Re: [secdir] Secdir last call review of draft-ietf-ntp-mode-6-cmds-08

Brian Haberman <brian@innovationslab.net> Sat, 13 June 2020 18:15 UTC

To: Daniel Franke <dafranke@akamai.com>, secdir@ietf.org
Cc: ntp@ietf.org, last-call@ietf.org, draft-ietf-ntp-mode-6-cmds.all@ietf.org
References: <159206148916.27533.2080482554461273224@ietfa.amsl.com>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <4251f262-22f7-3b7d-41d4-e0c3ef1da1b8@innovationslab.net>
Date: Sat, 13 Jun 2020 14:15:21 -0400
In-Reply-To: <159206148916.27533.2080482554461273224@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cV7s9Kmm4uhfJyhcSeEPZwvMYP0>
Subject: Re: [secdir] Secdir last call review of draft-ietf-ntp-mode-6-cmds-08
List-Id: Security Area Directorate <secdir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>

Thanks for the review, Daniel. A quick follow-up below for those of you
playing along at home...

On 6/13/20 11:18 AM, Daniel Franke via Datatracker wrote:
> Reviewer: Daniel Franke
> Review result: Ready
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written with the intent of improving security requirements and
> considerations in IETF drafts.  Comments not addressed in last call may be
> included in AD reviews during the IESG review.  Document editors and WG chairs
> should treat these comments just like any other last call comments.
> 
> This document describes a historic protocol whose design falls far short of
> modern IETF standards. Its myriad issues are well-described in the Security
> Considerations section.
> 
> There has been some debate as to whether the appropriate status for this
> document is Historic or Informational. I believe the currently-intended
> Historic status is more appropriate. The argument I have heard repeatedly in
> favor of Informational status is that it is not appropriate to classify a
> protocol as Historic until a better alternative exists with a published
> specification. I believe that better alternative exists, which is to have no
> standard at all. It's perfectly fine for NTP monitoring and management
> protocols to be vendor-specific. In virtually all legitimate uses ("legitimate"
> so as to exclude RDoS attacks), both sides of the protocol run on systems
> managed by the same organization and the need for vendor-specific tools is not
> a practical issue. Lack of standardization is already the status quo, since
> there are many widely-used NTP implementations out there but only the Network
> Time Foundation implementation and its derivatives (such as NTPsec) support
> this protocol. I know of nobody who has ever been inconvenienced by this;
> standardization is a solution in search of a problem.
> 
> 

Interestingly enough, RFC 1305 actually says this...

"Ordinarily, these functions can be implemented using a
network-management protocol such as SNMP and suitable extensions to the
MIB database. However, in those cases where such facilities are not
available, these functions can be implemented using special NTP control
messages described herein."

SNMP exists and the NTP WG published RFC 5907 to cover the MIB support
needed by NTP. I believe that also counts as a better alternative.

Regards,
Brian