[ntpwg] Comments on new drafts
Miroslav Lichvar <mlichvar@redhat.com> Thu, 07 April 2016 13:13 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E1D12D95A for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 7 Apr 2016 06:13:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5BNPykmJtcNq for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Thu, 7 Apr 2016 06:13:02 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id BDCB212D95F for <ntp-archives-ahFae6za@lists.ietf.org>; Thu, 7 Apr 2016 06:12:56 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id B291686DC9F for <ntp-archives-ahFae6za@lists.ietf.org>; Thu, 7 Apr 2016 13:12:56 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 08CE286DB70 for <ntpwg@lists.ntp.org>; Thu, 7 Apr 2016 12:14:59 +0000 (UTC)
Received: from mx1.redhat.com ([209.132.183.28]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mlichvar@redhat.com>) id 1ao8pl-0006S7-Ar for ntpwg@lists.ntp.org; Thu, 07 Apr 2016 12:14:59 +0000
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 7A53280088 for <ntpwg@lists.ntp.org>; Thu, 7 Apr 2016 12:14:48 +0000 (UTC)
Received: from localhost (dhcp-24-154.brq.redhat.com [10.34.24.154]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u37CElwa029188 for <ntpwg@lists.ntp.org>; Thu, 7 Apr 2016 08:14:47 -0400
Date: Thu, 07 Apr 2016 14:14:47 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: ntpwg@lists.ntp.org
Message-ID: <20160407121447.GE20410@localhost>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-SA-Exim-Connect-IP: 209.132.183.28
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: mlichvar@redhat.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: [ntpwg] Comments on new drafts
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
I've few quick comments and questions on the new drafts. I can expand on that later if there is any interest. draft-mayer-ntp-mac-extension-field-00 - I'm not sure if hiding the length of the MAC using padding with random data is really useful. This was discussed before. The attacker can search for the key in parallel using all hash functions. As their number is very small, the slowdown is insignificant. - Instead of hiding the hash function, I think it might be more useful to specify it directly in the field to allow easier debugging when the authentication fails. The MAC length field could be shortened to one octet and the other octet could specify the key type, allowing 256 different types. - In order to save bandwidth with functions producing long digests, they could be truncated to some fixed size, like NTS already does in its MAC extension field. Is 128 bits enough? - MACs could be treated as opaque data, not requiring symmetric keys with 32-bit key IDs. This would allow storing MACs from new authentication schemes and they wouldn't need a new extension field, just a new MAC type for this extension field. draft-stenn-ntp-i-do-00 - The draft mentions negotiation. Is the server required to keep a state of what the client supports? I'd expect it to be a purely informational field that doesn't change over time. - It's not clear to me why there needs to be a "MAC required" bit and why it should be specified in this draft. This was discussed before, but I've not seen any conclusion. draft-stenn-ntp-ipv6-refid-hash-00 - The idea was discussed several times before. It doesn't make much sense to me. - In order to avoid conflicts with refids based on IPv4 addresses it makes conflicts between refids based on IPv6 more likely. Why should be IPv4 special? The world is quickly moving to IPv6. - It's an incompatible change making assumptions about how the refid is used in clients. draft-stenn-ntp-leap-smear-refid-00 - I don't think the refid field in NTP packet is a good place to store an offset. - The refid will conflict with 1/256 of refids based on IPv6. Even if the IPv6 refid draft that shrinks the space for IPv6 refids to 24 bits is accepted, it will take some time before it's used. - This should rather be a new extension field, maybe in a more general form that allows different time scales and their offset to UTC to be specified. draft-stenn-ntp-suggest-refid-00 - Again, the "required MAC" bit in the field type doesn't seem useful. - I'd suggest to use all bits of the refid (not fix the first octet to 0xfd) to make collisions less likely. - The extension field could be extended to contain also refids of upstream servers (obtained with this extension). - Instead of hiding the real refid, I'd rather see servers to use this extension field to announce the same refid to all clients in order to allow them to detect multihomed hosts and duplicates in paths to their stratum 1 sources. This is discussed in the other thread. draft-stenn-ntp-last-extension-00 - Field length of 4 is currently not valid in NTP packets. The minimum length is 16 and there are special rules for the last extension field. Is there a plan to relax these requirements? (It would be an incompatible change.) - Will be this extension field useful when the new MAC extension field is ready? It looks like they have a similar purpose. -- Miroslav Lichvar _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts brian utterback
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Sharon Goldberg
- Re: [ntpwg] Comments on new drafts Sharon Goldberg