Re: [Ntp] NTP Security (was NTPv5: big picture)

Watson Ladd <watsonbladd@gmail.com> Sat, 16 January 2021 19:02 UTC

References: <rsalz@akamai.com> <993FEEB5-F498-472E-813E-E684E273612F@akamai.com> <20210102050501.7D0DE40605C@ip-64-139-1-69.sjc.megapath.net> <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com>
In-Reply-To: <26A97601-BEB4-4914-B570-6C8BD9C72FAD@akamai.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 16 Jan 2021 11:02:32 -0800
Message-ID: <CACsn0cm=d3z+ceTDMaw2LDHg_AeNoxbs411iEFNpGpnWcyvZvw@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/qj-Y_5k3phY1ybv04Z4ngE2j_Ws>
Subject: Re: [Ntp] NTP Security (was NTPv5: big picture)

On Sat, Jan 2, 2021 at 6:01 AM Salz, Rich
<rsalz=40akamai.com@dmarc.ietf.org> wrote:
>
> >    What do you want that isn't already covered by NTS and/or shared keys?
>
> Perhaps nothing.  But not seeing security on the NTPv5 list as a first-class requirement does not engender good thoughts.
>
> >    As far as I can tell, the problem with NTP security is deployment of NTS.  The
> >    pool has captured a large portion of the market and it is fundamentally
> >    insecure.
>
> Then we should consider making NTPv5 require security.

I'd like to see some input from people who operate the pool on what
solutions would work for them. Right now we're sort of flying blind.
Perhaps we can discuss at IETF 110?

>
> >    HTTPs works because lots of sites want your money.  Nobody is paying for NTP.
>
> Nobody pays for much of the Internet, including DNS, BGP, etc. But those protocols are moving toward secure-by-default.
>



--
Astra mortemque praestare gradatim