Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)
Danny Mayer <mayer@ntp.org> Tue, 28 May 2019 19:41 UTC
To: ntp@ietf.org
References: <155841904754.12856.3727925672753047210.idtracker@ietfa.amsl.com> <9d21f083-4cba-1dd1-f5bb-c95984d3127b@si6networks.com>
From: Danny Mayer <mayer@ntp.org>
Message-ID: <9d74c6e3-244e-fdd7-184a-0572f4f144cd@ntp.org>
Date: Tue, 28 May 2019 15:41:08 -0400
In-Reply-To: <9d21f083-4cba-1dd1-f5bb-c95984d3127b@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/n09Sb61WkH03lSRtamkELXwEQN4>
I'm formally objecting to adopting this draft since it accomplishes nothing. RFC5905 specifically states in Section 8 paragraph 5 that the origin timestamp should be checked with what was sent from the NTP Client: "A packet is bogus if the origin timestamp t1 in the packet does not match the xmt state variable T1." The origin timestamp is a 64-bit quantity that must be returned by the server that is providing timestamps for the NTP Client to process. An off-path attacker would have a hard time guessing even the correct number of seconds, never mind the other 32 bits of the timestamp. Randomizing the port number adds another 16 bits, which is overkill when you cannot even guess the first 64 bits. Furthermore, you should try and have more than one source, which would add a minimum of another 64 bits of nonce. While we are at it, the CERT specified in the draft is similarly invalid because of the above.

Danny

On 5/21/19 2:21 AM, Fernando Gont wrote:
> Folks,
>
> We have published a rev of our I-D on NTP port randomization, based on
> the feedback we've received so far:
> https://www.ietf.org/internet-drafts/draft-gont-ntp-port-randomization-01.txt
>
> At this point we'd like the wg to consider our document for wg adoption.
>
> Thanks!
>
> Cheers,
> Guillermo & Fernando
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-ntp-port-randomization-01.txt
> Date: Mon, 20 May 2019 23:10:47 -0700
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont
> <ggont@si6networks.com>
>
>
> A new version of I-D, draft-gont-ntp-port-randomization-01.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name: draft-gont-ntp-port-randomization
> Revision: 01
> Title: Port Randomization in the Network Time Protocol Version 4
> Document date: 2019-05-20
> Group: Individual Submission
> Pages: 7
> URL: https://www.ietf.org/internet-drafts/draft-gont-ntp-port-randomization-01.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-ntp-port-randomization/
> Htmlized: https://tools.ietf.org/html/draft-gont-ntp-port-randomization-01
> Htmlized: https://datatracker.ietf.org/doc/html/draft-gont-ntp-port-randomization
> Diff: https://www.ietf.org/rfcdiff?url2=draft-gont-ntp-port-randomization-01
>
> Abstract:
> The Network Time Protocol can operate in several modes. Some of
> these modes are based on the receipt of unsolicited packets, and
> therefore require the use of a service/well-known port as the local
> port number. However, in the case of NTP modes where the use of a
> service/well-known port is not required, employing such well-known/
> service port unnecessarily increases the ability of attackers to
> perform blind/off-path attacks, since knowledge of such port number
> is typically required for such attacks. This document formally
> updates RFC5905, recommending the use of port randomization for those
> modes where use of the NTP service port is not required.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
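The RFC 5905 Section 8 bogus-packet check that the message above relies on, as an added example (not code from this message, the I-D, or the NTP project): a client records its transmit timestamp as the xmt state variable and rejects any reply whose origin timestamp does not match it. The packet builders, `demo()`, and the sample timestamps are constructed for this illustration.

```python
import struct

# 48-byte NTP v4 header (RFC 5905, Section 7.3): LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then four 64-bit
# timestamps: reference, origin (T1), receive, transmit.
NTP_HDR = struct.Struct("!BBBbIIIQQQQ")
ORIGIN, TRANSMIT = 8, 10          # field indexes in the unpacked tuple
NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01


def ntp_timestamp(unix_time: float) -> int:
    """Unix time to the 64-bit NTP fixed-point format (32 s bits, 32 frac bits)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def build_client_request(xmt: int) -> bytes:
    """Mode-3 request. The client writes xmt into the transmit field and keeps
    it as its xmt state variable (T1) for the later origin check."""
    return NTP_HDR.pack((4 << 3) | 3, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmt)


def build_server_reply(request: bytes, now: int) -> bytes:
    """Mode-4 reply: a well-behaved server copies the request's transmit
    timestamp into the origin field, which only the real client knows."""
    origin = NTP_HDR.unpack(request)[TRANSMIT]
    return NTP_HDR.pack((4 << 3) | 4, 2, 6, -20, 0, 0, 0x4C4F434C,
                        now, origin, now, now)


def is_bogus(reply: bytes, xmt_state: int) -> bool:
    """RFC 5905 Section 8 bogus test: origin timestamp != xmt state variable."""
    if len(reply) < NTP_HDR.size:
        return True               # truncated packet, treat as bogus
    return NTP_HDR.unpack_from(reply)[ORIGIN] != xmt_state


def demo() -> tuple:
    """Run the check on a constructed genuine reply and a constructed forgery."""
    t1 = ntp_timestamp(1559072468.25)   # constructed T1: 2019-05-28 19:41:08 UTC
    request = build_client_request(t1)
    now = ntp_timestamp(1559072468.30)
    genuine = build_server_reply(request, now)
    # Constructed off-path forgery: the sender knows the seconds but not the
    # 32 fraction bits of T1, so the origin field cannot match and is dropped.
    forged_origin = (t1 & ~0xFFFFFFFF) | 0x12345678
    forged = NTP_HDR.pack((4 << 3) | 4, 1, 6, -20, 0, 0, 0,
                          now, forged_origin, now, now)
    return is_bogus(genuine, t1), is_bogus(forged, t1)   # (False, True)
```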