Re: [TICTOC] [ntpwg] security ID submitted for review

Kurt Roeckx <kurt@roeckx.be> Wed, 07 August 2013 11:45 UTC

Date: Wed, 07 Aug 2013 13:45:30 +0200
From: Kurt Roeckx <kurt@roeckx.be>
To: "David L. Mills" <mills@udel.edu>
Message-ID: <20130807114530.GA20391@roeckx.be>
References: <51FAC820.3090401@udel.edu> <20130803174008.GA17578@roeckx.be> <52019C7B.9070602@udel.edu> <20130807102324.GA17618@roeckx.be>
Cc: NTP Working Group <ntpwg@lists.ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>
Subject: Re: [TICTOC] [ntpwg] security ID submitted for review

On Wed, Aug 07, 2013 at 12:23:24PM +0200, Kurt Roeckx wrote:
> The problem I see with only sending the MAC over the ntp headers
> and not over the extensions is that the extensions can be removed
> or added and the client can't tell.  So it could for instance
> be replaced with an old version of the extension. I think it's
> important that the MAC covers everything.

You could of course also add a timestamp indicating when the
signature of the extension expires.  I think we should do
that in any case.

Then I'm not sure if there is still a need to sign the
whole packet.  Can all extensions be signed? Is there a
need to sign them all?


Kurt
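An added illustration of the two points in this thread (example code, not from the thread or from any NTP implementation): a MAC computed over the 48-byte header alone lets an extension field be swapped for an older version without the verifier noticing, while a MAC over header plus extensions catches it; an expiry timestamp carried inside the extension lets the verifier refuse stale fields even when the MAC is valid. The key, field type, expiry layout and payloads are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed values; the key, field type and payloads are not from the
# thread or from any NTP registry.
KEY = b"example-shared-key"
FIELD_TYPE = 0x7F01  # hypothetical extension field type


def build_header(transmit_ts: int) -> bytes:
    """48-byte NTPv4 header: LI/VN/mode, stratum, poll, precision, then
    root delay/dispersion, reference id and three zeroed timestamps,
    followed by the transmit timestamp."""
    return struct.pack("!BBbb", 0x23, 2, 6, -20) + b"\x00" * 36 + struct.pack("!Q", transmit_ts)


def extension(valid_until: int, value: bytes) -> bytes:
    """Extension field: type, total length, a 32-bit expiry (assumed
    layout), then the value padded to a 4-byte boundary."""
    body = struct.pack("!I", valid_until) + value
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", FIELD_TYPE, 4 + len(body)) + body


def mac_header_only(header: bytes, extensions: list) -> bytes:
    return hmac.new(KEY, header, hashlib.sha256).digest()


def mac_full(header: bytes, extensions: list) -> bytes:
    return hmac.new(KEY, header + b"".join(extensions), hashlib.sha256).digest()


def accept(mac_fn, header, extensions, mac, now) -> bool:
    """Verifier: the MAC must match and no extension may be past expiry."""
    if not hmac.compare_digest(mac_fn(header, extensions), mac):
        return False
    return all(now <= struct.unpack("!I", e[4:8])[0] for e in extensions)


def swap_rejected(mac_fn) -> bool:
    """Sign a packet carrying the current extension, then present the same
    header and MAC with an older version of the field swapped in."""
    header, now = build_header(0x1234567800000000), 1_375_875_930
    current = extension(now + 60, b"policy-v2")
    stale = extension(now + 60, b"policy-v1")
    mac = mac_fn(header, [current])
    return not accept(mac_fn, header, [stale], mac, now)


def expiry_rejected() -> bool:
    """With the MAC over everything, an expired extension is still refused."""
    header, now = build_header(0x1234567800000000), 1_375_875_930
    old = extension(now - 1, b"policy-v1")
    return not accept(mac_full, header, [old], mac_full(header, [old]), now)
```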