Re: [Last-Call] [Ntp] Secdir last call review of draft-ietf-ntp-chronos-16

Danny Mayer <mayer@xxxxxxxxxxxxxxxxx> · Fri, 14 Jul 2023 18:17:50 -0400



    Can this be added to the security considerations section of the
      draft?
    Danny

    
    On 7/11/23 3:03 PM, Michael Schapira
      wrote:

    
        Hi everyone,
        

        Following up on the above discussion, I wanted to point out
          that the load on NTP servers induced by Khronos is something
          that we have extensively analyzed, both theoretically and
          empirically. Please see
        https://www.michaelschapira.com/_files/ugd/3b1e1e_278d283d14bf4dc994128eb4be88484a.pdf
        for a detailed analysis. In fact, respecting today's load
        distribution is one of the requirements (see VI.A. therein).
        Importantly, *our analysis already takes into account the
        weighting of servers, as mentioned by Miroslav, and does not
        assume equal distribution of load* (VI.B+C). Recall that most
        NTP queries in our solution are made in NTPv4 mode, and so, of
        course, adhere to the weight distribution, whereas Khronos
        (watchdog) queries are more rare (see detailed analysis in the
        publication).
        

        I want to highlight the following conclusions from the
          analysis:
        
          
            So long as panic mode isn't triggered, the overhead is
              negligible. In fact, even querying servers by Khronos 100x
              less frequently than NTPv4 yields substantial security
              benefits (VI.F.). If the attacker does not have
              man-in-the-middle (MitM) capabilities with respect to the
              communications between a Khronos client and a large
              fraction of the NTP servers in Khronos' pool (say 1/4),
              the probability of triggering a panic mode for that client
              even *a single time* is effectively non-existent (see
              analysis in https://www.cs.huji.ac.il/w~neta/ndss18-final231.pdf. 

              
            We are left with the case of an attacker with MitM
              capabilities with respect to the communication between
              *each and every* client in *a large group of clients*
              (otherwise the load is not high) and *a large fraction* of
              all NTP servers in the Khronos pool. Even in this extreme
              scenario, the load can be kept low. This is because panic
              mode triggers are separated by multiple (the configurable
              parameter k in Khronos), infrequent, "regular" querying
              rounds. So, the attacker would not only have to maintain
              the attack for a very long time, but would also have
              limited impact (if k is set to be sufficiently high). We
              will clarify this point in the draft.

            
            (As a side note, if an attacker is, in fact, capable of
              surpassing the very high bar presented in the previous
              bullet, that means that either the attacker is physically
              present a large ISP's egress point(s), or is launching an
              elaborate attack like BGP hijacking of multiple IP
              addresses. If an attacker is that powerful there are
              bigger concerns (and attack strategies for the attacker)
              than overloading the NTP pool :).
            

            I hope this clarifies some of the technical aspects.
            

            Best,
            Michael
          
        
        On Tue, Jul 11, 2023 at
          3:13 PM Miroslav Lichvar <mlichvar@xxxxxxxxxx>
          wrote:

        
        On
          Tue, Jul 11, 2023 at 12:21:44PM +0300, Tal Mizrahi wrote:

          > Specifically, this concern about Khronos is addressed in
          the current

          > version of the draft (as you indeed noted):

          >    While Khronos

          >    queries around 3 times more servers per polling
          interval than NTP,

          >    Khronos's polling interval can be longer (e.g., 10
          times longer) than

          >    NTPv4, thereby, minimizing the load on NTP servers and
          the

          >    communication overhead.  Moreover, Khronos's random
          server selection

          >    may even help to distribute queries across the whole
          pool.

          
          The last sentence in the quoted paragraph actually points out
          another

          problem. The servers in pool.ntp.org
          are not supposed to share the NTP

          traffic equally. The owners set a connection speed for each
          NTP server

          according to their traffic and CPU limits. It sets a weight of
          the

          address on the DNS server. There is a 1:2000 ratio between the
          slowest

          and fastest servers.

          
          If a significant portion of the clients implement Khronos as
          currently

          specified, it will effectively equalize the weights and
          increase

          traffic to slower servers, which might force their owners to
          remove

          them from the pool and decrease its global capacity.

          
          -- 

          Miroslav Lichvar

          
      _______________________________________________
ntp mailing list
ntp@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ntp

    
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call