Reviewer: Tim Chown
Review result: Ready with Nits

Hi,

I have reviewed this document as part of the Internet Area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes a tool named Khronos which can be run alongside NTPv4 to mitigate against time-shifting attacks. It achieves this by running less frequent (than NTP) queries to a small random set of NTP servers (around ~10-15) drawn from a large pool (perhaps ~500), and comparing the resulting time offsets to those of the system NTP clock.

The document is generally well-written, and for its heavier theoretical detail refers to a paper published elsewhere by the authors.

I believe the document is close to being ready for publication (Ready with Nits). I have only a small number of general comments and nits.

General comments:

The term man in the middle (MitM) is used a lot, and includes scenarios where an attacker owns the NTP server being queried. Personally, I’d not consider that a MitM attack as I’d consider the “middle” the elements between the client and server. Maybe clarify your meaning.

Is there an assessment of the impact on the existing NTP pool if Khronos is widely implemented? It seems that there will be more queries overall, but perhaps to a more scattered set of servers?

On the security side, does it matter that an observer may be able to detect when Khronos is being used, by its use of ~500 NTP servers instead of the usual small fixed number of servers?

Also, how ‘random’ is the selection of servers from the pool? Might it be predictable, and if so does that pose risks?

I suppose certain MitM vulnerabilities are more ‘sweeping’ than others, like a bad actor controlling a major or exclusively used uplink, and thus rather harder to even impossible to mitigate? This is the worst case of the second scenario in 4.3? (Which also seems to say >2/3 controlled, then just below 1/4 controlled?).

Nits:

The word ‘byzantine’ is used several times before it is explained, even with forward references (except in the start of 4.1) to 4.3, and then in 4.3 I can't find any use of the word. It would be nice to have it explained on first use.

In a few places the section referencing appears as Section Section.

A couple of Khoronos instances (extra ‘o’).

Best wishes,
Tim