IETF Logo Mail Archive

Re: [TICTOC] [ntpwg] New Draft: draft-mizrahi-ntp-checksum-trailer-00

Tal Mizrahi <talmi@marvell.com> Mon, 29 July 2013 20:47 UTC

Return-Path: <talmi@marvell.com>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5844721E80B6 for <tictoc@ietfa.amsl.com>; Mon, 29 Jul 2013 13:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCWZznAqmT5F for <tictoc@ietfa.amsl.com>; Mon, 29 Jul 2013 13:46:54 -0700 (PDT)
Received: from na3sys009aog130.obsmtp.com (na3sys009aog130.obsmtp.com [74.125.149.143]) by ietfa.amsl.com (Postfix) with ESMTP id 6736221F9AF0 for <tictoc@ietf.org>; Mon, 29 Jul 2013 13:46:41 -0700 (PDT)
Received: from sc-owa02.marvell.com ([199.233.58.137]) (using TLSv1) by na3sys009aob130.postini.com ([74.125.148.12]) with SMTP ID DSNKUfbUqu+6CC+fcdlrICBhYUm7QwV/gJYt@postini.com; Mon, 29 Jul 2013 13:46:54 PDT
Received: from YK-HUB02.marvell.com (10.4.102.52) by sc-owa02.marvell.com (10.93.76.22) with Microsoft SMTP Server (TLS) id 8.3.213.0; Mon, 29 Jul 2013 13:46:25 -0700
Received: from IL-MB01.marvell.com ([10.4.102.53]) by YK-HUB02.marvell.com ([10.4.102.52]) with mapi; Mon, 29 Jul 2013 23:46:22 +0300
From: Tal Mizrahi <talmi@marvell.com>
To: "mayer@ntp.org" <mayer@ntp.org>
Date: Mon, 29 Jul 2013 23:46:18 +0300
Thread-Topic: [ntpwg] New Draft: draft-mizrahi-ntp-checksum-trailer-00
Thread-Index: Ac6MfF2W1x+yez/FRUqrWDIU8z4VJgAHyJaA
Message-ID: <74470498B659FA4687F0B0018C19A89C01A0FA109DCC@IL-MB01.marvell.com>
References: <74470498B659FA4687F0B0018C19A89C01A0F9C9380F@IL-MB01.marvell.com> <51F69E59.9010403@ntp.org>
In-Reply-To: <51F69E59.9010403@ntp.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ntpwg@lists.ntp.org" <ntpwg@lists.ntp.org>, "tictoc@ietf.org" <tictoc@ietf.org>, "David L. Mills" <mills@udel.edu>
Subject: Re: [TICTOC] [ntpwg] New Draft: draft-mizrahi-ntp-checksum-trailer-00
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 20:47:00 -0000

Hi Danny,

I understand your concern, and I would like to clarify an important point: I believe the functionality described in this draft is useful in unauthenticated mode, and not useful in authenticated mode. In authenticated mode, an intermediate entity that changes the packet would have to re-compute the MAC, so re-computing the UDP checksum as well does not significantly complicate the intermediate entity.

I tried to explain this point in the draft (the text is quoted below), but if the working group feels strongly about it I am willing to make it a stronger statement - that the checksum trailer is only  relevant to unauthenticated mode, and is not to be used in authenticated mode.

Danny, does this make sense?

Quoting from section 3.4 of the draft:
   While a Checksum Trailer MAY be used when authentication is enabled,
   in practice the Checksum Trailer is more useful in unauthenticated
   mode, allowing the intermediate entity to perform serial processing
   of the packet without storing-and-forwarding it.


Tal.


-----Original Message-----
From: Danny Mayer [mailto:mayer@ntp.org] 
Sent: Monday, July 29, 2013 6:55 PM
To: Tal Mizrahi
Cc: ntpwg@lists.ntp.org; tictoc@ietf.org; David L. Mills
Subject: Re: [ntpwg] New Draft: draft-mizrahi-ntp-checksum-trailer-00

I have serious concerns about this draft. I effect it seems to say that any intermediate mode can alter the contents of the packet in flight and thus encourage a MIM attack. Furthermore it recommends recomputing the MAC. Why bother to do it this way if you can just recompute the MAC (if
any) and then UDP checksum and place it in the UDP checksum field. I'd rather have the new timestamp placed in the extension field so that the receiving server can use it or not.

The security considerations makes no mention of these issues.

Danny

v2.23.0 | Report a Bug | By Email