IETF Logo Mail Archive

Re: [TICTOC] [ntpwg] New version of draft-mizrahi-ntp-checksum-trailer

Danny Mayer <mayer@ntp.org> Sun, 27 October 2013 19:19 UTC

Return-Path: <mayer@ntp.org>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22C8011E81C3 for <tictoc@ietfa.amsl.com>; Sun, 27 Oct 2013 12:19:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckJn58s1yLbW for <tictoc@ietfa.amsl.com>; Sun, 27 Oct 2013 12:19:24 -0700 (PDT)
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by ietfa.amsl.com (Postfix) with ESMTP id 6C06911E80E9 for <tictoc@ietf.org>; Sun, 27 Oct 2013 12:19:24 -0700 (PDT)
Received: from pool-173-76-231-254.bstnma.fios.verizon.net ([173.76.231.254] helo=[192.168.1.7]) by mail1.ntp.org with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mayer@ntp.org>) id 1VaVrn-000NWs-Sy; Sun, 27 Oct 2013 19:19:18 +0000
Message-ID: <526D671A.7050908@ntp.org>
Date: Sun, 27 Oct 2013 15:18:50 -0400
From: Danny Mayer <mayer@ntp.org>
Organization: NTP
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.0.1
MIME-Version: 1.0
To: Tal Mizrahi <talmi@marvell.com>, "ntpwg@lists.ntp.org" <ntpwg@lists.ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>
References: <74470498B659FA4687F0B0018C19A89C01B87D7A40A6@IL-MB01.marvell.com> <526C30F9.1040400@ntp.org> <74470498B659FA4687F0B0018C19A89C01B87D7A4C6E@IL-MB01.marvell.com> <526D165D.3040902@ntp.org> <74470498B659FA4687F0B0018C19A89C01B87D7A4DC7@IL-MB01.marvell.com>
In-Reply-To: <74470498B659FA4687F0B0018C19A89C01B87D7A4DC7@IL-MB01.marvell.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 173.76.231.254
X-SA-Exim-Rcpt-To: talmi@marvell.com, ntpwg@lists.ntp.org, tictoc@ietf.org
X-SA-Exim-Mail-From: mayer@ntp.org
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
Subject: Re: [TICTOC] [ntpwg] New version of draft-mizrahi-ntp-checksum-trailer
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mayer@ntp.org
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Oct 2013 19:19:25 -0000

On 10/27/2013 9:42 AM, Tal Mizrahi wrote:
> Hi Danny,
> 
>> That also means that the extension field MUST NOT be added by any intermediate nodes if it does not exist.
> 
> I am not sure we want to go there, for 2 reasons:
> 
> 1. Let's not forget that the source and the intermediate node are in
fact two modules in the same client/server (see Figure 1 in the draft).
>From an interoperability perspective it would be exactly the same if the
source created the extension field, or the intermediate node did. Why
would we mandate a specific implementation detail that would be
completely transparent to the network?

Maybe I missed that in the draft, but don't you want the sending server
to decide whether or not it expects the timestamp be updated? Having
intermediate systems update the timestamp and extension field without
the originating server sanctioning it seems even worse (to me).

> 
> 2. A clock that receives an NTP message has no way of knowing
> whether
an extension field was added by the source or by an intermediate node,
and thus there is no way to enforce (enforce from a security
perspective) the requirement you suggested.
> 

True enough but don't you want the originator to have a say in this so
that this becomes a recommendation for developers?

I've added TICTOC to the discussion. It was not in the original mail.

Danny

> Tal.
> 
> 
> -----Original Message-----
> From: Danny Mayer [mailto:mayer@ntp.org] 
> Sent: Sunday, October 27, 2013 3:34 PM
> To: Tal Mizrahi; ntpwg@lists.ntp.org
> Subject: Re: [ntpwg] New version of draft-mizrahi-ntp-checksum-trailer
> 
> On 10/27/2013 3:58 AM, Tal Mizrahi wrote:
>> Hi Danny,
>>
>>> The draft does not state whether or not the source of the packet creates the extension field before it is sent to the recipient.
>>> That needs to be clarified.
>>
>> The source should create the extension field in advance. I will clarify this in the draft.
>>
> 
> That also means that the extension field MUST NOT be added by any intermediate nodes if it does not exist.
> 
> Danny
> 
>>
>>> I am aware that it is easy enough to change the contents of a packet 
>>> AND the UDP checksum and noone would be the wiser
>>
>> Right, I completely agree.
>>
>>> but I don't think that it's good policy.
>>
>>
>> Thanks,
>> Tal.
>>
>>
>> -----Original Message-----
>> From: Danny Mayer [mailto:mayer@ntp.org]
>> Sent: Sunday, October 27, 2013 12:16 AM
>> To: Tal Mizrahi; ntpwg@lists.ntp.org
>> Subject: Re: [ntpwg] New version of draft-mizrahi-ntp-checksum-trailer
>>
>> On 10/21/2013 5:59 AM, Tal Mizrahi wrote:
>>> Hi,
>>> A new version is available:
>>>
>>> http://tools.ietf.org/html/draft-mizrahi-ntp-checksum-trailer-01
>>>
>>> The most significant change since the last draft is that this draft 
>>> is
>>> **not** intended for authenticated mode.
>>>
>>> This was in response to security related concerns from Danny and Harlan.
>>>
>>> I believe the current draft does not present a new security 
>>> vulnerability compared to the existing NTPv4.
>>>
>>> (I think) I managed to convince Harlan of this. I am not sure I 
>>> convinced Danny yetÃ,Â.
>>>
>>
>> Let me try and explain my worries about this extension field.
>> The draft is marked as experimental so it falls into the category of something someone want's to try but won't necessarily make it further than that.
>>
>> The proposal's intent is to allow the packet to be modified in-flight to change the previously provided timestamp with another one. When one does that the packet's existing UDP checksum becomes invalid. In order to deal with this, instead of updating the UDP checksum itself, the extension field is either added, or updated, I'm not clear which, so that the additional set of bits makes the original UDP checksum be correct. The draft does not state whether or not the source of the packet creates the extension field before it is sent to the recipient.
>> That needs to be clarified. Either way the intent of the extension field is just to provide a delta so that the originator's original UDP checksum works. It has no other function. Potentially the timestamp could be updated multiple times by intermediaries and the extension field updated each time. This also means that a MAC cannot be present unless the MAC is updated each time and security like autokey cannot be used.
>>
>> My worry here is that this just provides another way of changing the contents of the NTP packet without disturbing the original UDP checksum.
>> It's not something I would want to encourage. I am aware that it is easy enough to change the contents of a packet AND the UDP checksum and noone would be the wiser but I don't think that it's good policy.
>>
>>
>> Danny
>>
> 
> 
>

v2.23.0 | Report a Bug | By Email