[secdir] Fwd: [Ntp] comments on draft-ietf-ntp-using-nts-for-ntp-23
Sandra Murphy <sandy@tislabs.com> Tue, 10 March 2020 14:09 UTC
Return-Path: <sandy@tislabs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 408F73A1382 for <secdir@ietfa.amsl.com>; Tue, 10 Mar 2020 07:09:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.232
X-Spam-Level:
X-Spam-Status: No, score=-1.232 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mE1vweorQ7X for <secdir@ietfa.amsl.com>; Tue, 10 Mar 2020 07:09:38 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C48693A137A for <secdir@ietf.org>; Tue, 10 Mar 2020 07:09:32 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id B80EF28B003D for <secdir@ietf.org>; Tue, 10 Mar 2020 10:09:31 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id A17401F8056; Tue, 10 Mar 2020 10:09:31 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_18A53095-ED99-4B60-A0D4-3E8C95B02746"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 10 Mar 2020 10:09:29 -0400
References: <43842926-38F3-4274-904B-AEBE8248E9A2@tislabs.com>
To: secdir@ietf.org
Message-Id: <A4C359A3-CD79-4113-99E0-A6C558D2184D@tislabs.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Icn_HT0zmlUUaAzHd2VjzfumMbA>
Subject: [secdir] Fwd: [Ntp] comments on draft-ietf-ntp-using-nts-for-ntp-23
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 14:09:40 -0000
I reviewed draft-ietf-ntp-using-nts-for-ntp out of personal interest. Daniel Franke, the principal author, noted yesterday that no secdir assignment had been made. He and Tero decided that my review should stand as the secdir review. Here is my message to the ntp wg and the detailed comments. —Sandy > Begin forwarded message: > > From: Sandra Murphy <sandy@tislabs.com> > Subject: Re: [Ntp] comments on draft-ietf-ntp-using-nts-for-ntp-23 > Date: March 5, 2020 at 9:57:10 AM EST > To: ntp@ietf.org > Cc: Sandra Murphy <sandy@tislabs.com> > > I realize that I did not include one concern about the security considerations. Section 9.7 NTS Stripping talks about the client being deceived into reverting to plain NTP. There’s no discussion of the server being deceived into responding with plain NTP. An adversary who stripped the NTS extensions from the a NTP request would lead the server to reply without the expected NTS extensions in the response. What should/would the client do if it receives a non-NTS enhanced response to a NTS enhanced request? > > [Steve Bellovin would frequently suggest that there should be a way for a recipient to know to expect security protections to prevent such downgrade attacks. I don’t think there is a way in this case.] > > —Sandy > >> On Mar 4, 2020, at 7:06 PM, Sandra Murphy <sandy@tislabs.com> wrote: >> >> I am not an NTP participant but curious about vulnerabilities of NTP so I looked at NTS on last Fri, 28 Feb. >> >> Unfortunately, that was the last day of the IETF last call, so I have comments and they are arriving after the last call. >> >> So give these comments the consideration they deserve - they come late from someone who lacks context. >> >> Detailed comments attached. Overall comments here: >> >> Section 1 makes it clear that there is an intentional separation between the NTS-KE server and the NTP server, although it is allowed that both services could be resident on the same host. Figure 1 also makes it appear that the NTS-KE server may be associated with a large number of NTP servers, with unspecified means of communicating between them. Reading through, I was struck by how much the NTS-KE server must know about the NTP server - in Section 4.1.5 what algorithms it would support, in Section 6 the keying material it would accept. I was puzzled at how this could work in the post.ntp.org set of volunteer NTP servers. Then in Section 6, I saw a reference to “load-balanced cluster”, which would easily account for the NTS-KE server’s knowledge of the NTP servers’ configurations. More explanations of the supportable (current and potential) architectures would be very helpful. >> >> I believe it would be helpful for the implementers to have an explicit list of what the NTS-KE server must know about the NTP servers (address, algorithms supported, shared keys in use, cookie construction, protocol IDs accepted, anything else?) and what the communication between the NTS-KE server and the NTP server must provide (what Figure 1 calls “Shared cookie encryption parameters”). >> >> Some of the text concerns the interactions with the NTS-KE server, some concerns the interactions with the NTP server. The word “server” is used throughout. There are cases where it is not clear which type of server is meant from context. >> >> I found several cases where I was not sure what the error conditions should be handled, when requirements are not met, when an exchange fails, when an error condition is received, etc. In some sections, the receiver’s action upon receiving one message is explained but for other messages is not. >> >> Normative language: There are places where the text says “should” not “SHOULD” and it was not clear the RFC2119 language was intended. In particular, Section 6 uses “should” many times. Perhaps that was intentional since this section is not normative. I’m not sure what should (sic) be the usage in that case. “In general” appears many times, which begs the question of when it is or is not the case. On page 21, the text says “In general, however, the server MUST”. I’m not sure what that means to an implementer. The following language talks about exceptions, so perhaps the “In general” means “where there is no exception”. >> >> The document sets up an IANA registry for the Protocol ID. Is it necessary to stipulate what a specification of a new Protocol ID must include? Must it include a cookie format, for example? >> >> On page 21, the caption for Figure 5 should be “NTS-protected NTP Time Synchronization Messages”. It is an NTP exchange, not an NTS exchange. >> >> Section 9.4 page 36 - Is there a reference for “NTP_PHASE_MAX?” A web search found only references to this draft and to a “kernel constant” in various *nx man pages. >> >> In Section 6, the identifier “I” is used as a salt. RFC5869 says the salt is random. Should the text about choosing the “non-secret, unique” identifier mention random / unpredictable as well? >> >> —Sandy >> <draft-ietf-ntp-using-nts-for-ntp.detailedcomments.txt> >> >> >> _______________________________________________ >> ntp mailing list >> ntp@ietf.org >> https://www.ietf.org/mailman/listinfo/ntp >
- [secdir] Fwd: [Ntp] comments on draft-ietf-ntp-us… Sandra Murphy
- Re: [secdir] [Ntp] comments on draft-ietf-ntp-usi… Sandra Murphy