Re: [Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)

Aanchal Malhotra <aanchal4@bu.edu> Sun, 09 June 2019 04:24 UTC

In-Reply-To: <fe1bf721-4568-cc64-3bb9-43da49929fb1@si6networks.com>
From: Aanchal Malhotra <aanchal4@bu.edu>
Date: Sun, 09 Jun 2019 00:23:49 -0400
Message-ID: <CAMbs7kuCyxzbZMQJn2PakoLJPYzro_WohPVGi4Z60bOH43DEyQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: ntp@ietf.org, Miroslav Lichvar <mlichvar@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/soBmvDsnqbr1SaMzeeL79O6S9Nk>

Hi All,

For those curious about the success probability of off-path attacks with
randomized transmit timestamps, I would suggest referring to Section 7 of
the paper "Security of NTP's datagram protocol
<https://eprint.iacr.org/2016/1006/20161026:151159>".  It has a detailed
analysis of off-path attacks on NTP where the attacker tries to predict the
transmit timestamp.

Best,
Aanchal Malhotra.

On Fri, Jun 7, 2019 at 7:05 AM Fernando Gont <fgont@si6networks.com> wrote:

> On 4/6/19 12:47, Harlan Stenn wrote:
> >
> >
> > On 6/3/2019 11:37 PM, Fernando Gont wrote:
> >> On 29/5/19 21:58, Fernando Gont wrote:
> >>> Harlan,
> >>>
> >>> Responding this one in a separate email, since it seems we're converging
> >>> on something...
> >>>
> >>> On 29/5/19 13:15, Harlan Stenn wrote:
> >>>>
> >>> [....]
> >>>>> Using randomized port numbers requires yet additional effort on the side
> >>>>> of the attacker. And means that the attacker now needs to guess the
> >>>>> client port, or otherwise his packets will not even make it to the ntp
> >>>>> process.
> >>>>
> >>>> If your point is to change the last sentence of RFC590 9.1 where it says:
> >>>>
> >>>>    srcport: UDP port number of the server or reference clock.  This
> >>>>    becomes the destination port number in packets sent from this
> >>>>    association.  When operating in symmetric modes (1 and 2), this field
> >>>>    must contain the NTP port number PORT (123) assigned by the IANA.  In
> >>>>    other modes, it can contain any number consistent with local policy.
> >>>>
> >>>> to:
> >>>>
> >>>>    ... In other modes, it SHOULD contain any number consistent with
> >>>>    local policy.
> >>>>
> >>>> I'm fine with that.
> >>> Yes. That's the whole point of this document.
> >>
> >>
> >> Sorry. The point of the document is to change that to "SHOULD randomize
> >> the port number". That's the BCP of the transport area.
> >
> > If your local policy is randomization, that's fine.
>
>
> The transport area has produced a BCP recommending that ephemeral port
> numbers should be randomized.
>
> Are we just implicitly saying that we don't care about the advice of the
> transport area?
>
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
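The point argued in the quoted exchange (an off-path attacker has to hit the client's local port before a spoofed reply even reaches the origin-timestamp check, so port randomization adds to, rather than replaces, transmit-timestamp unpredictability) is illustrated by the following added example. It is not code from the draft, from any NTP implementation or from anyone in the thread; it models only the two gates a reply must pass (UDP demux on the client's port, then the RFC 5905 check that the reply's origin timestamp equals the request's transmit timestamp), assumes an ephemeral range of 1024-65535, uses a constructed server address 192.0.2.1, and treats a zero fraction field as the "predictable transmit timestamp" case. The time window and packet budget are illustrative parameters, not measured values.

```python
"""Added example (not code from the thread): how much guessing an off-path
attacker needs before a spoofed NTP reply is accepted by a unicast client,
with and without client source-port randomization, and with a predictable
versus a randomized transmit-timestamp fraction."""
import secrets

NTP_PORT = 123
# Assumption for the example: client ephemeral ports are drawn uniformly from this range.
EPHEMERAL = range(1024, 65536)


def ntp_ts(seconds, fraction=0):
    """Pack an NTP 64-bit timestamp: 32-bit seconds, 32-bit fraction."""
    return ((seconds & 0xFFFFFFFF) << 32) | (fraction & 0xFFFFFFFF)


class ClientAssociation:
    """Minimal model of a client/server (mode 3) association: one server,
    one local UDP port, one outstanding transmit timestamp (xmt)."""

    def __init__(self, server, randomize_port, randomize_xmt):
        self.server = server                  # (ip, port) the client polls
        self.randomize_xmt = randomize_xmt
        self.port = (EPHEMERAL.start + secrets.randbelow(len(EPHEMERAL))
                     if randomize_port else NTP_PORT)
        self.xmt = None

    def poll(self, now_seconds):
        """Send a request; the fraction is either 0 (predictable) or 32 random bits."""
        fraction = secrets.randbits(32) if self.randomize_xmt else 0
        self.xmt = ntp_ts(now_seconds, fraction)
        return {"src_port": self.port, "dst": self.server, "xmt": self.xmt}

    def accept(self, pkt):
        """Gates a reply must pass before it can influence the clock:
        1. UDP demux: it must come from the polled server to the association's local port;
        2. RFC 5905 bogus-packet test: its origin timestamp must equal the xmt we sent."""
        if pkt["src"] != self.server or pkt["dst_port"] != self.port:
            return False
        return self.xmt is not None and pkt["org"] == self.xmt


def off_path_attack(client, now_seconds, window, budget, fraction_guesses=(0,)):
    """Blind attacker: knows the server address and roughly when the client
    polled (within +/- window seconds) but cannot see the request.
    Enumerates (port, second, fraction) guesses until one is accepted or the
    packet budget is spent. Returns (success, packets_sent)."""
    sent = 0
    for port in [NTP_PORT, *EPHEMERAL]:     # a fixed port 123 is the cheapest guess, so try it first
        for sec in range(now_seconds - window, now_seconds + window + 1):
            for frac in fraction_guesses:
                if sent >= budget:
                    return False, sent
                sent += 1
                spoofed = {"src": client.server, "dst_port": port, "org": ntp_ts(sec, frac)}
                if client.accept(spoofed):
                    return True, sent
    return False, sent


def worst_case_packets(randomize_port, xmt_fraction_bits, window):
    """Size of the guess space the attacker must cover in the worst case."""
    ports = len(EPHEMERAL) if randomize_port else 1
    return ports * (2 * window + 1) * (1 << xmt_fraction_bits)


if __name__ == "__main__":
    T = 1560054242                            # constructed poll time (seconds)
    for rp, rx in [(False, False), (True, False), (False, True)]:
        c = ClientAssociation(("192.0.2.1", NTP_PORT), rp, rx)
        c.poll(T)
        ok, n = off_path_attack(c, T, window=1, budget=300_000)
        print(f"random port={rp!s:5} random xmt={rx!s:5} -> accepted={ok} after {n} packets")
```

With a fixed port and a zero fraction the attacker needs at most 2*window+1 packets; randomizing the port multiplies the guess space by the size of the ephemeral range (about 64K here), and randomizing the 32-bit fraction multiplies it by a further 2^32. The simulation only enumerates the zero-fraction guess, so the third case shows the budget being exhausted rather than the full 2^32 search.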