idnits 2.17.1 draft-stenn-ntp-mac-last-ef-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC5905], [RFC1305]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 21, 2018) is 2256 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'COMP' is mentioned on line 236, but not defined == Missing Reference: 'DISCUSS' is mentioned on line 238, but not defined ** Obsolete normative reference: RFC 1305 (Obsoleted by RFC 5905) ** Downref: Normative reference to an Informational RFC: RFC 7384 Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Stenn 3 Internet-Draft D. Mayer 4 Intended status: Standards Track Network Time Foundation 5 Expires: August 25, 2018 February 21, 2018 7 Network Time Protocol MAC/Last Extension Fields 8 draft-stenn-ntp-mac-last-ef-02 10 Abstract 12 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 13 of the NTP Protocol have supported symmetric private key Message 14 Authentication Code (MAC) authentication. MACs were first described 15 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 16 5905 [RFC5905]. As the number of Extension Fields grows there is an 17 increasing chance of a parsing ambiguity when deciding if the "next" 18 set of data is an Extension Field or a legacy MAC. This proposal 19 defines two new Extension Fields which may be used to avoid this 20 ambiguity. One, LAST-EF, is used to signify that it is the last 21 Extension Field in the packet. If the LAST-EF is present, any 22 subsequent data MUST be considered to be a legacy MAC. The other, 23 MAC-EF, allows one or more MACs to be encapsulated in an Extension 24 Field. If all parties in an association support MAC-EF, the use of a 25 legacy MAC may be avoided. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at https://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on August 25, 2018. 44 Copyright Notice 46 Copyright (c) 2018 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (https://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 62 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 63 2. The Last Extension Field Extension Field - LAST-EF . . . . . 3 64 3. MAC Extension Field . . . . . . . . . . . . . . . . . . . . . 4 65 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 66 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 67 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 68 7. Normative References . . . . . . . . . . . . . . . . . . . . 6 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 71 1. Introduction 73 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 74 of the NTP Protocol have supported symmetric private key Message 75 Authentication Code (MAC) authentication. MACs were first described 76 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 77 5905 [RFC5905]. As the number of Extension Fields grows there is an 78 increasing chance of a parsing ambiguity when deciding if the "next" 79 set of data is an Extension Field or a legacy MAC. This proposal 80 defines two new Extension Fields which may be used to avoid this 81 ambiguity. One, LAST-EF, is used to signify that it is the last 82 Extension Field in the packet. If the LAST-EF is present, any 83 subsequent data MUST be considered to be a legacy MAC, or if you 84 prefer, any subsequent data MUST NOT be considered to be an EF. The 85 other, MAC-EF, allows one or more MACs to be encapsulated in an 86 Extension Field. If all parties in an association support MAC-EF, 87 the use of a legacy MAC may be avoided. 89 1.1. Requirements Language 91 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 92 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 93 document are to be interpreted as described in RFC 2119 [RFC2119]. 95 2. The Last Extension Field Extension Field - LAST-EF 97 Now that multiple extension fields are a possibility, additional 98 packet data could be either an Extension Field or a legacy MAC. 99 Having a means to indicate that there are no more Extension Fields in 100 an NTP packet and any subsequent data MUST be something else, almost 101 certainly a legacy MAC, is a valuable facility. 103 0 1 2 3 104 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 105 +---------------+---------------+-------------------------------+ 106 | Field Type | Field Length | 107 +-------------------------------+-------------------------------+ 109 NTP Extension Field: Last Extension Field - LAST-EF 111 Field Type: TBD (Recommendation for IANA: 0x0008 (Last Extension 112 Field)) 114 Field Length: 4 116 Payload: None. 118 Example: 120 0 1 2 3 121 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 122 +---------------+---------------+-------------------------------+ 123 | Field Type (0x0008) | Field Length (0x0004) | 124 +-------------------------------+-------------------------------+ 125 | MAC Key ID | 126 +-------------------------------+-------------------------------+ 127 | Sixteen | 128 +-------------------------------+-------------------------------+ 129 | Octets | 130 +-------------------------------+-------------------------------+ 131 | of | 132 +-------------------------------+-------------------------------+ 133 | MAC | 134 +-------------------------------+-------------------------------+ 136 Example: NTP Extension Field: Last Extension Field, followed by a 137 Legacy MAC 139 3. MAC Extension Field 141 Now that multiple extension fields are a possibility, there is a 142 chance that additional packet data could be either an Extension Field 143 or a legacy MAC. There is benefit to encapsulating the MAC (or some 144 other type of authenticator) in an extension field. By encapsulating 145 the authenticator in an EF, we also have the option to include 146 multiple MACs (or similar authenticators) in a packet, which may be 147 of use in broadcast scenarios, for example. 149 0 1 2 3 150 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 151 +---------------+---------------+-------------------------------+ 152 | Field Type | Field Length | 153 +-------------------------------+-------------------------------+ 154 | MAC Count | MAC 1 Length | 155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 156 | MAC 2 Length | MAC 3 Length | 157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 158 . MAC 1 Key ID . 159 . +-+-+-+-+-+-+-+-+-+-+-+-. 160 . MAC 1 Key Data | Random Data Padding . 161 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 162 . MAC 2 Key ID . 163 . +-+-+-+-+-+-+-+-+-+-+-+-+-. 164 . MAC 2 Key Data | Random Data Padding . 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 . MAC 3 Key ID . 167 . +-+-+-+-+-+-+-+-+-+-. 168 . MAC 3 Key Data |Random Data Padding. 169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 170 | Padding (as needed) | 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 173 NTP Extension Field: MAC EF Format 175 Field Type: TBD (Recommendation for IANA: 0x0003 (MAC-EF)) 177 Field Length: As needed. 179 Payload: As described. 181 A Field Type of 0 and a Length of 0 means this extension field is a 182 crypto-NAK, as defined by RFC5905 [RFC5905]. Otherwise, a Field Type 183 value of TBD (0x0003 is suggested) identifies this extension field as 184 a MAC Extension field. The MAC Count is an unsigned 16-bit field, as 185 is each MAC length field. If there are an even number of MACs 186 specified there is an unused 16-bit field which SHOULD be 0x0000 at 187 the end of the set of MAC length values so that the subsequent MAC 188 data is longword (4-octet) aligned. Each MAC SHALL be padded so that 189 any subsequent MAC starts on a 4-octet boundary. 191 A MAC SHOULD NOT be present if there is a crypto-NAK present in the 192 packet. 194 Each MAC within the extension field consists of a 32-bit key 195 identifier which SHOULD be unique to the set of key identifiers in 196 this MAC extension field followed by ((MAC Length) - 4) octets of 197 data, optionally followed by random octets to pad the key data to the 198 length specified earlier in the extension field. That key identifier 199 is a shared secret which defines the algorithm to be used and a 200 cookie or secret to be used in generating the digest. The MAC digest 201 is produced by hashing the data from the beginning of the NTP packet 202 up to but not including the start of the MAC extension field. The 203 calculation of the digest SHOULD be a hash of this data concatenated 204 with the 32-bit keyid (in network-order), and the key. When sending 205 or receiving a key identifier each side needs to agree on the key 206 identifier, algorithm and the cookie or secret used to produce the 207 digest along with the digest lengths. Note that the sender may send 208 more bytes than are required by the digest algorithm. This would be 209 done to make it more difficult for a casual observer to identify the 210 algorithm being used based on the length of the data. The digest 211 data begins immediately after the key ID, and any padding octets 212 SHOULD be random. 214 4. Acknowledgements 216 MAC-EF: The authors gratefully acknowledge Dave Mills for his 217 insightful comments. 219 5. IANA Considerations 221 This memo requests IANA to allocate NTP Extension Field Types: 223 0x0000 crypto-NAK 225 0x0003 MAC-EF 227 0x0008 LAST-EF 229 6. Security Considerations 231 The security considerations of time protocols in general are 232 discussed in RFC7384 [RFC7384], and the security considerations of 233 NTP are discussed in RFC5905 [RFC5905]. 235 Digests MD5, DES and SHA-1 are considered compromised and should not 236 be used [COMP]. 238 [DISCUSS] Each MAC length should be at least 20 octets long to allow 239 for 4 octets of key ID and at least 16 octets of digest and random 240 padding. For a 128-bit digest, there would be 4 octets of key ID, 16 241 octets of digest, plus any desired octets of random padding. For 242 SHA-256 digests there are 4 octets of key ID, 32 octets digest, plus 243 any desired octets of random padding. Using MAC lengths that include 244 random padding may make it more difficult for an attacker to know 245 which digest algorithms are used. 247 7. Normative References 249 [RFC1305] Mills, D., "Network Time Protocol (Version 3) 250 Specification, Implementation and Analysis", RFC 1305, 251 DOI 10.17487/RFC1305, March 1992, 252 . 254 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 255 Requirement Levels", BCP 14, RFC 2119, 256 DOI 10.17487/RFC2119, March 1997, 257 . 259 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 260 "Network Time Protocol Version 4: Protocol and Algorithms 261 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 262 . 264 [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in 265 Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, 266 October 2014, . 268 Authors' Addresses 270 Harlan Stenn 271 Network Time Foundation 272 P.O. Box 918 273 Talent, OR 97540 274 US 276 Email: stenn@nwtime.org 277 Danny Mayer 278 Network Time Foundation 279 P.O. Box 918 280 Talent, OR 97540 281 US 283 Email: mayer@ntp.org