Re: [Ntp] AD Evaluation: draft-ietf-ntp-using-nts-for-ntp-21

Marcus Dansarie <marcus@dansarie.se> Thu, 13 February 2020 19:01 UTC

Sender: Marcus Dansarie <marcus.dansarie.nilsson@gmail.com>
To: Suresh@kaloom.com
References: <AF4879A2-9F09-4A34-B4E5-3970B293A806@kaloom.com> <DM5PR06MB301806532F0CDAA81BB8D363C2180@DM5PR06MB3018.namprd06.prod.outlook.com> <DM5PR06MB301877557F3323309F8B8FFBC2180@DM5PR06MB3018.namprd06.prod.outlook.com>
Cc: draft-ietf-ntp-using-nts-for-ntp.authors@ietf.org, Karen O'Donoghue <odonoghue@isoc.org>, "ntp@ietf.org" <ntp@ietf.org>
From: Marcus Dansarie <marcus@dansarie.se>
Message-ID: <cf868779-a4ed-36aa-4487-24da20e8298c@dansarie.se>
Date: Thu, 13 Feb 2020 20:01:09 +0100
In-Reply-To: <DM5PR06MB301877557F3323309F8B8FFBC2180@DM5PR06MB3018.namprd06.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/tL-TDHHsWdGW-VcRweqOmDmnh-k>

Suresh,

Thank you for your thorough review of the NTS draft. Changes that
address the issues found have been incorporated in version 22 of the
draft, which was just submitted. Our replies to your individual comments
follow inline below. The comments and changes represent a consensus
among the authors, except for Daniel Franke whom we haven't been able to
reach. In the interest of time, we have decided to submit a new draft
despite this.

Kind regards,
Marcus Dansarie


> Major:
> =====
> 
> * Section 4.2. and 5.1.
> 
> These sections seem to be mandating the use of RFC5705 for extracting
> key material while also putting in a SHOULD level requirement for TLS
> 1.3. In my view these are incompatible.
> 
> As I was reading through the draft that became TLS 1.3 spec (RFC8446)
> one of the things it changed was the way key exporters work by changing
> from PRF to HKDF. It appears to me that this would make the RFC5705 key
> extraction mechanisms incompatible with TLS1.3.
> 
> If you agree that this is an issue, can you put in some disambiguating
> text in these sections to mention that RFC5705 has to be used with
> earlier TLS versions, and Section 7.5 of RFC8446 is to be used with TLS
> 1.3? If this is not an issue, can you please explain why?

We agree. The draft has been updated accordingly.

> Minor:
> =====
> 
> Section 2:
> 
> "The Network Time Protocol includes many different operating modes to
> support various network topologies"
> 
> I think a pointer to Section 3 of RFC5905 could be useful here.

We agree. The draft has been updated accordingly.

> Section 5.7:
> 
> I think it would be preferable to remove the following text
> 
> " and is in practice also safe for avoiding IPv4 fragmentation"
> 
> from the sentence beginning with “1280 octets…” as IPv4 hosts are only
> required to accept packets up to 576 bytes long as per RFC1122.

You are correct in that RFC 1122 allows packets as short as 576 bytes.
What we are saying in Section 5.7 is, however, that a maximum length of
1280 bytes will avoid fragmentation in the vast majority of real-world
cases. The wording in question is not normative and merely serves as a
design justification.

> Section 6:
> 
> Given that this section is non-normative consider this only as a
> suggestion from me (and feel free to ignore). RFC5077 has been obsoleted
> by the session resumption specified in Section 2.2 of RFC8446. Given
> that, is there something here you would like to change?

We have decided to leave the current wording as it is.

> Section 9 (Security Considerations):
> 
> I think it might be worth repeating here that NTS only protects the
> client-server mode of NTP. I am happy with the text in Section 1.2 and
> would not mind if it is summarized here.

We agree and have added a new subsection to the Security Considerations
incorporating your comments and referencing RFC 8573 as the best current
practice for authentication of NTP modes other than 3 and 4.