Re: [secdir] secdir review of draft-ietf-ntp-extension-field

Sean Turner <> Wed, 14 October 2015 13:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8D3F51A702A for <>; Wed, 14 Oct 2015 06:34:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Jtq2sT93A9d5 for <>; Wed, 14 Oct 2015 06:34:06 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E6B581A7007 for <>; Wed, 14 Oct 2015 06:34:03 -0700 (PDT)
Received: by ykey125 with SMTP id y125so47064558yke.3 for <>; Wed, 14 Oct 2015 06:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=c8xWxu68Hp0MXPkfp0pceyxbeDtDKJv2AvPmeuRix+U=; b=hrLhryZEBOBGLrYK8qJCKpyMxPgf3eDYCm9m3q2+/3BAIZqHxpkZZhPNh6eAJDHYc0 1x+0aZs/nwSX3SaPUnpl161JuZT29x7hOxxtnB8WkakdrtbG6+BVLF6aN7+jlRPlPOza OnLUoqyFyzDLB+vKASsUfh3d0oEx/KlYTArLc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=c8xWxu68Hp0MXPkfp0pceyxbeDtDKJv2AvPmeuRix+U=; b=QEhMEpoW3Y3We9IpArcmi3pyrVKLKNMnXDMYoVOlVDJhHPRQn67TSirujVyASnXKCh ohi21mXCam0xvODq8jsXsRwAcNL2DR0uj/LQ+zbbDCMij6wbmdIpZCPHAJAFDlk/8O0X Ka1u2xyefN8ZXFBNluG2y2T/Y2ysGAGuzi8AmdK7D6H29FniuQf10dvZL6FYsNB3Zbl3 PHg8Ov1rWu+cO7iR3m9V/bq9rmEFgL0/z9xRGmPMXzmrp+7WSR/4C/lS1ab33/Lxl13h IpcdFJzbbdFY76vNgTZSsbyYEyLxrtY2LiUucxZnPp5guFfizNh1nDCv9J+sbJf/aC5K FWkQ==
X-Gm-Message-State: ALoCoQmdmw53wEOXsRXIjZSooTroLKPS6PpvzUID4v0aSzFjncYO/0rMLCxHjQo/CgNldUjOLuE5
X-Received: by with SMTP id w83mr2495309ywb.285.1444829643228; Wed, 14 Oct 2015 06:34:03 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id s62sm5762889ywg.35.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 Oct 2015 06:34:02 -0700 (PDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Sean Turner <>
In-Reply-To: <>
Date: Wed, 14 Oct 2015 09:34:00 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <>
Cc:,, The IESG <>
Subject: Re: [secdir] secdir review of draft-ietf-ntp-extension-field
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Oct 2015 13:34:08 -0000


Sorry it’s been so long to get back to you on this.  Responses inline (I snipped out he nits and the ones that look like we agreed on).


On Sep 16, 2015, at 13:02, Danny Mayer <> wrote:

> Sorry for the delay in responding. I've been up to my ears in problems.
> See my feedback below.
> Danny
> On 8/27/2015 9:08 AM, Sean Turner wrote:
>> Fear not as this is just the secdir review!
>> I have reviewed this document as part of the security directorate’s
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written with the intent of improving
>> security requirements and considerations in IETF drafts. Comments not
>> addressed in last call may be included in AD reviews during the IESG
>> review.  Document editors and WG chairs should treat these comments
>> just like any other last call comments.
>> draft summary: This draft updates NTPv4 Protocol and Algorithm
>> Specification (aka RFC 5905) s7.5, which is the section that
>> describes extension fields, and to paraphrase the: clarify the
>> relationship between extension fields and MACs and define the
>> behavior of a host that receives an unknown extension field.  Note
>> that when comparing the “OLD” section to RFC 5905, you’ll should note
>> that the “OLD” text incorporates a verified errata
>> (  The “NEW"
>> text requires things like when defining an extension the definition
>> must specify whether it must be MACed or not, the MTI MAC, the length
>> of the MAC, etc.
>> secdir status summary: I need to clarify something in my mind, which
>> I hope fall into the “you missed that in this spec over here” or the
>> “these are *NOT* the droids you’re looking for” bucket, before I can
>> say "ready with nits":
>> 0) says an extension can support multiple MACs, that the
>> extension’s document defines the MTI algorithm & MAC length, and that
>> if more than one algorithm is allowed the extension includes an
>> indication of which one was actually used; all great.  But, I’m
>> trying to figure out how that fits with RFC 5905:
>> - In s7.3, I see "dgst (128)” in f8
>> - In s9.2, I see "There is no specific requirement for
>> authentication; however, if authentication is implemented, then the
>> MD5-keyed hash algorithm described in [RFC1321] must be supported”
>> Doesn’t s7.3 limit the MAC to HMAC-MD5 and the length to 128?  I mean
>> if you’re going to allow an extension to override s9.2 that seems
>> like something worth noting in say the abstract/intro.
> Now that you bring this up, I should tell you that the reference
> implementation implements MD5 and NOT HMAC_MD5 but it also implements
> DES (not 3DES) and SHA-1! None of this is documented of course and the
> packets are inspected for which algorithm to use based on the size of
> the MAC field! Since there is no way to know from the packet whether
> there is one or more extension fields or if there is a MAC present the
> code ends up guessing which in turn limits the size that you can give an
> extension field. This all leads to the strange wording in section
> and in the draft and is necessary to detect the presence
> of a MAC.
> We probably need to update the dgest field in RFC5905 to make it clear
> that it can have multiple lengths depending on the algorithm used. On
> the other hand I would prefer to get rid of the MAC and turn it into an
> extension field, assuming that the NTS/CMS scheme is not used. The
> advantages of that is obvious especially as no guessing would be
> required and we could specify the algorithm to use and you could have
> multiple MAC extension fields that would cover different parts of the
> packet.
>> Thinking there’s got to be a reason for this I went off and looked at
>> the other NTP WG drafts … after finding the NTS & CMS-based specs,
>> are the changes proposed in this draft to to allow an NTP packet blob
>> that doesn’t use the MAC mechanism described in RFC 5905 but instead
>> use the NTS/CMS “scheme”, i.e., an NTP extension that is a CMS
>> object, with no MAC in the 5905 sense - the CMS object instead of the
>> NTP MAC field gives you the authentication?
>> 1) s7.5.1.2 seems to be saying if extension A specifies alg X, and
>> extension B specifies alg X and Y, and extension C specifies alg Y
>> then extension A and B can appear together as can extension B and C,
>> but A and C can’t appear together?   Sounds great, but what if A and
>> C do appear together what happens?
> I think that the draft makes it clear that you cannot have that case
> since it requires that the MAC use one algorithm. "multiple extension
> fields that require a MAC they MUST all require use of the same
> algorithm and MAC length”

Ah that might be it MTI vs MTU.  I was reading this as extension A specifies the MTI (Mandatory to Implement) algorithms X, Y.  What you’re saying is that the definition says extension A MUST use algorithm X.

>> 2) Still on 7.5.12: "If there are multiple extension fields that
>> require a MAC they MUST all require use of the same algorithm and MAC
>> length.”
>> So if I specify extension A with X as the MUST, and extension B with
>> X as the SHOULD and Y as the MUST, then I can’t include both
>> extension A and B?  Extension A requires X, but extension B requires
>> Y.
> That's right.

I guess the IETF review process for extension types should provide some sanity here, but couldn’t this result in multiple versions of the same attribute one for each algorithm?  Extension A requires the use of alg X, Extension A’ requires the use of alg Y, etc?  (then again maybe I’m being dense this morning)

>> 3) s7.5.1.3: What’s the 24-octet limitation based on?
> The MAC guessing game. See the insanity above.

Okay so it’s not just me ;)

>> Minor:
>> 0) The new s7.5 says:
>> The Field Type field is specific to the defined function and is not
>> elaborated here.  If a ….
>> 0.a) I think what you’re trying to say is that the Field Type field
>> is defined in an IANA registry and it’s length and value are defined
>> by the document referred to by the registry?
> Yes.

Might be worth unpacking that in the draft, but I’m certainly not hard over on this ;)

  The Field Type field is specific to the defined function and is not
  elaborated here;  the Field Type field is defined in an IANA registry
  and its length and value are defined by the document referred to
  by the registry.

>> 0.b) Neither RFC5905 nor this document specify how the padding is
>> done.  Is padding determined by the document referred to by the field
>> type?  I.e., can I do padding with all 1s and somebody else do it
>> with all zeros?
> It shouldn't matter. If the extension field specification needs it to be
> specific it should state that in the specification.

ack - you define the extension and the padding just falls out.