Re: [ntpwg] Comments on various NTS drafts
Florian Weimer <fweimer@redhat.com> Wed, 15 April 2015 04:10 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BAF41B2BA3 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 14 Apr 2015 21:10:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ya8Uwi3JJv11 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Tue, 14 Apr 2015 21:10:24 -0700 (PDT)
Received: from psp3.ntp.org (psp3.ntp.org [149.20.68.23]) by ietfa.amsl.com (Postfix) with ESMTP id D83E11B2BA1 for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 14 Apr 2015 21:10:24 -0700 (PDT)
Received: from psp3.ntp.org (localhost.ntp.org [127.0.0.1]) by psp3.ntp.org (Postfix) with ESMTP id 3920C39E9A for <ntp-archives-ahFae6za@lists.ietf.org>; Tue, 14 Apr 2015 21:09:59 -0700 (PDT)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id B99B386D33C for <ntpwg@lists.ntp.org>; Sun, 12 Apr 2015 05:49:45 +0000 (UTC)
Received: from mx1.redhat.com ([209.132.183.28]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <fweimer@redhat.com>) id 1YhAm1-000C6W-8Z for ntpwg@lists.ntp.org; Sun, 12 Apr 2015 05:49:45 +0000
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com [10.5.11.22]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id t39BYkSi032153 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 9 Apr 2015 07:34:46 -0400
Received: from oldenburg.str.redhat.com (oldenburg.str.redhat.com [10.33.200.60]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t39BYifF006012 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 9 Apr 2015 07:34:45 -0400
Message-ID: <552663D3.7040005@redhat.com>
Date: Thu, 09 Apr 2015 13:34:43 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: dieter.sibold@ptb.de
References: <551D1150.5080500@redhat.com> <OF1F8E2A91.0B970EC7-ONC1257E22.00357A53-C1257E22.00381DAC@ptb.de>
In-Reply-To: <OF1F8E2A91.0B970EC7-ONC1257E22.00357A53-C1257E22.00381DAC@ptb.de>
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.22
X-SA-Exim-Connect-IP: 209.132.183.28
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: fweimer@redhat.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] Comments on various NTS drafts
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: ntpwg@lists.ntp.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
On 04/09/2015 12:12 PM, dieter.sibold@ptb.de wrote: > thanks for your comments and recommendations. We'll carefully look into > your comments. We already addressed some of your comments (see inline). Thanks. > Regarding DTLS. Please keep in mind that DTLS requires a layer 3 > communication. With PTP we also have to consider layer 2 communication > channels where DTLS is not applicable. I think this is based on a misconception. DTLS requires a datagram transport, and it has its own fragmentation support, so it should be perfectly possible to run it on top of a layer 2 transport which has sufficient frame size (such as Ethernet). Per-client server-side state would only need to be maintained during the initial handshake, and not to answer subsequent time queries from clients (but maintaining such state may be a performance optimization). >> Section 5.6.1 requires frequent key refresh. This is impossible to >> implement in practice (ultimate keys cannot be refreshed without >> operator intervention), and not necessary as long as sufficiently strong >> cryptographic primitives (non-broken algorithms) are used. > > We don't see a problem with this requirement. You do not periodically refresh asymmetric keys used for the initial handshake. > For clarification. Do you propose to abandon key refreshment at all? Yes, the message rate is not sufficiently high that this would pose a problem. You just have to use cryptographic primitives which are not known to be broken. >> In addition, RFC 7384, Section 3.2.10 indicates that securing the time >> source of an entire organization from an external source is out of >> scope. However, this is likely the most common application of a security >> time protocol. > > Please note, that 3.2.10 refers to the connection of reference time (such > as GPS, Radio transmitter, ...) to the PTP grandmaster or NTP stratum 1 > server. These are basically non-IP or non-Ethernet connections and > therefore out of scope. I expect that rather soon, there will be a requirement to import time in a secure way from one of the national time sources such as PTB or NIST. (NIST already offers an authenticated time service.) I still haven't read the relevant regulation, though, and it's likely still ambiguous in this regard. >> * The integrity checks on the server_assoc response are unclear. It is >> not specified if host name verification is performed. (D) > > This should be ensured via CMS. But we will check this. Host name checks are out of scope for CMS, so you have to specify something on your own. >> * Client certificate management is a red flag for many organizations. It >> would be better if the protocol would not use a client certificate at >> all, and some other key agreement scheme (e.g., application key >> extraction with TLS/DTLS, without client certificates, or a TLS response >> containing an encrypted session key). (D) > > We want to have certificates in order to have a mean to provide > authorization. I think it would be best to make them optional. >> * With a server without per-client state, the HMAC key setup has to be >> performed on each response. This is quite costly. A different MAC >> could be quite a bit cheaper in terms of CPU overhead. > > Which MAC do you propose? I'd have to do some research on this matter and will report back. Not all technical choices will be acceptable to the IETF. >> * I have doubts about the use of TESLA. > For us TESLA seems to be an appropriate approach. Do you know a good > alternative? I'm afraid I do not. (To be clear: If you do not have operational experience with TESLA that says otherwise, I suspect it will not work in practice.) >> * Requiring a new OID in the Extended Key Usages attribute of >> certificates (section 4) means that the browser PKI cannot be used to >> authenticate hosts. This seems quite wrong. > > Please describe the problem in more detail. The existing guidelines for browser CAs discourage signing subscriber certificates with strange extKeyUsage fields, see these requirements documents: <https://cabforum.org/baseline-requirements-documents/> >> # draft-ietf-ntp-using-nts-for-ntp-00 >> >> * There is no cookie protection of server_assoc/server_cook responses, >> as explained above. This is quite bad. (D) > > What exactly do you mean by cookie protection? This is the lack of a Photuris cookie mentioned above. -- Florian Weimer / Red Hat Product Security _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Richard Welty
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antwort: Comments on various NTS drafts dieter.sibold
- Re: [ntpwg] Antwort: Comments on various NTS draf… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Comments on various NTS drafts Florian Weimer
- [ntpwg] Antwort: Re: Comments on various NTS draf… dieter.sibold
- [ntpwg] Antw: Re: Antwort: Re: Comments on variou… Ulrich Windl
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer
- Re: [ntpwg] Antwort: Re: Comments on various NTS … Florian Weimer
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… kristof.teichel
- Re: [ntpwg] Antw: Re: Antwort: Re: Comments on va… Florian Weimer