IETF Logo Mail Archive

Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using-nts-for-ntp

Harlan Stenn <stenn@nwtime.org> Sun, 09 December 2018 05:48 UTC

Return-Path: <stenn@nwtime.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF573130E57 for <ntp@ietfa.amsl.com>; Sat, 8 Dec 2018 21:48:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhFHYTVhL_La for <ntp@ietfa.amsl.com>; Sat, 8 Dec 2018 21:48:13 -0800 (PST)
Received: from chessie.everett.org (chessie.everett.org [IPv6:2001:470:1:205::234]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DA61130DC8 for <ntp@ietf.org>; Sat, 8 Dec 2018 21:48:11 -0800 (PST)
Received: from [192.168.1.16] (71-93-229-51.dhcp.mdfd.or.charter.com [71.93.229.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 43CFcB38vWzL7K; Sun, 9 Dec 2018 05:48:10 +0000 (UTC)
To: kristof.teichel@ptb.de
Cc: ntp@ietf.org
References: <4e9efcc4-0285-72c1-9119-7cbd167847d0@nwtime.org> <FF5E07A6-6F59-4D45-A186-7FC7C9B4A41C@isoc.org> <0DAD4C5F-EAFA-4A3D-A3E4-55F34A7C1BFE@isoc.org> <AM0PR0602MB3730B2389832592B5A1D2647FFA90@AM0PR0602MB3730.eurprd06.prod.outlook.com> <OF03487E97.EB065354-ONC125835D.006E9262-C125835D.00717024@ptb.de>
From: Harlan Stenn <stenn@nwtime.org>
Openpgp: preference=signencrypt
Autocrypt: addr=stenn@nwtime.org; prefer-encrypt=mutual; keydata= xsDNBFI2xmQBDACrPayw18eU4pIwCvKh7k0iMkAV9cvzs49kBppM+xoH+KKj4QWmkKELD39H ngQnT3RkKsTLlwxyLqPdUmeQNAY2M5fsOK+OF6EvwLPK9hbmE3Wx2moX+sbEUxJ2VzFhKSKb OPZALXwk1XxL0qBedz0xHYcDwaSAZZkEFXURv2pDIdrmnoUnq2gdC8GpoFJiXoUaCLSYzzaY ac4Njw7Mue8IqfzRQb70aMjXl/qmsmfmEVAyGXywDdc/ler4XSgiuYOV7Kf69bj9PFZZSMdJ MWgEyZH6lJ0TU5ccR2zp5ZRmWzQQkxJMyH2th7q0Nmz3aX4A0K4yE0Ba9/5Dr7ctpF15BrMF aEo4s5lwI6tUnkgMWo265mMzCz4mAPV/ac0w0OXQg7r9E2r0+dRapnzUlG43D0JLDqDr9uRR L6IrRQqoCWUC75lfmPYQYSlaTJaK68r3lXd0z1cXJUgVtEL5H3/Z71R2B20twcQVAnw2iIH6 L5vdrsIjHrMmkqRVbs9nNyEAEQEAAc0nSGFybGFuIE0gU3Rlbm4gKFBGQ1MpIDxoYXJsYW5A cGZjcy5jb20+wsD8BBMBAgAmAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AFAlI2xr0C GQEACgkQyIwAt1pH+kDfsQv/Q8fSJks4uNNyLf0O2kX9cepWExSTBpSgc1wsr65ldAx3fuPT ci+gymO0qs1PlGYPYuMFEVmIRpJFy/tUVXZIGIZtlOURAHXjov0NbdwyZnOahEaja3jL+bBH GGJpRtmD+CCAVkj1UEUNF2mLqUgwEQarvHLCI6j1xz5+kxzdXsF3jVAlLMRkpScOfZ2NiHq7 Dp8ClCcEALI+lU2sUIP8dGTqNCM03ma0M5T53PIzkD8tRMNa5Dznv6E3+eFE6xefm5uMzCWs XEzxxaaoVnkoFxyrJpHBkDuIl5MKhcyG0lcmmVeM35MoZpJXE6fgqvbq9XZccSQUcpY1OrwM mc2CjjTsm5K9IFDyD7yRA6xh4Z/ExSFBnwky2JwMJtJgqDRsLFkSvYCq+m+Zc3YWP8rGbmdR Lk57eZ3hdt9MuUX879LyjAKHWm5aFbCs5vsq2n8XWrxJMVHVOUy5pQlzAz5fa+5yjba9YM7L 4DMefzQZ9Q3P+TfBofmsQSbH54rkK/WAzsDNBFI2xmQBDADXLsBkI7CSa5UXlrNVFJQHER1V xRBKqjWWCh/8Qv9v3p3NrIc2UnhoZ1uWQ2voBGty5Xfy9k4afV5kWwDyRDUIb7PX+Tj4HjVV r7qvnOVe/0KzZpNq0Azd0ggFbsM+8mydktHIwJykW0NUsGwPRYuDOA0Lro0ohb5IiCt3sSQi 1X1hYjo7O1Vmn8Gy/XYOnhnMux+5zDPO2yTkCNX5PocYi9IJJy6pMq1yQV4Y2Dl8KtQzvtq5 5vCUxx6n0MMzFViGwNW6F4ge9ItO4tDScsgowDrHa208ehwOpv/iwjf93lCClQ6vaKmOBX87 2K/tdY/hwhxPPjgl1bcrOwMRYVemOPPehwnXH5bwclk1hvDQdkJQ5pJOkE4VCryTF/iDAt4g 2QnHocUwt3b6/ChUUWmj2GZ22OR12rbnCtLedwp0DpViKPUCQHBOvpgXdzE/L9zWar9fqM0E REMgfWbsJc9028qluCcFLIN1gYsq4cC+YGAcOu7HOI5orBBV4m9jXfsAEQEAAcLCfgQYAQIA CQUCUjbGZAIbLgGpCRDIjAC3Wkf6QMDdIAQZAQIABgUCUjbGZAAKCRDfCQ/G52/8P/uWDACe 7OEM+VETDRqjQgAwzX+RjCVPvtgrqc1SExS0fV7i1mUUxr/B8io3Y1cRHFoFKmedxf8prHZq 316Md5u4egjFdTT6ZqEqkK0hvv+i0pRpCa5EX9VIStcJStomZp8FcY34grA+EOWITaLQ4qNZ UP7rf2e7gq1ubQTj7uLr6HZZvMZ5em+IvrOWEuWDI6yOiI6px04wRDfkoR2h6kgdw4V0PT4N jK9WYYKrVCf1bjLlVImNBEcXfvlUTrIYO8y6ptvoUsBQky5pQRvP99Pn42WfyLy50aII6+vy udD4T0yLjXAz4KteUttxtIte64m/F9/7GEIZAxTUcLyOq/7bP4leh39jBckwc62iYzeK/VkU /bMMh2D68Z3QylMnhhcW27BcgQHPKsHhmFa2SNytYcuQiSdf9+pj4i32ETz1nJAvYAAqgTF/ 0PL+8ZNQoEpe/n9woMKrlZrqD4EgFmhQ3bNVhlaXz1nuTZDrwPt1yMxBuUNbCF4jFnaruwrS iGTRoIfUZQwAjQglahrV4/mcjfnvbNoseHX0PKd9q+wjg7MIjWqrf2CI8Fa6MdanqwYphz43 I2yXANKFZuMWsWqyQYlvGuPUlUUcAL3stp24RkzDB1Q+JS0IZJSTT2JSu0aTfUdWVNqr2UI1 9eX+zxbOTckSi3Ng14ezG8ZX194ZH10b8JzntQOwmA20pd5JDhugzQfASER+CZDiPPcQ4mvC 4y7rMrfV6XGQbDynC3ekDxo8SC5SvjaczXMwXg6SZ8iFtEWmEwW9r7zPjjIPDrX8w5LXBgxA rM5o/HbERpc2EdAvMh1D7LC0SvmoE7fBKxsicVBe4h6vXjEZ+LLr/wuZiBld9OnxAUIpwptb BspO6WKTQYvgFH2OeDG27hiE5P4Xs4WSp5j9ez8OVB1iZnA2nCQ+tNTjO8c+C/P92vPLx5+b pGRXTXMNaLh34PS3ZsYoUDkKZNhczRZUWJ7nynSbeeyF+QW7SLwAqY7O7dyk9LFTsfJqRQJ7 tWnIAjJPCwmSgQ8Kl0UJ
Message-ID: <b558b0de-a451-f233-e86c-26f4b065c164@nwtime.org>
Date: Sat, 08 Dec 2018 21:48:05 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <OF03487E97.EB065354-ONC125835D.006E9262-C125835D.00717024@ptb.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/n5gXQmcSn90AWjjrcsjXSrD48rE>
Subject: Re: [Ntp] Antwort: Re: WGLC: draft-ietf-ntp-using-nts-for-ntp
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2018 05:48:16 -0000

Hence my objections remain.

H

On 12/8/2018 12:39 PM, kristof.teichel@ptb.de wrote:
> I'm on my browser mail client and sadly can't respond in-line without making a 
> mess of the formatting.
> 
> The summary of my response is: yes, we have seen most or all of the here-cited 
> concerns of yours before, and dismissed them.
> Sorry if that was not always communicated clearly enough - although I have a 
> feeling that in most cases, it was.
> 
> In any case, let me give short-ish versions of replies regarding the mentioned 
> points:
> 
> - The "earmarked" EF type thing: to me it looks like you're basically trying to 
> have NTS make people adhere to an NTF-internal numeration system (the only place 
> I know of where it is "standardized" is the Autokey RFC?). That, I oppose.
> 
> - Being "monolithic": this seems like a mere impression that you have that is 
> also mostly false (e.g. a client could choose to send no cookie placeholders and 
> ignore all fresh cookies - though I do not advertise this idea). I can only 
> guess what you would like us to do about your concern, and the things I am 
> guessing (such as dividing AEAD and fresh cookies off into some kind of optional 
> sub-mode), I definitely oppose.
> 
> - TCP matters: are you seriously suggesting for NTS to rest until a number of 
> other drafts potentially reach RFC status? If not, what exactly are you 
> suggesting? If so, I oppose.
> 
> - The "one cookie/placeholder per field" issue: could someone who has 
> implemented this please elaborate on the typical size of a cookie? In any case, 
> a placeholder must by design be as large, so I'm not convinced there is any 
> issue here. In either case, I don't see an actionable suggestion (I can guess at 
> one, bit for that one I would still need to be convinced there is an issue in 
> the first place).
> 
> - The "all modes or bust" issue: I remember giving you a lengthy response to 
> this previously. Please stop insisting this concern has never been adressed. 
> Also, what is you actionable suggestion? Put everything on hold, until solutions 
> have been found that everyone including you can agree on, for modes that are 
> used significantly less than the one adressed? If so, I oppose.
> 
> - The "Dave has a viable alternative" claim: what is the proposed "solution" of 
> which you speak? I remember a document skeleton which barely had more than 
> headlines for its sections, and I remember a lengthy document that switched 
> between a vague critique of mixed NTS versions and a proposal for what a 
> proposal might look like (where some of the few concrete suggestions would be 
> attackable with methods straight out of Roettger's 2012 critique of Autokey)... 
> if you mean either of those then please stop bringing them up as though there 
> was a serious discussion to be had at this point. If you mean something else, 
> please refer us to it so that a real discussion is possible. And again, what 
> would even be your actionable suggestion to us, the editors of the NTS document?
> 
> Is there anything else (preferably actionable suggestions) you still feel has 
> not been adressed?
> 
> 
> Best regards,
> Kristof
> 
> 
> -----"ntp" <ntp-bounces@ietf.org <mailto:ntp-bounces@ietf.org>> schrieb: -----
> An: ntp@ietf.org <mailto:ntp@ietf.org>
> Von: "Harlan Stenn"
> Gesendet von: "ntp"
> Datum: 07.12.2018 23:05
> Betreff: Re: [Ntp] WGLC: draft-ietf-ntp-using-nts-for-ntp
> 
> I am strongly supportive of the goal of providing a replacement for
> Autokey, as soon as possible.
> 
> As written, I am opposed to the adoption of this proposal, as the
> detailed objections and concerns I have repeatedly raised have still not
> been addressed.
> 
> Off the top of my head, here is a (partial?) summary of my objections:
> 
> - we have long earmarked EF type 4 for NTS, and this is still not in the
> document as a recommendation for IANA.  In particular, if the proposal
> advances as written we would want to see:
> 
> |   0x0104   | * NTS Unique Identifier Request              |
> |   0x8104   | * NTS Unique Identifier Response             |
> |   0x0204   | * NTS Cookie                                 |
> |   0x0304   | * NTS Cookie Placeholder                     |
> |   0x0404   | * NTS AEEF Request                           |
> |   0x8404   | * NTS AEEF Response                          |
> 
> (or similar).  There is no good reason to leave it up to IANA to
> possibly assign 6 random EFs for this use case.
> draft-stenn-ntp-extension-fields (for which I will be trying to post an
> update soon) clearly and simply describes this.
> 
> - The proposal is too monolithic, and we would all be better served with
> a proposal that separates the cookie mechanism and encrypted transfers
> into separately-usable mechanisms.  There may be other similar cases as
> well, but my brain is too fuzzy right now to think more about this.
> 
> - It creates a separate TCP service/port specifically for NTS key
> exchange.  This is wasteful in general, and would be better served by
> folks collaborating on:
> 
>   draft-stenn-ntp-tcp-services
>   draft-stenn-ntp-tcp-services-keyexchange
> 
> - The proposal uses multiple Cookie and Cookie Placeholder messages (as
> I recall - see my other message about the cold I'm still recovering
> from) instead of having a single Cookie and Cookie Placeholder message
> that supports multiple entries.  This would not be an issue if 7822 did
> not specify a 28-octet minimum final EF size, or if
> draft-stenn-ntp-extension-fields was implemented (or being considered,
> even).
> 
> - It only supports client/server mode, and it does so in a way for which
> adding support for symmetric and [mb]*cast modes had been demonstrated
> to be problematic.  We need an encompassing solution, and this isn't it.
> 
> It would not surprise me at all to discover issues I have forgotten to
> list above that are in my previous messages on this topic.
> 
> I'm sorry I haven't had the resources to once again re-study and re-list
> my objections to this proposal.
> 
> Dave Mills has posted several papers about the above problems including
> a proposed solution, but for whatever reasons, for years we have
> continued to pursue this increasingly limited solution instead of
> working towards a better/more functional solution.
> 
> As I said in an earlier message, Dave is currently unable to receive or
> send email messages, so he apparenetly can't participate in this WGLC.
> 
> -- 
> Harlan Stenn <stenn@nwtime.org <mailto:stenn@nwtime.org>>
> http://networktimefoundation.org - be a member!
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org <mailto:ntp@ietf.org>
> https://www.ietf.org/mailman/listinfo/ntp
> 

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!

v2.23.0 | Report a Bug | By Email