Re: [ntpwg] Comments on new drafts
Miroslav Lichvar <mlichvar@redhat.com> Fri, 08 April 2016 14:16 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 708E012D917 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 8 Apr 2016 07:16:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eaZk6v697qGY for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Fri, 8 Apr 2016 07:16:29 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by ietfa.amsl.com (Postfix) with ESMTP id DFB6A12D914 for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 8 Apr 2016 07:16:18 -0700 (PDT)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id 4670086DBBF for <ntp-archives-ahFae6za@lists.ietf.org>; Fri, 8 Apr 2016 14:16:17 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 2075E86DAFF for <ntpwg@lists.ntp.org>; Fri, 8 Apr 2016 13:26:12 +0000 (UTC)
Received: from mx1.redhat.com ([209.132.183.28]) by mail1.ntp.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mlichvar@redhat.com>) id 1aoWQE-000AOr-1N for ntpwg@lists.ntp.org; Fri, 08 Apr 2016 13:26:12 +0000
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3A2BF48B; Fri, 8 Apr 2016 13:26:01 +0000 (UTC)
Received: from localhost (dhcp-24-154.brq.redhat.com [10.34.24.154]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u38DQ0to016826; Fri, 8 Apr 2016 09:26:00 -0400
Date: Fri, 08 Apr 2016 15:25:59 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Harlan Stenn <stenn@ntp.org>
Message-ID: <20160408132559.GA14867@localhost>
References: <20160407121447.GE20410@localhost> <E1aoHHv-0005vf-03@stenn.ntp.org> <20160408085726.GA13598@localhost> <E1aoU0b-0006mQ-Sa@stenn.ntp.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <E1aoU0b-0006mQ-Sa@stenn.ntp.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
X-SA-Exim-Connect-IP: 209.132.183.28
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: mlichvar@redhat.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [ntpwg] Comments on new drafts
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: ntpwg@lists.ntp.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
On Fri, Apr 08, 2016 at 10:51:25AM +0000, Harlan Stenn wrote: > Miroslav Lichvar writes: > > > > draft-mayer-ntp-mac-extension-field-00 > > Beside knowing which hash function was used in the MAC, the type field > > will allow other MACs in the field, not just those used by > > authentication with symmetric keys. > > The security folks tell me that it's better to not advertise the > algorithm. If you get adequate consensus from them that it's not an > issue to publish the hash function then OK. Ok, I can try. Who made the suggestion? Are they following this list? > Oh, what's stopping people from publishing 1 algorithm but actually > using another, again for security purposes? Sure, they can do that and if it's not a common practice, it might work. That's security through obscurity. The reasonable approach is to use secure keys. > The NTS designers have told me they do not want to do this. The NTS > stuff uses its packet for a bunch of different things. So you're > suggesting we don't use a new EF for NTS? Having all MACs in one extension field looks like a cleaner approach to me, but I don't want to make that suggestion unless it can be done without further delaying the NTS draft. > > > > draft-stenn-ntp-i-do-00 > As for examples of how the bits for MAC-OPTIONAL and MAC-INCLUDED, in > what way have I provided incomplete examples or supporting explanation > before? I'd like to see an example where the client or server does anything differently when the bit is set the other way, i.e. why it needs to be transferred in NTP packets. > > > > draft-stenn-ntp-ipv6-refid-hash-00 > 5) There are a number of different mechisms proposed around REFIDs. > They are not mutually exclusive. You should have the flexibility here > to implement a local policy you are comfortable with. If you only want to prevent loop, they might not be exclusive. But if you want to use refid to detect you are using the same source as your server, mixing different kinds of refids in the same network will break it. > > > > draft-stenn-ntp-leap-smear-refid-00 > > > Where else can it go that it's obvious, visible, and almost totally > > > backward-compatible? > > > > I think the reference timestamp would be a much better choice. > 1) How does somebody know when the reference timestamp is a reference > timestamp and when it's an offset? You can use a special refid to indicate leap smearing is active and reftime has special meaning. > Whether or not the reference > timestamp in its current form is sufficiently useful is a different > discussion. But we should not "hijack" it without a compelling reason. Very few client implementations look at the reference timestamp. ntpd as a client ignores it completely. From how it's specified in NTPv3 and NTPv4, there is about 44 bits that can set arbitrarily without breaking things. It just needs to be not newer than the transmit timestamp and not older than few hours. You could use the encoding specified in the refid draft directly in the fractional part of the timestamp. You would just need to decrement seconds by one to make sure it's not newer than the transmit timestamp. No client would have a problem with that and refid would stay clean. > 2) How is this easily visible from ntpq? ntpq -c rv <assid> prints the reference timestamp. > First, I'm not sure I buy the 1/256 collision thing. How is this not a 1 > in 4B chance of collision that would only happen on 1 poll exchange? On average 1 in 256 IPv6 servers (using the current definition of refid) will appear as constantly performing leap smear. If a client should act on that, it would be a problem. If it's meant only for humans monitoring the network (who probably can figure out the offset is not changing and it's a false positive), the draft should make it clear. > > If you need to see the fact that the server is leap smearing in the > > ntpq output in the refid field, pick a constant value for refid and > > don't encode the offset. That's what I did in chrony. > > What refid value did you choose? 127.127.1.255 > What happens when you have different servers offering different > applications of the leap smear? Things might break horribly. > How can you tell what they are doing? There is a command that prints the current leap smearing status and offset in the chrony monitoring protocol. > > > > draft-stenn-ntp-suggest-refid-00 > If folks want to know about an upstream server and they have > authorization to ask, they can issue a mode 6 request and see what the > source address is for that association. Mode 6 is an ntpd-specific extension of NTP. Even if the server runs ntpd, it's typically disabled. NTP clients can't work with that. > Was it you who mentioned that you saw a 3-system loop, and that loop was > on systems that were using neither orphan mode nor local refclock? If > that's the case, then please show how increasing the protocol complexity > (including a security analysis) to detect these loops is worth the cost. > Why just not fix the configuration so this doesn't happen? Why didn't > your systems monitoring catch this when the stratum of your servers went > out-of-spec? I think the monitoring caught it, that's not the problem. The problem was they were unusable for clients below them, it's an unexpected situation. A local reference was not an option as the servers and clients were required to always report real synchronisation distance. -- Miroslav Lichvar _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts brian utterback
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Harlan Stenn
- Re: [ntpwg] Comments on new drafts Miroslav Lichvar
- Re: [ntpwg] Comments on new drafts Sharon Goldberg
- Re: [ntpwg] Comments on new drafts Sharon Goldberg