idnits 2.17.1 draft-mayer-ntp-mac-extension-field-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC5905, but the abstract doesn't seem to directly say this. It does mention RFC5905 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: A MAC SHOULD not be present if there is a crypto-NAK present in the packet. (Using the creation date from RFC5905, updated by this document, for RFC5378 checks: 2005-07-11) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 14, 2016) is 2965 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC7384' is mentioned on line 204, but not defined == Unused Reference: 'RFC5906' is defined on line 245, but no explicit reference was found in the text Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 NTP Working Group D. Mayer 2 Internet Draft Network Time Foundation 3 Intended status: Standards Track H. Stenn 4 Updates: 5905 Network Time Foundation 5 Expires: September 2016 March 14, 2016 7 The Network Time Protocol Version 4 (NTPv4) MAC Extension Field 8 draft-mayer-ntp-mac-extension-field-00.txt 10 Abstract 12 The Network Time Protocol Version 4 (NTPv4) defines in RFC5905 the 13 optional usage of Message Authentication Code (MAC). The MAC is an 14 optional component of the NTP packet at the end of the packet. There 15 can only be one MAC segment in the packet but there is no way of 16 knowing if the last data segment at the end of an NTP packet is a MAC 17 or an extension field, which is also defined in RFC5905. This draft 18 defines a MAC extension field which will allow the existing MAC 19 segment to be moved into an extension field and have a known length 20 and deprecates the existing MAC. 22 Status of this Memo 24 This Internet-Draft is submitted to IETF in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt. 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html. 43 This Internet-Draft will expire on September 14, 2016. 45 Copyright Notice 47 Copyright (c) 2016 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction...................................................2 63 2. Conventions Used in this Document..............................3 64 2.1. Terminology...............................................3 65 2.2. Terms & Abbreviations.....................................3 66 3. MAC Extension Field............................................3 67 4. Security Considerations........................................5 68 5. IANA Considerations............................................5 69 6. Acknowledgments................................................6 70 7. References.....................................................6 71 7.1. Normative References......................................6 72 7.2. Informative References....................................6 74 1. Introduction 76 The NTP packet format consists of a set of fixed fields that may be 77 followed by some optional fields. Two types of optional fields are 78 currently defined, a Message Authentication Code (MAC), and extension 79 fields, as defined in Section 7.5 of [RFC5905]. 81 If a MAC is used it resides at the end of the packet. This field has 82 a length which depends on the digest algorithm being used. While 83 extension fields have a known length specified in the extension field 84 header, there is no simple way to unequivocally know if the final 85 extra data segment in an NTP packet is a MAC or if it is an extension 86 field. There is also no currently implemented way to pad the length 87 of a MAC to make it difficult to determine the digest algorithm being 88 used. 90 This document creates a MAC extension field to remove this ambiguity, 91 clearly defining a MAC in an extension field with known size, and 92 allows us the possibility of deprecating the MAC as described in 93 [RFC5905]. The content of the MAC extension field is almost identical 94 to the existing MAC field but with a size specified in the extension 95 field and the ability to have multiple MAC's within the extension 96 field for different digest algorithms. We note that the only current 97 potential use for multiple MAC algorithms would be for certain 98 broadcast scenarios. By deprecating the original MAC field all parts 99 of the NTP packet will have well-specified lengths. 101 2. Conventions Used in this Document 103 2.1. Terminology 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 107 document are to be interpreted as described in [KEYWORDS]. 109 2.2. Terms & Abbreviations 111 NTPv4 Network Time Protocol Version 4 [RFC5905] 113 MAC Message Authentication Code 115 Legacy MAC MAC as defined in RFC5095 117 3. MAC Extension Field 119 The MAC extension field is designed to allow one or more MAC digests 120 to be present within the MAC extension field. The MAC extension field 121 contains the unsigned number of MACs present followed by the unsigned 122 size of each MAC. The number of MACs listed in the MAC COUNT in this 123 extension field MUST be greater than zero. The MAC extension field 124 SHOULD be the last extension field in the packet and a legacy MAC at 125 the end of the packet is OPTIONAL. The extension field MAC supplants 126 the use of a legacy MAC. All new extension fields that require a MAC 127 SHOULD use this MAC extension field, if the recipient implements the 128 MAC extension field. The MACs present in the extension field should 129 perform the digest on all parts of the packet up to but not including 130 the MAC extension field. A legacy MAC MAY be present at the end of 131 the extension fields provided it covers all extension fields 132 including the MAC extension field and is present only for reasons of 133 interoperability with servers that do not understand the new MAC 134 extension field but require a MAC for authentication of the packet. 135 The layout of the data in a MAC extension field is as follows: 137 0 1 2 3 138 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 139 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 140 | Field Type | Field Length | 141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 142 | MAC Count | MAC 1 Length | 143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 | MAC 2 Length | MAC 3 Length | 145 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 146 . MAC 1 Key ID . 147 . +-+-+-+-+-+-+-+-+-+-+-+-. 148 . MAC 1 Key Data | Random Data Padding . 149 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 150 . MAC 2 Key ID . 151 . +-+-+-+-+-+-+-+-+-+-+-+-+-. 152 . MAC 2 Key Data | Random Data Padding . 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 . MAC 3 Key ID . 155 . +-+-+-+-+-+-+-+-+-+-. 156 . MAC 3 Key Data |Random Data Padding. 157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 158 | Padding (as needed) | 159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 160 Figure 1: MAC Extension Field Format 162 A Field Type of 0 and a Length of 0 means this extension field is a 163 CRYPTO-NAK, as defined by RFC5905. Otherwise, a Field Type value of 164 TBD identifies this extension field as a MAC Extension field. The MAC 165 Count is an unsigned 16-bit field, as is each MAC length field. If 166 there are an even number of MACs specified there is an unused 16-bit 167 field which SHOULD be 0x0000 at the end of the set of MAC length 168 values so that the subsequent MAC data is longword (4-octet) aligned. 169 Each MAC SHALL be padded so that any subsequent MAC starts on a 4- 170 octet boundary. 172 A MAC SHOULD not be present if there is a crypto-NAK present in the 173 packet. 175 Each MAC within the extension field consists of a 32-bit key 176 identifier which SHOULD be unique to the set of key identifiers in 177 this MAC extension field followed by ((MAC Length) - 4) octets of 178 data, optionally followed by random octets to pad the key data to the 179 length specified earlier in the extension field. That key identifier 180 is a shared secret which defines the algorithm to be used and a 181 cookie or secret to be used in generating the digest. The MAC digest 182 is produced by hashing the data from the beginning of the NTP packet 183 up to but not including the start of the MAC extension field. The 184 calculation of the digest SHOULD be a hash of this data concatenated 185 with the 32-bit keyid (in network-order), and the key. When sending 186 or receiving a key identifier each side needs to agree on the key 187 identifier, algorithm and cookie to be used to produce the digest 188 along with the digest lengths. Note that the sender may send more 189 bytes than are required by the digest algorithm. This would be done 190 to make it more difficult for a casual observer to identify the 191 algorithm being used based on the length of the data. The digest 192 data begins immediately after the key ID, and any padding octets 193 SHOULD be random. 195 MAC values should be processed until either one of the MACs is 196 validated, in which case the entire packet up to the beginning of the 197 MAC extension field is considered to be validated, or no more MAC 198 values are left to be validated, in which case the NTP packet is 199 considered to have failed MAC validation. 201 4. Security Considerations 203 The security considerations of time protocols in general are 204 discussed in [RFC7384], and the security considerations of NTP are 205 discussed in [RFC5905]. 207 Digests MD5, DES and SHA-1 are considered compromised and should not 208 be used [COMP]. 210 If possible each MAC length should be at least 68 octets long to 211 allow for 4 octets of key ID and at least 64 octets of digest and 212 random padding. This means that for SHA-256 digests there are 4 213 octets of key ID, 32 bytes digest and 32 random octets of padding. 214 Using larger minimum MAC lengths makes it difficult for an attacker 215 to know which digest algorithms are used. 217 5. IANA Considerations 219 IANA is requested to allocate the NTP extension Field Type value of 220 0x0000 for CRYPTO-NAK. 222 IANA is requested to allocate an NTP extension Field Type value for 223 the MAC extension. We recommend 0x3003. 225 6. Acknowledgments 227 The authors gratefully acknowledge Dave Mills for his insightful 228 comments. 230 This document was prepared using 2-Word-v2.0.template.dot. 232 7. References 234 7.1. Normative References 236 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 237 Requirement Levels", BCP 14, RFC 2119, March 1997. 239 [RFC5905] Mills, D., Martin, J., Burbank, J., Kasch, W., 240 "Network Time Protocol Version 4: Protocol and 241 Algorithms Specification", RFC 5905, June 2010. 243 7.2. Informative References 245 [RFC5906] Haberman, B., Mills, D., "Network Time Protocol 246 Version 4: Autokey Specification", RFC 5906, June 247 2010. 249 [COMP] TBF 251 Authors' Addresses 253 Danny Mayer 254 Network Time Foundation 255 PO Box 918 256 Talent OR 97540 258 Email: mayer@ntp.org 260 Harlan Stenn 261 Network Time Foundation 262 PO Box 918 263 Talent OR 97540 265 Email: stenn@nwtime.org