Re: [ntpwg] The next step of draft-ietf-ntp-checksum-trailer
Harlan Stenn <stenn@ntp.org> Sun, 06 March 2016 10:23 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51A3F1A88DF for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Sun, 6 Mar 2016 02:23:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6bmdao2ldHyN for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Sun, 6 Mar 2016 02:23:54 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id 1CDAA1A88DE for <ntp-archives-ahFae6za@lists.ietf.org>; Sun, 6 Mar 2016 02:23:54 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id A5ECE86DB9B for <ntp-archives-ahFae6za@lists.ietf.org>; Sun, 6 Mar 2016 10:23:53 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from stenn.ntp.org (stenn.ntp.org [IPv6:2001:4f8:fff7:1::30]) by lists.ntp.org (Postfix) with ESMTP id BA1EA86DAD1 for <ntpwg@lists.ntp.org>; Sun, 6 Mar 2016 09:53:25 +0000 (UTC)
Received: from [::1] (helo=stenn.ntp.org) by stenn.ntp.org with esmtp (Exim 4.86 (FreeBSD)) (envelope-from <stenn@stenn.ntp.org>) id 1acVNL-000CK8-RW; Sun, 06 Mar 2016 09:53:23 +0000
From: Harlan Stenn <stenn@ntp.org>
To: Tal Mizrahi <talmi@marvell.com>
In-reply-to: <4569da98236441699fb26aebb71f90a7@IL-EXCH01.marvell.com>
References: <4569da98236441699fb26aebb71f90a7@IL-EXCH01.marvell.com>
Comments: In-reply-to Tal Mizrahi <talmi@marvell.com> message dated "Sun, 06 Mar 2016 07:58:56 +0000."
X-Mailer: MH-E 7.4.2; nmh 1.6; XEmacs 21.4 (patch 24)
Mime-Version: 1.0 (generated by tm-edit 1.8)
Date: Sun, 06 Mar 2016 09:53:23 +0000
Message-Id: <E1acVNL-000CK8-RW@stenn.ntp.org>
Subject: Re: [ntpwg] The next step of draft-ietf-ntp-checksum-trailer
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Cc: "'ntpwg@lists.ntp.org'" <ntpwg@lists.ntp.org>, Suresh Krishnan <suresh.krishnan@ericsson.com>, "Karen ODonoghue (odonoghue@isoc.org)" <odonoghue@isoc.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
Tal Mizrahi writes: > Hi All, > > In the last few days we had two main suggestions: > > (1) Request the value 0x2005 for Checksum Complement extension fields. > > (2) Remove the requirement to have a fixed length of 28 octets. > > Suggestion (1) will certainly be addressed. > There was a lot of discussion regarding (2), but it appears that there is n= > o consensus around the suggestion to remove the 28-octet requirement. > > Two important points should be made: > > - According to RFC 5905 + erratum 3627 (https://www.rfc-editor.org= > /errata_search.php?rfc=3D5905), it is not possible for the Checksum Complem= > ent extension field to be shorter than 28 octets. This restriction is furth= > er clarified in draft-ietf-ntp-extension-field. Hopefully, future updates t= > o RFC5905 will place the MAC in its own extension field, and will allow oth= > er extension fields to be shorter than 28 octets. However, this is currentl= > y not the case. I wish I had noticed Errata ID 3627 earlier. I think it is incorrect on several counts and I'll be looking to properly document my concerns about it. Having said that, I'm OK with the proposal as Tal outlines moving forward as an experimental document. Having said that, ... Autokey was defined with the requirement that its extension field be protected by a MAC. The revising language in Errata 3627 does not address this at all. One immediate recommendation is that 3627 be amended to say that a MAC SHOULD be present in any packet that includes any extension fields. The language about the algorithms and resulting length of MAC payloads is not limiting languaage, it is inclusive language. While 5906 describes an MD5 MAC as producing a 128 bit digest along with a 4 byte keyid, for a 20 byte MAC, and it also describes a 160 bit digest (with no alagorithm named) along with a 4 byte keyid, for a 24 byte MAC. That in no way means these are the only two digest payload lengths that are supported. The NTP Project's Reference Implementation supports other digest algorithms and resulting lengths as well, even though not all of these algorithms are presently fully-implemented in the receiving code. Some of these algorithms produce 512-bit digests, and result in a MAC of 68 bytes' length. Even by the current logic of 3627, if that disambiguation style is considered useful, the shortest extension field possible is 4 bytes. So any extension field before the current MAC can really be *any* allowed length, it's only the *last* extension field where there might be an issue. In this case, it would be better (and still wrong, I thing) to say "the last extension field in a packet cannot be 20 or 24 bytes' long." Given that we've never specified additional extension fields and nobody has requested IANA assign additional Field Types, exactly where is the risk in the disambiguation process I described in my earlier message? If we're really that concerned about this problem, then all we need to do is to create a new extension field, 8 bytes long, which indicates "I am the last extension field", so any data after that would be an old-style MAC. Yes, at first thought this would preclude things like the checksum complement proposal as currently stated, but in actuality it does not, as as the checksum complement proposal is currently *only* allowed to work if there is no MAC protection. > - The status of draft-ietf-ntp-checksum-trailer is experimental. T= > hat means that the definition of the Checksum Complement will be revised in= > the near future, and this revision may be an opportunity to relax the leng= > th requirement, assuming that by that time there will be a clear definition= > of shorter-than-28-octets extension fields. > > Therefore, I would like to suggest to leave the 28-octet length requiremen= > t as-is. Even so, if 3627 stands it says that the minimum Field Length is 28 octets. Also requiring it in this proposal means that we have to eventually clean up the Field Length issue in at least 2 places. Removing the Field Length requirement in the checksum-complement proposal means the Field Length should be adequately described somewhere else, and it is. But again, this is not a huge deal for me in the context of this experimental draft. H -- > Comments will be welcome. > Thanks, > Tal. _______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg
- [ntpwg] The next step of draft-ietf-ntp-checksum-… Tal Mizrahi
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Miroslav Lichvar
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Tal Mizrahi
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Miroslav Lichvar
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Miroslav Lichvar
- Re: [ntpwg] The next step of draft-ietf-ntp-check… dieter.sibold
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Danny Mayer
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Danny Mayer
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Harlan Stenn
- Re: [ntpwg] The next step of draft-ietf-ntp-check… kristof.teichel
- Re: [ntpwg] The next step of draft-ietf-ntp-check… Danny Mayer