| < draft-dfranke-ntp-data-minimization-01.txt | draft-dfranke-ntp-data-minimization-02.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Franke | Network Working Group D. Franke | |||
| Internet-Draft Akamai | Internet-Draft Akamai | |||
| Updates: 5905 (if approved) A. Malhotra | Updates: 5905 (if approved) A. Malhotra | |||
| Intended status: Standards Track Boston University | Intended status: Standards Track Boston University | |||
| Expires: May 2, 2017 October 29, 2016 | Expires: September 28, 2017 March 27, 2017 | |||
| NTP Client Data Minimization | NTP Client Data Minimization | |||
| draft-dfranke-ntp-data-minimization-01 | draft-dfranke-ntp-data-minimization-02 | |||
| Abstract | Abstract | |||
| This memo proposes backward-compatible updates to the Network Time | This memo proposes backward-compatible updates to the Network Time | |||
| Protocol to strip unnecessary identifying information from client | Protocol to strip unnecessary identifying information from client | |||
| requests and to improve resilience against blind spoofing of | requests and to improve resilience against blind spoofing of | |||
| unauthenticated server responses. | unauthenticated server responses. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 2, 2017. | This Internet-Draft will expire on September 28, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Client Packet Format . . . . . . . . . . . . . . . . . . . . 2 | 3. Client Packet Format . . . . . . . . . . . . . . . . . . . . 2 | |||
| 4. Security and Privacy Considerations . . . . . . . . . . . . . 3 | 4. Security and Privacy Considerations . . . . . . . . . . . . . 3 | |||
| 4.1. Data Minimization . . . . . . . . . . . . . . . . . . . . 3 | 4.1. Data Minimization . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.2. Transmit Timestamp Randomization . . . . . . . . . . . . 3 | 4.2. Transmit Timestamp Randomization . . . . . . . . . . . . 4 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 4 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 4 | 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 5 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1. Introduction | 1. Introduction | |||
| Network Time Protocol (NTP) packets, as specified by RFC 5905 | Network Time Protocol (NTP) packets, as specified by RFC 5905 | |||
| [RFC5905], carry a great deal of information about the state of the | [RFC5905], carry a great deal of information about the state of the | |||
| NTP daemon which transmitted them. In the case of mode 4 packets | NTP daemon which transmitted them. In the case of mode 4 packets | |||
| (responses sent from server to client), as well as in broadcast (mode | (responses sent from server to client), as well as in broadcast (mode | |||
| 5) and symmetric peering modes (mode 1/2), most of this information | 5) and symmetric peering modes (mode 1/2), most of this information | |||
| skipping to change at page 3, line 6 ¶ | skipping to change at page 3, line 6 ¶ | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 3. Client Packet Format | 3. Client Packet Format | |||
| In every client-mode packet sent by a Network Time Protocol [RFC5905] | In every client-mode packet sent by a Network Time Protocol [RFC5905] | |||
| implementation: | implementation: | |||
| The first octet, which contains the leap indicator, version | The first octet, which contains the leap indicator, version | |||
| number, and mode fields, SHALL be set to 0x23 (LI = 0, VN = 4, | number, and mode fields, SHOULD be set to 0x23 (LI = 0, VN = 4, | |||
| Mode = 3). | Mode = 3). | |||
| The Transmit Timestamp field SHALL be set uniformly at random, | The Transmit Timestamp field SHOULD be set uniformly at random, | |||
| generated by a mechanism suitable for cryptographic purposes. | generated by a mechanism suitable for cryptographic purposes. | |||
| [RFC4086] provides guidance on the generation of random values. | [RFC4086] provides guidance on the generation of random values. | |||
| The Poll field MAY be set to the actual polling interval as | The Poll field MAY be set to the actual polling interval as | |||
| specified by RFC 5905, or else MAY be set to zero. | specified by RFC 5905, or else MAY be set to zero. | |||
| All other header fields, specifically the Stratum, Precision, Root | All other header fields, specifically the Stratum, Precision, Root | |||
| Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin | Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin | |||
| Timestamp, and Receive Timestamp, SHALL be set to zero. | Timestamp, and Receive Timestamp, SHOULD be set to zero. | |||
| Servers MUST allow client packets to conform to the above | ||||
| recommendations. This requirement shall not be construed so as to | ||||
| prohibit servers from rejecting conforming packets for unrelated | ||||
| reasons, such as access control or rate limiting. | ||||
| 4. Security and Privacy Considerations | 4. Security and Privacy Considerations | |||
| 4.1. Data Minimization | 4.1. Data Minimization | |||
| Zeroing out unused fields in client requests prevents disclosure of | Zeroing out unused fields in client requests prevents disclosure of | |||
| information that can be used for fingerprinting [RFC6973]. | information that can be used for fingerprinting [RFC6973]. | |||
| While populating any of these fields with authentic data reveals at | While populating any of these fields with authentic data reveals at | |||
| least some identifying information about the client, the Origin | least some identifying information about the client, the Origin | |||
| skipping to change at page 3, line 40 ¶ | skipping to change at page 3, line 45 ¶ | |||
| severe information leak. RFC 5905 calls for clients to copy the | severe information leak. RFC 5905 calls for clients to copy the | |||
| transmit timestamp and destination timestamp of the server's most | transmit timestamp and destination timestamp of the server's most | |||
| recent response into the origin timestamp and receive timestamp | recent response into the origin timestamp and receive timestamp | |||
| (respectively) of their next request to that server. Therefore, when | (respectively) of their next request to that server. Therefore, when | |||
| a client moves between networks, a passive observer of both network | a client moves between networks, a passive observer of both network | |||
| paths can determine with high confidence that the old and new IP | paths can determine with high confidence that the old and new IP | |||
| addresses belong to the same system by noticing that the transmit | addresses belong to the same system by noticing that the transmit | |||
| timestamp of a response sent to the old IP matches the origin | timestamp of a response sent to the old IP matches the origin | |||
| timestamp of a request sent from the new one. | timestamp of a request sent from the new one. | |||
| Zeroing the poll field is made optional because this field conveys no | Zeroing the poll field is made optional (MAY rather than SHOULD) so | |||
| information that an observer could not otherwise obtain simply by | as not to preclude future development of schemes wherein the server | |||
| observing the actual interval between requests. Since in the NTP | uses information about the client's current poll interval in order to | |||
| reference implementation servers copy the poll field from the | recommend adjustments back to the client. Putting accurate | |||
| client's request into their response, if clients rely on the value of | information into this field has no significant impact on privacy | |||
| the poll field in the response then zeroing the poll field of the | since an observer can already obtain this information simply by | |||
| request may result in adverse behavior. | observing the actual interval between requests. | |||
| 4.2. Transmit Timestamp Randomization | 4.2. Transmit Timestamp Randomization | |||
| While this memo calls for most fields in client packets to be set to | While this memo calls for most fields in client packets to be set to | |||
| zero, the transmit timestamp is randomized. This decision is | zero, the transmit timestamp is randomized. This decision is | |||
| motivated by security as well as privacy. | motivated by security as well as privacy. | |||
| NTP servers copy the transmit timestamp from the client's request | NTP servers copy the transmit timestamp from the client's request | |||
| into the origin timestamp of the response; this memo calls for no | into the origin timestamp of the response; this memo calls for no | |||
| change in this behavior. Clients discard any response whose origin | change in this behavior. Clients discard any response whose origin | |||
| End of changes. 10 change blocks. | ||||
| 16 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||