idnits 2.17.1 draft-stenn-ntp-mac-last-ef-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC5905], [RFC1305]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 2, 2018) is 2026 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'COMP' is mentioned on line 266, but not defined == Missing Reference: 'DISCUSS' is mentioned on line 268, but not defined ** Obsolete normative reference: RFC 1305 (Obsoleted by RFC 5905) ** Downref: Normative reference to an Informational RFC: RFC 7384 Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force H. Stenn 3 Internet-Draft D. Mayer 4 Intended status: Standards Track Network Time Foundation 5 Expires: April 5, 2019 October 2, 2018 7 Network Time Protocol MAC/Last Extension Fields 8 draft-stenn-ntp-mac-last-ef-03 10 Abstract 12 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 13 of the NTP Protocol have supported symmetric private key Message 14 Authentication Code (MAC) authentication. MACs were first described 15 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 16 5905 [RFC5905]. As the number of Extension Fields grows there is an 17 increasing chance of a parsing ambiguity when deciding if the "next" 18 set of data is an Extension Field or a legacy MAC. This proposal 19 defines two new Extension Fields to avoid this ambiguity. One, LAST- 20 EF, is used to signify that it is the last Extension Field in the 21 packet. If the LAST-EF is present, any subsequent data MUST be 22 considered to be a legacy MAC. The other, MAC-EF, allows one or more 23 MACs to be encapsulated in an Extension Field. If all parties in an 24 association support MAC-EF, the use of a legacy MAC may be avoided. 26 Status of This Memo 28 This Internet-Draft is submitted in full conformance with the 29 provisions of BCP 78 and BCP 79. 31 Internet-Drafts are working documents of the Internet Engineering 32 Task Force (IETF). Note that other groups may also distribute 33 working documents as Internet-Drafts. The list of current Internet- 34 Drafts is at https://datatracker.ietf.org/drafts/current/. 36 Internet-Drafts are draft documents valid for a maximum of six months 37 and may be updated, replaced, or obsoleted by other documents at any 38 time. It is inappropriate to use Internet-Drafts as reference 39 material or to cite them other than as "work in progress." 41 This Internet-Draft will expire on April 5, 2019. 43 Copyright Notice 45 Copyright (c) 2018 IETF Trust and the persons identified as the 46 document authors. All rights reserved. 48 This document is subject to BCP 78 and the IETF Trust's Legal 49 Provisions Relating to IETF Documents 50 (https://trustee.ietf.org/license-info) in effect on the date of 51 publication of this document. Please review these documents 52 carefully, as they describe your rights and restrictions with respect 53 to this document. Code Components extracted from this document must 54 include Simplified BSD License text as described in Section 4.e of 55 the Trust Legal Provisions and are provided without warranty as 56 described in the Simplified BSD License. 58 Table of Contents 60 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 61 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 62 2. The Last Extension Field Extension Field - LAST-EF . . . . . 3 63 3. MAC Extension Field . . . . . . . . . . . . . . . . . . . . . 4 64 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 65 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 66 6. Security Considerations . . . . . . . . . . . . . . . . . . . 6 67 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 70 1. Introduction 72 NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions 73 of the NTP Protocol have supported symmetric private key Message 74 Authentication Code (MAC) authentication. MACs were first described 75 in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 76 5905 [RFC5905]. As the number of Extension Fields grows there is an 77 increasing chance of a parsing ambiguity when deciding if the "next" 78 set of data is an Extension Field or a legacy MAC. This proposal 79 defines two new Extension Fields to avoid this ambiguity. One, LAST- 80 EF, is used to signify that it is the last Extension Field in the 81 packet. If the LAST-EF is present, any subsequent data MUST be 82 considered to be a legacy MAC, or if you prefer, any subsequent data 83 MUST NOT be considered to be an EF. The other, MAC-EF, allows one or 84 more MACs to be encapsulated in an Extension Field. If all parties 85 in an association support MAC-EF, the use of a legacy MAC may be 86 avoided. 88 1.1. Requirements Language 90 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 91 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 92 document are to be interpreted as described in RFC 2119 [RFC2119]. 94 2. The Last Extension Field Extension Field - LAST-EF 96 Now that multiple extension fields are a possibility, additional 97 packet data could be either an Extension Field or a legacy MAC. 98 Having a means to indicate that there are no more Extension Fields in 99 an NTP packet and any subsequent data MUST be something else, almost 100 certainly a legacy MAC, is a valuable facility. 102 0 1 2 3 103 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 104 +---------------+---------------+-------------------------------+ 105 | Field Type | Field Length | 106 +-------------------------------+-------------------------------+ 108 NTP Extension Field: Last Extension Field - LAST-EF 110 Field Type: TBD (Recommendation for IANA: 0x0008 (Last Extension 111 Field)) 113 Field Length: 4 115 Payload: None. 117 Example: 119 0 1 2 3 120 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 121 +---------------+---------------+-------------------------------+ 122 | Field Type (0x0008) | Field Length (0x0004) | 123 +-------------------------------+-------------------------------+ 124 | MAC Key ID | 125 +-------------------------------+-------------------------------+ 126 | Sixteen | 127 +-------------------------------+-------------------------------+ 128 | Octets | 129 +-------------------------------+-------------------------------+ 130 | of | 131 +-------------------------------+-------------------------------+ 132 | MAC | 133 +-------------------------------+-------------------------------+ 135 Example: NTP Extension Field: Last Extension Field, followed by a 136 Legacy MAC 138 3. MAC Extension Field 140 Now that multiple extension fields are a possibility, there is a 141 chance that additional packet data could be either an Extension Field 142 or a legacy MAC. There is benefit to encapsulating the MAC in an 143 extension field. By encapsulating the MAC in an EF, we also have the 144 option to include multiple MACs in a packet, which may be of use in 145 broadcast scenarios, for example. 147 There are two forms of this extension field. The first supports a 148 single MAC, requiring 4 octets' overhead for the EF header. The 149 second form supports one or more MACs in the EF payload, and requires 150 at least 8 octets. 152 0 1 2 3 153 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 154 +---------------+---------------+-------------------------------+ 155 | Field Type (0x0003) | Field Length | 156 +-------------------------------+-------------------------------+ 157 . MAC 1 Key ID . 158 . +-+-+-+-+-+-+-+-+-+-+-+-. 159 . MAC 1 Key Data | Random Data Padding . 160 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 162 NTP Extension Field: MAC EF Format (Single MAC) 164 Field Type: TBD (Recommendation for IANA: 0x0003 (MAC-EF: Single 165 MAC)) 167 Field Length: As needed. 169 Payload: As described. 171 0 1 2 3 172 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 173 +---------------+---------------+-------------------------------+ 174 | Field Type (0x0103) | Field Length | 175 +-------------------------------+-------------------------------+ 176 | MAC Count | MAC 1 Length | 177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 178 | MAC 2 Length | MAC 3 Length | 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 180 . MAC 1 Key ID . 181 . +-+-+-+-+-+-+-+-+-+-+-+-. 182 . MAC 1 Key Data | Random Data Padding . 183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 . MAC 2 Key ID . 185 . +-+-+-+-+-+-+-+-+-+-+-+-+-. 186 . MAC 2 Key Data | Random Data Padding . 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 188 . MAC 3 Key ID . 189 . +-+-+-+-+-+-+-+-+-+-. 190 . MAC 3 Key Data |Random Data Padding. 191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 192 | Padding (as needed) | 193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 195 NTP Extension Field: MAC EF Format (1 or more MACs) 197 Field Type: TBD (Recommendation for IANA: 0x0103 (MAC-EF: 1 or more 198 MACs)) 200 Field Length: As needed. 202 Payload: As described. 204 A Field Type value of TBD (0x0003 is suggested) identifies this 205 extension field as a MAC Extension field for a single MAC. 207 A Field Type value of TBD (0x0103 is suggested) identifies this 208 extension field as a MAC extension field for one or more MACs. In 209 this case, the MAC Count is an unsigned 16-bit field, as is each MAC 210 length field. If there are an even number of MACs specified there is 211 an unused 16-bit field which SHOULD be 0x0000 at the end of the set 212 of MAC length values so that the subsequent MAC data is longword 213 (4-octet) aligned. Each MAC SHALL be padded so that any subsequent 214 MAC starts on a 4-octet boundary. 216 A MAC consisting of 4 octets of zeros means the MAC is a crypto-NAK, 217 as defined by RFC5905 [RFC5905]. 219 Additional MACs SHOULD NOT be present if there is a crypto-NAK 220 present in the packet. 222 Each MAC within the extension field consists of a 32-bit key 223 identifier which SHOULD be unique to the set of key identifiers in 224 this MAC extension field followed by ((MAC Length) - 4) octets of 225 data, optionally followed by random octets to pad the key data to the 226 length specified earlier in the extension field. That key identifier 227 is a shared secret which defines the algorithm to be used and a 228 cookie or secret to be used in generating the digest. The MAC digest 229 is produced by hashing the data from the beginning of the NTP packet 230 up to but not including the start of the MAC extension field. The 231 calculation of the digest SHOULD be a hash of this data concatenated 232 with the 32-bit keyid (in network-order), and the key. When sending 233 or receiving a key identifier each side needs to agree on the key 234 identifier, algorithm and the cookie or secret used to produce the 235 digest along with the digest lengths. Note that the sender may send 236 more bytes than are required by the digest algorithm. This would be 237 done to make it more difficult for a casual observer to identify the 238 algorithm being used based on the length of the data. The digest 239 data begins immediately after the key ID, and any padding octets 240 SHOULD be random. 242 4. Acknowledgements 244 MAC-EF: The authors gratefully acknowledge Dave Mills for his 245 insightful comments. Hal Murray asked if there was a way for the 246 MAC-EF to require only 4 octets of overhead if there was only a 247 single MAC in the payload. 249 5. IANA Considerations 251 This memo requests IANA to allocate NTP Extension Field Types: 253 0x0003 MAC-EF (Single MAC) 255 0x0103 MAC-EF (1 or more MACs) 257 0x0008 LAST-EF 259 6. Security Considerations 261 The security considerations of time protocols in general are 262 discussed in RFC7384 [RFC7384], and the security considerations of 263 NTP are discussed in RFC5905 [RFC5905]. 265 Digests MD5, DES and SHA-1 are considered compromised and should not 266 be used [COMP]. 268 [DISCUSS] Each MAC length should be at least 20 octets long to allow 269 for 4 octets of key ID and at least 16 octets of digest and random 270 padding. For a 128-bit digest, there would be 4 octets of key ID, 16 271 octets of digest, plus any desired octets of random padding. For 272 SHA-256 digests there are 4 octets of key ID, 32 octets digest, plus 273 any desired octets of random padding. Using MAC lengths that include 274 random padding may make it more difficult for an attacker to know 275 which digest algorithms are used. 277 7. Normative References 279 [RFC1305] Mills, D., "Network Time Protocol (Version 3) 280 Specification, Implementation and Analysis", RFC 1305, 281 DOI 10.17487/RFC1305, March 1992, 282 . 284 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 285 Requirement Levels", BCP 14, RFC 2119, 286 DOI 10.17487/RFC2119, March 1997, 287 . 289 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 290 "Network Time Protocol Version 4: Protocol and Algorithms 291 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 292 . 294 [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in 295 Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, 296 October 2014, . 298 Authors' Addresses 300 Harlan Stenn 301 Network Time Foundation 302 P.O. Box 918 303 Talent, OR 97540 304 US 306 Email: stenn@nwtime.org 308 Danny Mayer 309 Network Time Foundation 310 P.O. Box 918 311 Talent, OR 97540 312 US 314 Email: mayer@ntp.org