by the server, there must be no duplicates.

Such a requirement would be too strong unnecessarily. I think we care
only about the interval where it makes a difference for the client
using interleaved mode. We should find a better way to describe it.

There are different reasons for a non-unique timestamp to exist. There
can be multiple threads reading the same clock, or the timestamp
randomization below precision is too wide to prevent two consecutive
reads giving the same timestamp. The server needs to save the
timestamps in this interval to prevent two clients from getting the
same timestamp.

Another reason for duplicity is a backward clock step. If the server
runs 10 minutes ahead and then jumps back to the current time, it
could possibly give the same timestamp to a different client in that
10 minute interval. The first client could then get the transmit
timestamp of the response to the second client. There could be a
positive or negative error somewhere in the microsecond range. To
prevent that, the server would have to save all timestamps it has ever
used and keep them across restart. Obviously, we don't want NTP
servers to do that.

>From the client's point of view the server already failed when it was
serving wrong time before it jumped back, with an error larger by many
orders of magnitude.

>    A response in the interleaved mode MUST contain the transmit
>    timestamp of the response which contained the receive timestamp
>    matching the origin timestamp from the request.  [...]
> 
> "contain" doesn't say much about containing *where*; I suggest being
> very clear that it contains in the transmit timestamp field the same
> transmit timestamp used in the previous response.

It's not supposed to be the same transmit timestamp. It should be a
more accurate transmit timestamp corresponding to the same packet.

>    The first request from a client is always in the basic mode and so is
>    the server response.  It has a zero origin timestamp and zero receive
>    timestamp.  Only when the client receives a valid response from the
>    server, it will be able to send a request in the interleaved mode.
> 
> While this is true of the first request ever, it's not quite true for
> the first request of a given exchange, since RFC 5905 allows the client
> to send the transmit timestamp from a previous server response as the
> origin timestamp.  We do mention at the end of the section that
> draft-ietf-ntp-data-minimization recommends sending zero as the origin
> timestamp, but that's of course not something that can be strongly
> relied upon.  I'd actually suggest just noting here that the first
> request has to be detected to be in basic mode, and forward-reference a
> dedicated subsection at the end of the section that talks about how to
> identify such requests.

I don't quite follow here. In RFC5905 the origin timestamp is always
set to a non-zero value except when the association is started (i.e.
there is no previous response the request could refer to). SNTP
clients use a subset of the protocol, i.e. set the origin timestamp to
zero at any time.

A server that supports the interleaved mode is trying to detect
interleaved requests. If it doesn't have a matching timestamp, it's
assumed to be in the basic mode. It does not matter if it was actually
interleaved. The server does not have a more accurate timestamp that
it could provide in an interleaved response.

>    When the client receives a response from the server, it performs the
>    tests described in RFC 5905.  Two of the tests are modified for the
>    interleaved mode:
> 
> Indicating more precisely exactly which tests are modified (e.g., that
> these are the numbered tests from figure 22 of RFC 5905) could be
> useful.
> 
>    1.  The check for duplicate packets SHOULD compare both receive and
>        transmit timestamps in order to not drop a valid response in the
>        interleaved mode if it follows a response in the basic mode and
>        they contain the same transmit timestamp.
> 
>    2.  The check for bogus packets SHOULD compare the origin timestamp
>        with both transmit and receive timestamps from the request.  If
>        the origin timestamp is equal to the transmit timestamp, the
>        response is in the basic mode.  If the origin timestamp is equal
>        to the receive timestamp, the response is in the interleaved
>        mode.
> 
> If I understand correctly, ignoring either of these SHOULDs would result in
> completely failing to use interleaved mode.  Does that mean that they're
> MUSTs?

No, it would not fail completely. Without the first modification it
wouldn't work only if the server responded in interleaved mode
without actually providing a more accurate timestamp. The second
modification is needed to be able to process both interleaved and
basic responses. An implementation doesn't have to support that. It
is free to limit itself to interleaved responses if configured as
such. Not a good idea, but it doesn't have an impact on the other side
of the association, so it's just a SHOULD, right?

>    A check for a non-zero origin timestamp works with clients that
>    implement NTP data minimization [I-D.ietf-ntp-data-minimization].  To
>    detect requests in the basic mode from clients that do not implement
>    the data minimization, the server can encode in low-order bits of the
>    receive and transmit timestamps below precision of the clock a bit
>    indicating whether the timestamp is a receive timestamp.  If the
>    server receives a request with a non-zero origin timestamp which does
>    not indicate it is a receive timestamp of the server, the request is
>    in the basic mode and it is not necessary to save the new receive and
>    transmit timestamp.
> 
> In the vein of my earlier comment, I'd suggest rewording this
> significantly and making it a dedicated subsection on detecting if a
> request is in basic or interleaved mode.  That might look something like
> this:

The paragraph above was meant as an optimization to avoid frequent
lookups of the timestamp when most of the clients don't use the
interleaved mode.

> % As part of request processing, the server must determine whether a
> % given request is in basic or interleaved mode (and thus whether or not
> % to respond in basic or interleaved mode).  A request with a zero
> % origin timestamp is unambiguously in basic mode, but RFC 5905 allows a
> % client to send a request with a non-zero origin timestamp copied from
> % the transmit timestamp of a previous response from that server.  While
> % [I-D.ietf-ntp-data-minimization] recommends always using zero for the
> % request's origin timestamp, that is not a behavior that the server can
> % rely upon, and so an additional mechanism is needed in order to detect
> % whether a request with non-zero origin timestamp is in basic mode.

This seems backwards to me. Basic mode should be the default. The
server is trying to detect interleaved requests.

>    In order to prevent the peer from matching the transmit timestamp
>    with an incorrect packet when the peers' transmissions do not
>    alternate (e.g. they use different polling intervals) and a previous
>    packet was lost, the use of the interleaved mode in symmetric
>    associations requires additional restrictions.
> 
> Though the specific "restrictions" are enumerated as specific conditions
> below (scare quotes since they are only "SHOULD"-level requirements),
> the subsequent discussion suggests that in practice there are also
> implications on the relationship between the polling intervals of the
> two peers.  Should we say something here about how the polling intervals
> should be within a factor of (1.5? 2?) of each other in order for
> interleaved mode to be feasible?

The polling intervals need to be the same. That's what NTP peers
normally try to do. Their polls lock to each other. It's only
when one of them has minpoll larger than the other maxpoll interleaved
mode cannot both in both directions.
> 
>    A peer A SHOULD send a peer B a packet in the interleaved mode only
>    when all of the following conditions are met:
> 
> What happens if I violate this SHOULD?

The transmit timestamp could be matched with a wrong packet, causing a
large error in the measured offset and delay.

>    The peers SHOULD compute the offset and delay using one of the two
>    sets of timestamps specified in the client/server section.  They MAY
>    switch between them to minimize the interval between T1 and T4 in
>    order to reduce the error in the measured delay.
> 
> One of the sets of timestamps doesn't use T1, so I'm not sure what is
> supposed to be minimized here.

I don't see the issue. Both sets have timestamps named T1, T2, T3, T4.

> Section 4
> 
>    If the difference is larger than a specified maximum (e.g. 1 second),
>    the packet SHOULD NOT be used for synchronization.
> 
> Not used at all, or used only in basic mode?

Not used in the interleaved mode. It can still be used in the basic
mode. That's up to the implementation.

> Section 7
> 
>    Clients using the interleaved mode SHOULD randomize all bits of both
>    receive and transmit timestamps, as recommended for the transmit
>    timestamp in the NTP client data minimization
>    [I-D.ietf-ntp-data-minimization], to make it more difficult for off-
>    path attackers to guess the origin timestamp.  [...]
> 
> I would suggest going into a little more detail on the scope of
> consequences if an off-path attacker does successfully guess the origin
> timestamp.

It basically allows the attacker to inject an arbitrary offset to the
measurement. It's explained in the SECNTP document referenced in the
Security considerations.
> 
>    Protecting symmetric associations in the interleaved mode against
>    replay attacks is even more difficult than in the basic mode.  The
>    NTP state needs to be protected not only between the reception and
>    transmission in order to send the peer a packet with a valid origin
>    timestamp, but all the time to not lose the timestamps which will be
>    needed to complete a measurement when the following packet in the
>    interleaved mode is received.
> 
> Is there some existing guidance on how to protect symmetric associations
> that we can refer to (and would be effective under these constraints)?

No, AFAIK there is not. They cannot be fully protected, as explained
in the SECNTP document. Ignoring timestamps from past can protect
clocks that are already synchronized and don't step back. To not get
stuck if a step does happen (when there is no attack) requires more
state than what is described in RFC5905. With interleaved mode the
state gets even larger and more complex. It might be an idea for a new
I-D, but as we want to drop the symmetric mode in NTPv5, I'm not sure
if it's worth the trouble.

-- 
Miroslav Lichvar