Re: [secdir] Review of draft-ietf-tictoc-security-requirements-05

Tal Mizrahi <> Thu, 31 October 2013 07:58 UTC

From: Tal Mizrahi <>
To: Shawn M Emery <>, "" <>
Date: Thu, 31 Oct 2013 09:58:31 +0200
Cc: "Yaakov Stein (" <>, "" <>, "" <>, "" <>

Hi Shawn.

Thanks for your comments. 
We will accommodate them in the next draft.


-----Original Message-----
From: Shawn M Emery [] 
Sent: Tuesday, October 29, 2013 9:18 AM
Subject: Review of draft-ietf-tictoc-security-requirements-05

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This internet-draft describes the threat analysis for time protocols, such as Precision Time Protocol (PTP) and the Network Time Protocol (NTP).

The draft itself discusses security considerations.  I believe the draft adequately covers the various threats and how to mitigate such attacks.  I just have a few comments below:

In regards to this paragraph in section 5.1.3:
    Authentication of slaves prevents unauthorized clocks from receiving
    time services. Preventing the master from serving unauthorized clocks
    can help in mitigating DoS attacks against the master. Note that the
    authentication of slaves might put a higher load on the master than
    serving the unauthorized clock, and hence this requirement is a

I think that this requirement of whether to allow for unauthorized clocks should be a MAY (as does the prior text in this section) and should state that the decision to do this should be based on the environment in which the master and slaves are deployed.

In regards to this paragraph in section 5.2.1:
    The requirement level of the first requirement is 'SHOULD' since in
    the presence of recursive authentication (Section 5.1.2.) this
    requirement may be redundant.

This should state that this is the "second requirement", not the "first requirement".

In section 5.5.1 what's the difference between a replay and playback attack?  If there is such a difference then playback needs to be defined.

In section 5.8, interception attacks are never explicitly described.

I don't understand this sentence:

The erroneous time may expose cryptographic
    algorithms that rely on time to prevent replay attacks.

Does this mean to say "security protocols" instead of "cryptographic algorithms"?

General comments:


Editorial comments:

s/if a slave is/if a slave/

s/(Section 3.2.4.
    )/(Section 3.2.4.)/

s/Additional measure/Additional measures/

Looks like this sentence was truncated:

    The requirements in this subsection address MITM attacks such as the

s/necessarily possible/possible/

s/5.1. ,/Section 5.1.,/

s/in the literature/in literature/

s/in [1588IPsec] and [Tunnel]/[1588IPsec] and [Tunnel]/