A different RFC, eventually. But I'm not in a rush. Let people managing
large scale deployments figure out what works for them and then standardize
around it later.
On Wed, Mar 6, 2019, 13:25 Achim Gratz via devel wrote:
> Daniel Franke via devel writes:
> > That's correct: ensuring interop betw
Daniel Franke via devel writes:
> That's correct: ensuring interop between differing implementations of the
> NTS-KE server and the NTP server is outside the scope of this document.
So what are the plans for that department? Have everything bloom into
chaos or put it into a different RFC?
Regar
On Wed, Mar 6, 2019, 03:33 Hal Murray wrote:
>
> dfoxfra...@gmail.com said:
> > The intended design for running NTS with pool servers is that only the
> pool
> > operator runs an NTS-KE server. The NTS-KE server then picks an
> NTS-enabled
> > NTP server out of the pool and serves you an appropri
dfoxfra...@gmail.com said:
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server op
Daniel Franke via devel writes:
> The intended design for running NTS with pool servers is that only the
> pool operator runs an NTS-KE server. The NTS-KE server then picks an
> NTS-enabled NTP server out of the pool and serves you an appropriate
> NTPv4 Server Negotiation Record. Individual server
Hal Murray via devel writes:
> Gary said:
>>> I would assume that critical infrastructure would be run in a less
>>> insecure environment.
>> Bad assumption. Just look at any data center. There is no way to secure
>> customer machines. Unless you get rid of the customers.
>
> Right. But why wo
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server operators, on a one-time basi
Yo Matthew!
On Mon, 4 Mar 2019 21:35:14 +
Matthew Selsky wrote:
> On Mon, Mar 04, 2019 at 12:11:07PM -0800, Gary E. Miller via devel
> wrote:
>
> > Given the Comodo mess of last week I expect a lot more people will
> > want to do pinning next month.
>
> Do you have a reference for this m
Yo Daniel!
On Mon, 4 Mar 2019 16:32:33 -0500
Daniel Franke wrote:
> On Mon, Mar 4, 2019 at 4:28 PM Gary E. Miller via devel
> wrote:
> > The name in ntp.conf MUST match the name in the cert. Unless you
> > override it ("noval", pin, etc.).
> >
> > > The normal getaddrinfo and friends automa
On Mon, Mar 04, 2019 at 12:11:07PM -0800, Gary E. Miller via devel wrote:
> Given the Comodo mess of last week I expect a lot more people will want to
> do pinning next month.
Do you have a reference for this mess?
Thanks,
-Matt
On Mon, Mar 4, 2019 at 4:28 PM Gary E. Miller via devel
wrote:
> The name in ntp.conf MUST match the name in the cert. Unless you
> override it ("noval", pin, etc.).
>
> > The normal getaddrinfo and friends automatically follow CNAMEs.
> > Thus my comment about needing some DNS code.
>
> Which o
Yo Hal!
On Mon, 04 Mar 2019 12:58:14 -0800
Hal Murray via devel wrote:
> rlaa...@wiktel.com said:
> > CNAMEs don't really help. Certificate validation uses the original
> > name anyway.
>
> I was assuming we could intercept the CNAME and use that for
> certificate validation. Maybe I should
The intended design for running NTS with pool servers is that only the
pool operator runs an NTS-KE server. The NTS-KE server then picks an
NTS-enabled NTP server out of the pool and serves you an appropriate
NTPv4 Server Negotiation Record. Individual server operators, on a
one-time basis, establi
rlaa...@wiktel.com said:
> CNAMEs don't really help. Certificate validation uses the original name
> anyway.
I was assuming we could intercept the CNAME and use that for certificate
validation. Maybe I should have said SRV or TXT or ???
The normal getaddrinfo and friends automatically follow
Yo Hal!
On Mon, 04 Mar 2019 12:46:27 -0800
Hal Murray via devel wrote:
> Gary said:
> >> I would assume that critical infrastructure would be run in a less
> >> insecure environment.
> > Bad assumption. Just look at any data center. There is no way to
> > secure customer machines. Unless yo
Gary said:
>> I would assume that critical infrastructure would be run in a less
>> insecure environment.
> Bad assumption. Just look at any data center. There is no way to secure
> customer machines. Unless you get rid of the customers.
Right. But why would you run your NTS-KE server on a
Yo Hal!
On Mon, 04 Mar 2019 01:58:23 -0800
Hal Murray via devel wrote:
> Gary said:
> >> Otherwise, either do full validation or don't bother with NTS
> >> at all. Pinning counts as full validation.
>
> > I'd be happy if we had per host pinning instead of "noval".
>
> How is per-host pinn
Yo Hal!
On Mon, 04 Mar 2019 02:11:04 -0800
Hal Murray via devel wrote:
> Gary said:
> > Think data center. The data center controls the LAN, but the
> > customers control what is in the containers. Or the hacker that
> > used the latest Wordpress bug to take over the container. And
> > break
Hal Murray via devel writes:
>>> There is no security in the pool anyway, so let's put that discussion
>>> aside for a while.
>> I'd take exception with that statement. If the pool was upgraded to use NTS
>> one way or the other, it _would_ provide some extra security over the status
>> quo. It's
Kurt Roeckx via devel writes:
> There currently isn't a protocol defined between the NTP server
> and the NTS-KE. This would mean that if you want to use it with
> the pool that such a protocol would need to be defined.
A more practical solution until that's been hashed out is to require an
NTS ma
On 3/4/19 3:46 AM, Hal Murray via devel wrote:
> Plan A is to give all the servers the certificate and private key for
> time.nist.gov and do the load sharing via traditional DNS rotation. The
> disadvantage with that is that there are many copies of the private key out
> there. One leak and t
Hal Murray via devel :
> Eric said:
> > Trying to change that by breaking out a separate NTS-KE server would
> > introduce a lot of complexity when we could achieve the same result by
> > pointing the ntpd instances at a common key on a fileshare.
>
> That adds the fileshare to the security tangl
Gary said:
> Think data center. The data center controls the LAN, but the customers
> control what is in the containers. Or the hacker that used the latest
> Wordpress bug to take over the container. And breaking out of a container
> to infect the motherboard is not that hard.
I would assum
Eric said:
> Trying to change that by breaking out a separate NTS-KE server would
> introduce a lot of complexity when we could achieve the same result by
> pointing the ntpd instances at a common key on a fileshare.
That adds the fileshare to the security tangle and probably complicates the
sta
Gary said:
>> Otherwise, either do full validation or don't bother with NTS
>> at all. Pinning counts as full validation.
> I'd be happy if we had per host pinning instead of "noval".
How is per-host pinning normally implemented?
We have the option to use a local file of trusted/root certific
>> There is no security in the pool anyway, so let's put that discussion
>> aside for a while.
> I'd take exception with that statement. If the pool was upgraded to use NTS
> one way or the other, it _would_ provide some extra security over the status
> quo. It's a different kind of security th
> We've established not so long ago that a single NTP server can serve a lot of
> clients. The number of servers is driven by the network topology more
> likely, i.e. say you want one NTP server per network span or subnet, so the
> server has low latency to each of its clients and doesn't send p
Yo Kurt!
On Mon, 4 Mar 2019 00:35:24 +0100
Kurt Roeckx wrote:
> > > But it is present in chrony. It supports both interleaved mode
> > > and hardware timestamping.
> >
> > I'm looking for it, but can not find it. Can you point out where?
> >
> > I do see that chronyd has a "PTP hardware clo
On Sun, Mar 03, 2019 at 03:30:53PM -0800, Gary E. Miller via devel wrote:
> Yo Kurt!
>
> On Mon, 4 Mar 2019 00:19:44 +0100
> Kurt Roeckx via devel wrote:
>
> > > Actually getting timestamps from the NIC is fairly involved. The NIC
> > > has its own clock and its own oscillator, which has to care
Yo Kurt!
On Mon, 4 Mar 2019 00:19:44 +0100
Kurt Roeckx via devel wrote:
> > Actually getting timestamps from the NIC is fairly involved. The NIC
> > has its own clock and its own oscillator, which has to carefully be
> > kept in sync with the system clock. Furthermore, all the APIs for
> > doing
On Sun, Mar 03, 2019 at 05:59:11PM -0500, Daniel Franke wrote:
> On Sun, Mar 3, 2019 at 8:45 AM Kurt Roeckx via devel wrote:
> > On Sun, Mar 03, 2019 at 05:23:31AM -0800, Hal Murray wrote:
> > >
> > > k...@roeckx.be said:
> > > > If this is something you're worried about, this can be solved with t
On Sun, Mar 3, 2019 at 8:45 AM Kurt Roeckx via devel wrote:
> On Sun, Mar 03, 2019 at 05:23:31AM -0800, Hal Murray wrote:
> >
> > k...@roeckx.be said:
> > > If this is something you're worried about, this can be solved with the
> > > interleave mode, which was removed.
> >
> > How well does it wor
Yo Hal!
On Sat, 02 Mar 2019 22:45:05 -0800
Hal Murray via devel wrote:
> Gary said:
> >> Which ones do you intend to relax? And in any case you don't need a
> >> whole CA, you can pin a self-signed cert and still do full
> >> validation on it.
> > Except we can't. The current NTPsec code does
Yo Hal!
On Sat, 02 Mar 2019 23:49:14 -0800
Hal Murray via devel wrote:
> devel@ntpsec.org said:
> > Partial validation means you don't follow the cert chain to the
> > root. In the off-net scenario, it means you stop following the chain
> > when you'd have to go outside the network perimeter you'
On Sun, Mar 03, 2019 at 10:25:31PM +0100, Achim Gratz via devel wrote:
> Kurt Roeckx via devel writes:
> > I don't see how it can work with the current pool system. You look
> > something up like pool.ntp.org and get some IP addresses. But none
> > of those will have a certificate for pool.ntp.org,
Kurt Roeckx via devel writes:
> I don't see how it can work with the current pool system. You look
> something up like pool.ntp.org and get some IP addresses. But none
> of those will have a certificate for pool.ntp.org, so the
> verification of the certificate will fail.
You will still look up a
On Sun, Mar 03, 2019 at 08:56:55PM +0100, Achim Gratz via devel wrote:
> Hal Murray via devel writes:
> > There is no security in the pool anyway, so let's put that discussion
> > aside for a while.
>
> I'd take exception with that statement. If the pool was upgraded to use
> NTS one way or the o
Hal Murray via devel writes:
> I thought most systems came with a collection of trusted/root certificates.
> What do I have to go outside-the-network to get?
You'll have to check the cert chain until you hit one of those trust
anchors that can't be otherwise checked since they're the start of th
Hal Murray via devel writes:
> There is no security in the pool anyway, so let's put that discussion
> aside for a while.
I'd take exception with that statement. If the pool was upgraded to use
NTS one way or the other, it _would_ provide some extra security over
the status quo. It's a different
Kurt Roeckx :
> If this is something you're worried about, this can be solved with
> the interleave mode, which was removed.
The interleave mode was removed because it was broken. There was a small but
fatal error in the packet construction. I don't remember the details, but
Daniel Franke did it
Hal Murray :
> > Let me take a different tack: can we move the auth computation off path?
>
> Nope. The auth includes the whole packet. Can't do the auth until you know
> the time that you are going to put in the packet.
I was expecting that answer, but the question had to be asked.
> We can me
On Sun, Mar 03, 2019 at 05:23:31AM -0800, Hal Murray wrote:
>
> k...@roeckx.be said:
> > If this is something you're worried about, this can be solved with the
> > interleave mode, which was removed.
>
> How well does it work?
It works great, the errors are much smaller when it's enabled.
> Is
k...@roeckx.be said:
> If this is something you're worried about, this can be solved with the
> interleave mode, which was removed.
How well does it work?
Is there an option to get a kernel timestamp on transmit packets?
--
These are my opinions. I hate spam.
On Sat, Mar 02, 2019 at 09:23:51PM -0800, Hal Murray via devel wrote:
> *) There is actually one interesting point that authentication makes more
> interesting. On receive, we get a time stamp when the packet arrives. We
> can
> take all day to inspect the packet and run authentication code.
> Let me take a different tack: can we move the auth computation off path?
Nope. The auth includes the whole packet. Can't do the auth until you know
the time that you are going to put in the packet.
We can measure how long it takes and advance the time to compensate.
--
These are my opinions
Hal Murray :
>
> e...@thyrsus.com said:
> >> My big concern is that nobody else seems to be testing it. There may be
> >> dragons that I haven't poked.
> > Understood. Unfortunately I myself can't be much help here - my outside
> > view
> > of NTP is still weak, I have only limited ability to
devel@ntpsec.org said:
> Partial validation means you don't follow the cert chain to the root. In the
> off-net scenario, it means you stop following the chain when you'd have to go
> outside the network perimeter you're in. ...
> https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinnin
Achim Gratz said:
>> Why do we need a standalone NTS-KE server?
> Because you only want one NTS-KE per any number of ntpd on a large fleet of
> hardware (think a warehouse full of compute racks) and of course the NTP pool
> servers will not work with NTS any other way.
There is no security in t
Gary said:
>> Which ones do you intend to relax? And in any case you don't need a
>> whole CA, you can pin a self-signed cert and still do full validation
>> on it.
> Except we can't. The current NTPsec code does not support any cert
> fanciness.
For some value of "any" or "fancy".
You can pr
e...@thyrsus.com said:
>> My big concern is that nobody else seems to be testing it. There may be
>> dragons that I haven't poked.
> Understood. Unfortunately I myself can't be much help here - my outside view
> of NTP is still weak, I have only limited ability to recognize what normal
> opera
Yo Daniel!
On Fri, 1 Mar 2019 23:59:22 -0500
Daniel Franke wrote:
> Which ones do you intend to relax? And in any case you don't need a
> whole CA, you can pin a self-signed cert and still do full validation
> on it.
Except we can't. The current NTPsec code does not support any cert
fanciness.
Yo Hal!
On Fri, 01 Mar 2019 21:46:56 -0800
Hal Murray via devel wrote:
> Gary said:
> > Because that is the initial use case. If each ntpd had nts-ke in
> > it then there would be no need for such a complicated protocol.
>
> > The way Mark explained it to me, you want one NTS-KE per aisle, o
Yo Eric!
On Sat, 2 Mar 2019 12:52:49 -0500
"Eric S. Raymond" wrote:
> Gary E. Miller via devel :
> > > > The way Mark explained it to me, you want one NTS-KE per aisle,
> > > > or per rack. That limits the number of servers, with keys,
> > > > that need to be protected.
> > >
> > > I now t
On Sat, Mar 2, 2019 at 12:36 PM Gary E. Miller via devel
wrote:
> Yes, but you seriously reduce the attack time window. Instead of
> a possible MitM every few seconds, you need to grab the one time the
> cookies are shared.
No you don't, because a MitM who appears at any time can drop time
packe
Gary E. Miller via devel :
> > > The way Mark explained it to me, you want one NTS-KE per aisle, or
> > > per rack. That limits the number of servers, with keys, that need
> > > to be protected.
> >
> > I now think this plan is a mistake and that Hal did the right thing by
> > building key serv
Yo Daniel!
On Sat, 2 Mar 2019 09:40:30 -0500
Daniel Franke wrote:
> On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel
> wrote:
> > Not complete security, but at least encryption. And there are
> > levels of validation. If you are off net, you can't completely
> > validate the cert, but
Yo Eric!
On Sat, 2 Mar 2019 11:36:03 -0500
"Eric S. Raymond" wrote:
> Gary E. Miller via devel :
> > The way Mark explained it to me, you want one NTS-KE per aisle, or
> > per rack. That limits the number of servers, with keys, that need
> > to be protected.
>
> I now think this plan is a mi
Hal Murray :
>
> Eric said:
> >> I've been collecting major items in devel/TODO-NTS
> > Is there some reason this isn't just a section in nts.adoc? (Which may need
> > some GC at this point.) The whole idea of that document was to be a planning
> > whiteboard.
>
> Only signal to noise. I was t
Gary E. Miller via devel :
> The way Mark explained it to me, you want one NTS-KE per aisle, or
> per rack. That limits the number of servers, with keys, that need
> to be protected.
I now think this plan is a mistake and that Hal did the right thing by
building key service into ntpd itself.
Try
Hal Murray :
> > I'll take responsibility for the documentation.
>
> Thanks.
>
> Be sure to include a section that says that NTS doesn't guarantee good time,
> just that you are talking to the system you expect to talk to. (modulo typos
> and such)
That's true of all three forms of authentica
Hal Murray via devel writes:
>> Not complete security, but at least encryption. And there are levels of
>> validation. If you are off net, you can't completely validate the cert, but
>> you can partially validate it. Maybe you would want to pin it.
>
> What does partial validation mean? What do
Hal Murray via devel writes:
> Gary said:
>> It is missing key rotation. Also how to share keys between standalone NTS-KE
>> and NTPD.
>
> Why do we need a standalone NTS-KE server?
Because you only want one NTS-KE per any number of ntpd on a large fleet
of hardware (think a warehouse full of com
On Fri, Mar 1, 2019 at 11:39 PM Gary E. Miller via devel
wrote:
> Not complete security, but at least encryption. And there are
> levels of validation. If you are off net, you can't completely
> validate the cert, but you can partially validate it. Maybe you
> would want to pin it.
Encryption
> I'll take responsibility for the documentation.
Thanks.
Be sure to include a section that says that NTS doesn't guarantee good time,
just that you are talking to the system you expect to talk to. (modulo typos
and such)
--
These are my opinions. I hate spam.
> And the NTS-KE and NTPD are NOT on the same host?
No. I misinterpreted your question.
>> I don't understand that use case. Without checking the certificate,
>> you have no real security.
> Not complete security, but at least encryption. And there are levels of
> validation. If you are off
Gary said:
> Because that is the initial use case. If each ntpd had nts-ke in it then
> there would be no need for such a complicated protocol.
> The way Mark explained it to me, you want one NTS-KE per aisle, or per rack.
> That limits the number of servers, with keys, that need to be protecte
Which ones do you intend to relax? And in any case you don't need a whole
CA, you can pin a self-signed cert and still do full validation on it.
On Fri, Mar 1, 2019, 23:41 Gary E. Miller via devel
wrote:
> Yo Daniel!
>
> On Fri, 1 Mar 2019 21:26:15 -0500
> Daniel Franke wrote:
>
> > On Fri, Mar
Yo Daniel!
On Fri, 1 Mar 2019 21:26:15 -0500
Daniel Franke wrote:
> On Fri, Mar 1, 2019 at 7:01 PM Gary E. Miller via devel
> wrote:
> > "noval" is not mostly for debugging. It is essential for off
> > network operation.
>
> There's no point in doing NTS if you're not doing certificate
> va
Yo Hal!
On Fri, 01 Mar 2019 19:55:15 -0800
Hal Murray via devel wrote:
> Gary said:
> > It is missing key rotation. Also how to share keys between
> > standalone NTS-KE and NTPD.
>
> Why do we need a standalone NTS-KE server?
Because that is the initial use case. If each ntpd had nts-ke in
Gary said:
> It is missing key rotation. Also how to share keys between standalone NTS-KE
> and NTPD.
Why do we need a standalone NTS-KE server?
> Gary said:
> "noval" is not mostly for debugging. It is essential for off network
> operation.
I don't understand that use case. Without checkin
On Fri, Mar 1, 2019 at 7:01 PM Gary E. Miller via devel
wrote:
> "noval" is not mostly for debugging. It is essential for off
> network operation.
There's no point in doing NTS if you're not doing certificate
validation. The result isn't any more secure than unauthenticated NTP.
Eric said:
>> I've been collecting major items in devel/TODO-NTS
> Is there some reason this isn't just a section in nts.adoc? (Which may need
> some GC at this point.) The whole idea of that document was to be a planning
> whiteboard.
Only signal to noise. I was trying to capture the big ide
Hal Murray :
>
> > What still needs to be done to fully land this feature? Key rotation?
> > Anything else?
>
> I've been collecting major items in devel/TODO-NTS
Is there some reason this isn't just a section in nts.adoc? (Which
may need some GC at this point.) The whole idea of that document
Yo Hal!
On Fri, 01 Mar 2019 15:46:49 -0800
Hal Murray via devel wrote:
> > What still needs to be done to fully land this feature? Key
> > rotation? Anything else?
>
> I've been collecting major items in devel/TODO-NTS
It is missing key rotation. Also how to share keys between
standalone NT
> What still needs to be done to fully land this feature? Key rotation?
> Anything else?
I've been collecting major items in devel/TODO-NTS
Mostly, it needs testing and probably an overview level documentation.
Something high level rather than the details of how to configure it. Maybe a
HOW