IETF Logo Mail Archive

Re: [Ntp] Draft extension NTS for pools

Hal Murray <halmurray@sonic.net> Sun, 24 December 2023 05:36 UTC

Return-Path: <halmurray@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69FE5C14F5E2 for <ntp@ietfa.amsl.com>; Sat, 23 Dec 2023 21:36:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sonic.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2StYxk8fXaF4 for <ntp@ietfa.amsl.com>; Sat, 23 Dec 2023 21:36:12 -0800 (PST)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85536C14F5E6 for <ntp@ietf.org>; Sat, 23 Dec 2023 21:36:12 -0800 (PST)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (104-182-38-69.lightspeed.sntcca.sbcglobal.net [104.182.38.69]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 3BO5aAbc003020 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sat, 23 Dec 2023 21:36:10 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sonic.net; s=net23; t=1703396171; bh=KT+ZcdkGTZrONI91k1EHugwsAfWCH5hupDIiepBzZTI=; h=To:From:Subject:Mime-Version:Date:Message-Id:From:Subject; b=VUR9VLvYnckcMvWN9EQJHFSdShPlaf/SwvglffByo4g6O7GCgUEdiMOwO4wIySXvP gh2ii0ofb92Qmh8DTXk25FshvfpB7ZbbRce1X6kIfDG7VyJibiYJis/uEZ2ZNEGIuV 5EqtpKKWU06qoQ+8wjYd/rfJAMuI959wnbSWI/QIKXd3yfnhmIIgvQdaozTwYEK6Ci /Ov7FkGGY3mchNJfdguloQ/alkiqmxCq7jkCk41DSFEwdDGHx/FkBw22M6d1l7p63R gskNunmDK8Hkomk6/hLdFdf/Zlrro3n7sTYrSfgBrjbirmcD7B2nY2x17PHX60gwE3 qG0NTEJINFxUg==
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 3C8E028C002; Sat, 23 Dec 2023 21:36:10 -0800 (PST)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: David Venhoek <david@venhoek.nl>
cc: NTP WG <ntp@ietf.org>, Hal Murray <halmurray@sonic.net>
From: Hal Murray <halmurray@sonic.net>
In-Reply-To: Message from David Venhoek <david@venhoek.nl> of "Fri, 22 Dec 2023 11:27:38 +0100." <CAPz_-SWidPW1bACgt_dN7saGfjPYbXtZLbqFpTGhPj5OOK4xYg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Sat, 23 Dec 2023 21:36:10 -0800
Message-Id: <20231224053610.3C8E028C002@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVboBZvCBZEUmG8vaf1qI1CtJCDPxAgsvRHrXylqJgGbllM9KPu+qM3J3zKI84ordAOxc1fkzIxXwwJfTEGk/jT1TJoEKz+sptw=
X-Sonic-ID: C;mCH3Vx6i7hGZhUZFP63e0g== M;QoAMWB6i7hGZhUZFP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/xRMjoy8fv8Y0VB3iw8GYEya4tLQ>
Subject: Re: [Ntp] Draft extension NTS for pools
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Dec 2023 05:36:16 -0000

I think the pool as we know it and security are incompatible.  The problem is 
one of trust.  If you have a large collection of volunteers, there is no way 
to know that they are all good guys.  NTS can ensure that you are talking to a 
pool server, but not that the operator of that system is a good guy.

I could imagine a pool run with a restricted membership.

I think a discussion of the operational side of running NTS/NTP servers would 
be a good idea.  I'm primarily thinking of organizations that run multiple 
servers but ideas for single servers or pools would be welcome.

I think your 4 options are a good start.

---------

Your draft is well written.  I think I could implement from it without much help.

I think it needs a big warning about trust and the current pool.

Section 5: Pool authentication
I don't understand
  To discourage misuse, ...
What sort of misuse do you have in mind?  What could a bad guy do if he gets cookies for an arbitrary key?

  ... MUST authenticate clients using the Fixed Key Request
  record using TLS client certificates.

At first glance, that seem overly strong.  Yes, client certificates are a good way to authenticate.  Why isn't filtering by IP Address good enough?  It might be simpler to implement with firewall rules.  But that's not good enough if you are worried about MITM attacks.


Section 6.5. NTP Server Deny

> A client MAY send multiple of these records if desired. The data in the
> record SHOULD match that given through an NTPv4 Server Negotiation received
> in an earlier request from the same NTS Key Exchange server.

I think this area needs work.  I need to be able to avoid servers that I got some other way that also happen to be in the pool.

And you might have multiple servers for load sharing so "the same" gets complicated.






-- 
These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email