Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)
Aanchal Malhotra <aanchal4@bu.edu> Sun, 09 June 2019 04:24 UTC
From: Aanchal Malhotra <aanchal4@bu.edu>
Date: Sun, 09 Jun 2019 00:23:49 -0400
To: Fernando Gont <fgont@si6networks.com>
Cc: ntp@ietf.org, Miroslav Lichvar <mlichvar@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/soBmvDsnqbr1SaMzeeL79O6S9Nk>
Hi All,

For those curious about the success probability of off-path attacks with randomized transmit timestamps, I would suggest referring to Section 7 of the paper "Security of NTP's datagram protocol" <https://eprint.iacr.org/2016/1006/20161026:151159>. It has detailed analysis of off-path attacks on NTP where the attacker tries to predict the transmit timestamp.

Best,
Aanchal Malhotra.

On Fri, Jun 7, 2019 at 7:05 AM Fernando Gont <fgont@si6networks.com> wrote:
> On 4/6/19 12:47, Harlan Stenn wrote:
> >
> >
> > On 6/3/2019 11:37 PM, Fernando Gont wrote:
> >> On 29/5/19 21:58, Fernando Gont wrote:
> >>> Harlan,
> >>>
> >>> Responding this one in a separate email, since it seems we're converging
> >>> on something...
> >>>
> >>> On 29/5/19 13:15, Harlan Stenn wrote:
> >>>>
> >>> [....]>> Using randomized port numbers requires yet additional effort on
> >>> the side
> >>>>> of the attacker. And means that the attacker now needs to guess the
> >>>>> client port, or otherwise his packets will not even make it to the ntp
> >>>>> process.
> >>>>
> >>>> If your point is to change the last sentence of RFC590 9.1 where it says:
> >>>>
> >>>> srcport: UDP port number of the server or reference clock. This
> >>>> becomes the destination port number in packets sent from this
> >>>> association. When operating in symmetric modes (1 and 2), this field
> >>>> must contain the NTP port number PORT (123) assigned by the IANA. In
> >>>> other modes, it can contain any number consistent with local policy.
> >>>>
> >>>> to:
> >>>>
> >>>> ... In other modes, it SHOULD contain any number consistent with
> >>>> local policy.
> >>>>
> >>>> I'm fine with that.
> >>>
> >>> Yes. That's the whole point of this document.
> >>
> >>
> >> Sorry. The point of the document is to change that to "SHOULD randomize
> >> the port number". That's the BCP of the transport area.
> >
> > If your local policy is randomization, that's fine.
>
> The transport area has produced a BCP recommending that ephemeral port
> numbers should be randomized.
>
> Are we just implicitly saying that we don't care about the advice of the
> transport area?
>
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
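The thread above argues that a spoofed reply from an off-path sender is only accepted if it reaches the client's UDP port and passes the origin-timestamp check, so randomizing the port and the transmit timestamp multiplies the guess space. The model below is an added example, not code from the thread, the referenced paper or any NTP implementation; it assumes the RFC 6056 default ephemeral range 49152-65535 as the client's port policy, that only the 32-bit fraction of the transmit timestamp is randomized (the attacker is assumed to know the seconds field), and it ignores every other client-side check.

```python
import math
import secrets
from dataclasses import dataclass

EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535      # assumed client port policy (RFC 6056 default range)
PORT_CHOICES = EPHEMERAL_HI - EPHEMERAL_LO + 1  # 16384 ports an off-path sender would have to cover
FRACTION_CHOICES = 1 << 32                      # 32-bit fraction field of an NTP timestamp

@dataclass
class Association:
    local_port: int  # UDP source port of the client's request (123 or a random ephemeral port)
    xmt: int         # 64-bit transmit timestamp of the outstanding request

@dataclass
class Reply:
    dst_port: int    # port the (real or spoofed) server reply is addressed to
    org: int         # origin timestamp the reply echoes back

def open_association(randomize_port: bool, randomize_fraction: bool, now_sec: int) -> Association:
    """Send a request under the given policy; the values chosen are known only to the client."""
    port = EPHEMERAL_LO + secrets.randbelow(PORT_CHOICES) if randomize_port else 123
    frac = secrets.randbelow(FRACTION_CHOICES) if randomize_fraction else 0
    return Association(port, (now_sec << 32) | frac)

def accept_reply(assoc: Association, reply: Reply) -> bool:
    """Client-side filtering: UDP demux first, then the RFC 5905 origin-timestamp (bogus) check."""
    if reply.dst_port != assoc.local_port:   # wrong port: the packet never reaches the NTP process
        return False
    return reply.org == assoc.xmt            # org must equal the transmit timestamp we sent

def blind_guess_probability(randomize_port: bool, randomize_fraction: bool) -> float:
    """Per-packet probability that a blind off-path guess passes both checks (simplified model)."""
    ports = PORT_CHOICES if randomize_port else 1
    fractions = FRACTION_CHOICES if randomize_fraction else 1
    return 1.0 / (ports * fractions)

def success_within(packets: int, p: float) -> float:
    """Probability that at least one of `packets` independent guesses is accepted: 1 - (1 - p)^n."""
    if p >= 1.0:
        return 1.0
    return -math.expm1(packets * math.log1p(-p))   # numerically stable for very small p

if __name__ == "__main__":
    for rp in (False, True):
        for rf in (False, True):
            p = blind_guess_probability(rp, rf)
            print(f"random port={rp!s:5} random fraction={rf!s:5} "
                  f"p/packet={p:.3e}  P(accepted within 1e6 packets)={success_within(10**6, p):.3e}")
```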