idnits 2.17.1 draft-stenn-ntp-mac-last-ef-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC5905], [RFC1305]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Using lowercase 'not' together with uppercase 'MUST', 'SHALL', 'SHOULD', or 'RECOMMENDED' is not an accepted usage according to RFC 2119. Please use uppercase 'NOT' together with RFC 2119 keywords (if that is what you mean). Found 'SHOULD not' in this paragraph: A MAC SHOULD not be present if there is a crypto-NAK present in the packet. -- The document date (October 29, 2016) is 2729 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'COMP' is mentioned on line 237, but not defined ** Obsolete normative reference: RFC 1305 (Obsoleted by RFC 5905) ** Downref: Normative reference to an Informational RFC: RFC 7384 Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Stenn 3 Internet-Draft D. Mayer 4 Intended status: Standards Track Network Time Foundation 5 Expires: May 2, 2017 October 29, 2016 7 Network Time Protocol MAC/Last Extension Fields 8 draft-stenn-ntp-mac-last-ef-00 10 Abstract 12 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 13 of the NTP Protocol have supported symmetric private key Message 14 Authentication Code (MAC) authentication. MACs were first described 15 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 16 5905 [RFC5905]. As the number of Extension Fields grows there is an 17 increasing chance of a parsing ambiguity when deciding if the "next" 18 set of data is an Extension Field or a legacy MAC. This proposal 19 defines two new Extension Fields to avoid this ambiguity. One is 20 used to signifiy that it is the last Extension Field in the packet. 21 If present, any subsequent data MUST be considered to be a legacy 22 MAC. The other allows one or more MACs to be encapsulated in an 23 Extension Field. If all parties in an association support MAC-EF, 24 the use of a legacy MAC may be avoided. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at http://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on May 2, 2017. 43 Copyright Notice 45 Copyright (c) 2016 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (http://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 62 2. The Last Extension Field Extension Field . . . . . . . . . . 3 63 3. MAC Extension Field . . . . . . . . . . . . . . . . . . . . . 4 64 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 65 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 66 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 67 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 70 1. Introduction 72 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 73 of the NTP Protocol have supported symmetric private key Message 74 Authentication Code (MAC) authentication. MACs were first described 75 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 76 5905 [RFC5905]. As the number of Extension Fields grows there is an 77 increasing chance of a parsing ambiguity when deciding if the "next" 78 set of data is an Extension Field or a legacy MAC. This proposal 79 defines two new Extension Fields to avoid this ambiguity. One is 80 used to signifiy that it is the last Extension Field in the packet. 81 If present, any subsequent data MUST be considered to be a legacy 82 MAC. The other allows one or more MACs to be encapsulated in an 83 Extension Field. If all parties in an association support MAC-EF, 84 the use of a legacy MAC may be avoided. 86 1.1. Requirements Language 88 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 89 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 90 document are to be interpreted as described in RFC 2119 [RFC2119]. 92 2. The Last Extension Field Extension Field 94 Now that multiple extension fields are a possibility, additional 95 packet data could be either an Extension Field or a legacy MAC. 96 Having a means to indicate that there are no more Extension Fields in 97 an NTP packet and any subsequent data MUST be something else, almost 98 certainly a legacy MAC, is a valuable facility. 100 0 1 2 3 101 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 102 +---------------+---------------+-------------------------------+ 103 | Field Type | Field Length | 104 +-------------------------------+-------------------------------+ 106 NTP Extension Field: Last Extension Field 108 Field Type: TBD (Recommendation for IANA: 0x2008 (Last Extension 109 Field, MAC OPTIONAL)) 111 Field Length: 4 113 Payload: None. 115 Example: 117 0 1 2 3 118 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 119 +---------------+---------------+-------------------------------+ 120 | Field Type (0x2008) | Field Length (0x0004) | 121 +-------------------------------+-------------------------------+ 122 | MAC Key ID | 123 +-------------------------------+-------------------------------+ 124 | Sixteen | 125 +-------------------------------+-------------------------------+ 126 | Octets | 127 +-------------------------------+-------------------------------+ 128 | of | 129 +-------------------------------+-------------------------------+ 130 | MAC | 131 +-------------------------------+-------------------------------+ 133 Example: NTP Extension Field: Last Extension Field, followed by a 134 Legacy MAC 136 3. MAC Extension Field 138 Now that multiple extension fields are a possibility, there is a 139 chance that additional packet data could be either an Extension Field 140 or a legacy MAC. There is benefit to encapsulating the MAC in an 141 extension field. By encapsulating the MAC in an EF, we also have the 142 option to include multiple MACs in a packet, which may be of use in 143 broadcast scenarios, for example. 145 0 1 2 3 146 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 147 +---------------+---------------+-------------------------------+ 148 | Field Type | Field Length | 149 +-------------------------------+-------------------------------+ 150 | MAC Count | MAC 1 Length | 151 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 152 | MAC 2 Length | MAC 3 Length | 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 . MAC 1 Key ID . 155 . +-+-+-+-+-+-+-+-+-+-+-+-. 156 . MAC 1 Key Data | Random Data Padding . 157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 158 . MAC 2 Key ID . 159 . +-+-+-+-+-+-+-+-+-+-+-+-+-. 160 . MAC 2 Key Data | Random Data Padding . 161 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 162 . MAC 3 Key ID . 163 . +-+-+-+-+-+-+-+-+-+-. 164 . MAC 3 Key Data |Random Data Padding. 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 | Padding (as needed) | 167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 169 NTP Extension Field: MAC EF Format 171 Field Type: TBD (Recommendation for IANA: 0x1003 (MAC-EF, MAC 172 INCLUDED), 0x3003 (MAC-EF, MAC OPTIONAL, MAC INCLUDED)) 174 Field Length: As needed 176 Payload: As described. 178 A Field Type of 0 and a Length of 0 means this extension field is a 179 CRYPTO-NAK, as defined by RFC5905. Otherwise, a Field Type value of 180 TBD (0x1003 is suggested) identifies this extension field as a MAC 181 Extension field. The MAC Count is an unsigned 16-bit field, as is 182 each MAC length field. If there are an even number of MACs specified 183 there is an unused 16-bit field which SHOULD be 0x0000 at the end of 184 the set of MAC length values so that the subsequent MAC data is 185 longword (4-octet) aligned. Each MAC SHALL be padded so that any 186 subsequent MAC starts on a 4-octet boundary. 188 A MAC SHOULD not be present if there is a crypto-NAK present in the 189 packet. 191 Each MAC within the extension field consists of a 32-bit key 192 identifier which SHOULD be unique to the set of key identifiers in 193 this MAC extension field followed by ((MAC Length) - 4) octets of 194 data, optionally followed by random octets to pad the key data to the 195 length specified earlier in the extension field. That key identifier 196 is a shared secret which defines the algorithm to be used and a 197 cookie or secret to be used in generating the digest. The MAC digest 198 is produced by hashing the data from the beginning of the NTP packet 199 up to but not including the start of the MAC extension field. The 200 calculation of the digest SHOULD be a hash of this data concatenated 201 with the 32-bit keyid (in network-order), and the key. When sending 202 or receiving a key identifier each side needs to agree on the key 203 identifier, algorithm and the cookie or secret used to produce the 204 digest along with the digest lengths. Note that the sender may send 205 more bytes than are required by the digest algorithm. This would be 206 done to make it more difficult for a casual observer to identify the 207 algorithm being used based on the length of the data. The digest 208 data begins immediately after the key ID, and any padding octets 209 SHOULD be random. 211 4. Acknowledgements 213 MAC-EF: The authors gratefully acknowledge Dave Mills for his 214 insightful comments. 216 5. IANA Considerations 218 This memo requests IANA to allocate NTP Extension Field Types: 220 0x0000 CRYPTO-NAK 222 0x1003 MAC-EF, MAC INCLUDED 224 0x3003 MAC-EF, MAC OPTIONAL, MAC INCLUDED 226 0x0008 LAST-EF 228 0x2008 LAST-EF, MAC OPTIONAL 230 6. Security Considerations 232 The security considerations of time protocols in general are 233 discussed in RFC7384 [RFC7384], and the security considerations of 234 NTP are discussed in [RFC5905]. 236 Digests MD5, DES and SHA-1 are considered compromised and should not 237 be used [COMP]. 239 If possible each MAC length should be at least 68 octets long to 240 allow for 4 octets of key ID and at least 64 octets of digest and 241 random padding. This means that for SHA-256 digests there are 4 242 octets of key ID, 32 bytes digest and 32 random octets of padding. 243 Using larger minimum MAC lengths makes it difficult for an attacker 244 to know which digest algorithms are used. 246 7. Normative References 248 [RFC1305] Mills, D., "Network Time Protocol (Version 3) 249 Specification, Implementation and Analysis", RFC 1305, 250 DOI 10.17487/RFC1305, March 1992, 251 . 253 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 254 Requirement Levels", BCP 14, RFC 2119, 255 DOI 10.17487/RFC2119, March 1997, 256 . 258 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 259 "Network Time Protocol Version 4: Protocol and Algorithms 260 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 261 . 263 [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in 264 Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, 265 October 2014, . 267 Authors' Addresses 269 Harlan Stenn 270 Network Time Foundation 271 P.O. Box 918 272 Talent, OR 97540 273 US 275 Email: stenn@nwtime.org 276 Danny Mayer 277 Network Time Foundation 278 P.O. Box 918 279 Talent, OR 97540 280 US 282 Email: mayer@ntp.org