Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

Danny Mayer <mayer@ntp.org> Tue, 28 May 2019 19:41 UTC

To: ntp@ietf.org
References: <155841904754.12856.3727925672753047210.idtracker@ietfa.amsl.com> <9d21f083-4cba-1dd1-f5bb-c95984d3127b@si6networks.com>
From: Danny Mayer <mayer@ntp.org>
Message-ID: <9d74c6e3-244e-fdd7-184a-0572f4f144cd@ntp.org>
Date: Tue, 28 May 2019 15:41:08 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/n09Sb61WkH03lSRtamkELXwEQN4>
Subject: Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

I'm formally objecting to adopting this draft since it accomplishes
nothing. RFC5905 specifically states in Section 8 paragraph 5 that the
origin timestamp should be checked with what was sent from the NTP
Client: "A packet is bogus if the origin timestamp t1 in the packet does
not match the xmt state variable T1."

The origin timestamp is a 64-bit quantity that must be returned by the
server that is providing timestamps for the NTP Client to process. An
off-path attacker would have a hard time guessing even the correct number
of seconds, never mind the other 32 bits of the timestamp. Randomizing
the port number adds another 16 bits, which is overkill when you cannot
even guess the first 64 bits.

Furthermore, you should try to have more than one source, which would add
a minimum of another 64 bits of nonce.

While we are at it, the CERT specified in the draft is similarly invalid
because of the above.

Danny
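The RFC 5905 Section 8 check that the post refers to, as an added worked example (editor's code, not Danny's and not ntpd's): the client keeps the 64-bit transmit timestamp of each request as its xmt state variable T1, and a reply is classified as bogus unless its origin timestamp equals T1 exactly. All packets are built in-process from constructed clock values; the stratum, reference ID and precision fields are placeholders, and nothing is sent on the network.

```python
"""Client-side origin-timestamp (T1) check from RFC 5905 Section 8.

Constructed example: builds a 48-byte NTPv4 client request, a genuine
server reply that echoes the request's transmit timestamp as its origin
timestamp, and an off-path forgery that guesses the seconds field but
cannot know the 32-bit fraction. The forgery is rejected as bogus.
"""
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01
# NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then reference/origin/receive/transmit
# timestamps, each a 64-bit seconds.fraction value (48 bytes total).
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4


def unix_to_ntp(unix_time: float) -> int:
    """Convert Unix time (float seconds) to a 64-bit NTP timestamp."""
    whole = int(unix_time)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def build_client_request(xmt: int) -> bytes:
    """Mode 3 request; the client records xmt as its T1 state variable."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return NTP_HEADER.pack(li_vn_mode, 0, 6, -20, 0, 0, b"\x00" * 4,
                           0, 0, 0, xmt)


def parse_header(packet: bytes) -> dict:
    """Unpack the fixed header fields needed for the on-wire checks."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    f = NTP_HEADER.unpack_from(packet)
    return {
        "mode": f[0] & 0x07,
        "version": (f[0] >> 3) & 0x07,
        "stratum": f[1],
        "reference": f[7],
        "origin": f[8],
        "receive": f[9],
        "transmit": f[10],
    }


def build_server_reply(request: bytes, server_time: float) -> bytes:
    """Behave like a conforming server: copy the request's transmit
    timestamp into the reply's origin timestamp field (constructed
    stratum-2 values for the other fields)."""
    req = parse_header(request)
    now = unix_to_ntp(server_time)
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_SERVER
    return NTP_HEADER.pack(li_vn_mode, 2, 6, -20, 0, 0, b"GPS\x00",
                           now, req["transmit"], now, now)


def classify_reply(reply: bytes, xmt_state: int) -> str:
    """RFC 5905 Section 8: the packet is bogus if the origin timestamp t1
    does not match the client's xmt state variable T1."""
    hdr = parse_header(reply)
    if hdr["mode"] != MODE_SERVER:
        return "ignored"  # not a server reply to our mode-3 request
    if hdr["origin"] != xmt_state:
        return "bogus"
    return "ok"


def demo() -> dict:
    """Genuine reply passes; a seconds-only guess of T1 is rejected."""
    client_xmt = unix_to_ntp(1558990868.123456)  # constructed client clock
    request = build_client_request(client_xmt)
    genuine = build_server_reply(request, 1558990868.2)
    # Off-path sender never saw the request: even with the seconds field
    # guessed correctly, the 32-bit fraction of T1 is unknown to it.
    seconds_only_guess = client_xmt & 0xFFFFFFFF00000000
    forged = build_server_reply(build_client_request(seconds_only_guess),
                                1558990868.2)
    return {
        "genuine": classify_reply(genuine, client_xmt),
        "forged": classify_reply(forged, client_xmt),
    }


if __name__ == "__main__":
    print(demo())
```

The check compares the full 64-bit value, so a reply is only accepted when the sender echoed the exact request it actually received; this is the property the post relies on when it says an off-path sender must guess all 64 bits of T1 before the client's source port matters at all.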

On 5/21/19 2:21 AM, Fernando Gont wrote:
> Folks,
>
> We have published a rev of our I-D on NTP port randomization, based on
> the feedback we've received so far:
> https://www.ietf.org/internet-drafts/draft-gont-ntp-port-randomization-01.txt
>
> At this point we'd like the wg to consider our document for wg adoption.
>
> Thanks!
>
> Cheers,
> Guillermo & Fernando
>
> -------- Forwarded Message --------
> Subject: New Version Notification for
> draft-gont-ntp-port-randomization-01.txt
> Date: Mon, 20 May 2019 23:10:47 -0700
> From: internet-drafts@ietf.org
> To: Fernando Gont <fgont@si6networks.com>, Guillermo Gont
> <ggont@si6networks.com>
>
>
> A new version of I-D, draft-gont-ntp-port-randomization-01.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
>
> Name:		draft-gont-ntp-port-randomization
> Revision:	01
> Title:		Port Randomization in the Network Time Protocol Version 4
> Document date:	2019-05-20
> Group:		Individual Submission
> Pages:		7
> URL:
> https://www.ietf.org/internet-drafts/draft-gont-ntp-port-randomization-01.txt
> Status:
> https://datatracker.ietf.org/doc/draft-gont-ntp-port-randomization/
> Htmlized:
> https://tools.ietf.org/html/draft-gont-ntp-port-randomization-01
> Htmlized:
> https://datatracker.ietf.org/doc/html/draft-gont-ntp-port-randomization
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-gont-ntp-port-randomization-01
>
> Abstract:
>    The Network Time Protocol can operate in several modes.  Some of
>    these modes are based on the receipt of unsolicited packets, and
>    therefore require the use of a service/well-known port as the local
>    port number.  However, in the case of NTP modes where the use of a
>    service/well-known port is not required, employing such well-known/
>    service port unnecessarily increases the ability of attackers to
>    perform blind/off-path attacks, since knowledge of such port number
>    is typically required for such attacks.  This document formally
>    updates RFC5905, recommending the use of port randomization for those
>    modes where use of the NTP service port is not required.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>