idnits 2.17.1

draft-stenn-ntp-mac-last-ef-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 25, 2019) is 1859 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'COMP' is mentioned on line 280, but not defined

  == Missing Reference: 'DISCUSS' is mentioned on line 282, but not defined

  ** Obsolete normative reference: RFC 1305 (Obsoleted by RFC 5905)

  ** Downref: Normative reference to an Informational RFC: RFC 7384

     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                                 H. Stenn
Internet-Draft                                                  D. Mayer
Intended status: Standards Track                 Network Time Foundation
Expires: September 26, 2019                               March 25, 2019

            Network Time Protocol MAC/Last Extension Fields
                     draft-stenn-ntp-mac-last-ef-04

Abstract

   NTP packets can be authenticated by a Message Authentication Code
   (MAC) if a MAC is present at the end of an NTP packet. The legacy
   format for this MAC is not formatted as an NTP Extension Field, and
   its presence may cause some implementations a parsing ambiguity.

   This proposal introduces two ways to resolve this problem. One is to
   provide a MAC Extension Field. The other is an extension field that
   unambiguously declares itself to be the last extension field in an
   NTP packet (so any additional data MUST be a legacy MAC).

   RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING:

   The source code and issues list for this draft can be found in
   https://github.com/hstenn/ietf-ntp-mac-last-ef

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 26, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  The Last Extension Field Extension Field - LAST-EF
   3.  MAC Extension Field
   4.  Acknowledgements
   5.  IANA Considerations
   6.  Security Considerations
   7.  Normative References
   Authors' Addresses

1. Introduction

   NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions
   of the NTP Protocol have supported symmetric private key Message
   Authentication Code (MAC) authentication. MACs were first described
   in Appendix C of RFC 1305 [RFC1305] and are further described in RFC
   5905 [RFC5905]. As the number of Extension Fields grows there is an
   increasing chance some implementations will find a parsing ambiguity
   when deciding if the "next" set of data is an Extension Field or a
   legacy MAC. This proposal defines two new Extension Fields to avoid
   this potential ambiguity. One, LAST-EF, is used to signify that it
   is the last Extension Field in the packet. If the LAST-EF is
   present, any subsequent data MUST be considered to be a legacy MAC,
   or if you prefer, any subsequent data MUST NOT be considered to be an
   EF. The other, MAC-EF, allows one or more MACs to be encapsulated in
   an Extension Field. If all parties in an association support MAC-EF,
   the use of a legacy MAC may be avoided.

1.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. The Last Extension Field Extension Field - LAST-EF

   Now that multiple extension fields are a possibility, additional
   packet data could be either an Extension Field or a legacy MAC.
   Having a means to indicate that there are no more Extension Fields in
   an NTP packet and any subsequent data MUST be something else, almost
   certainly a legacy MAC, is a valuable facility.

   The format of a LAST-EF is an Extension Field comprised of an
   identified Field Type and an appropriate Field Length.

   In the example below the Field Length in the LAST-EF is 4, because
   there is clearly no need in this case for the 28 octets required by
   RFC 7822 [RFC7822]. But the LAST-EF could have any supported length,
   as any payload is ignored.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |          Field Type           |         Field Length          |
   +-------------------------------+-------------------------------+

        NTP Extension Field: Last Extension Field - LAST-EF

   Field Type: TBD (Recommendation for IANA: 0x0008 (Last Extension
   Field))

   Field Length: 4 (minimum)

   Payload: Ignored if present - none needed. SHOULD be zeroes.

   Example:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |      Field Type (0x0008)      |     Field Length (0x0004)     |
   +-------------------------------+-------------------------------+
   |                          MAC Key ID                           |
   +-------------------------------+-------------------------------+
   |                            Sixteen                            |
   +-------------------------------+-------------------------------+
   |                            Octets                             |
   +-------------------------------+-------------------------------+
   |                              of                               |
   +-------------------------------+-------------------------------+
   |                              MAC                              |
   +-------------------------------+-------------------------------+

     Example: NTP Extension Field: Last Extension Field, followed by a
                                Legacy MAC

3. MAC Extension Field

   Now that multiple extension fields are a possibility, there is a
   chance that additional packet data could be either an Extension Field
   or a legacy MAC. There is benefit to encapsulating the MAC in an
   extension field. By encapsulating the MAC in an EF, we also have the
   option to include multiple MACs in a packet, which may be of use in
   broadcast scenarios, for example.

   There are two forms of this extension field. The first supports a
   single MAC, requiring 4 octets' overhead for the EF header. The
   second form supports one or more MACs in the EF payload, and requires
   at least 8 octets.

   The format of a MAC-EF is an Extension Field comprised of an
   identified Field Type and an appropriate Field Length.

   A Field Type value of TBD (0x0003 is suggested) identifies this
   extension field as a MAC Extension field for a single MAC. In this
   case, the payload consists of the four octet MAC Key ID followed by
   the MAC digest, and any desired (possibly random data) padding.

   A Field Type value of TBD (0x0103 is suggested) identifies this
   extension field as a MAC extension field for one or more MACs. In
   this case, the payload consists of an unsigned 16-bit MAC Count (N)
   followed by N unsigned 16-bit MAC length fields. If there are an
   even number of MACs specified there is an unused 16-bit field which
   SHOULD be 0x0000 at the end of the set of MAC length values so that
   the subsequent MAC data is longword (4-octet) aligned. Each MAC
   SHALL be padded so that any subsequent MAC starts on a 4-octet
   boundary. Optional (possibly random data) padding is allowed.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |      Field Type (0x0003)      |         Field Length          |
   +-------------------------------+-------------------------------+
   .                         MAC 1 Key ID                          .
   .                                       +-+-+-+-+-+-+-+-+-+-+-+-.
   .            MAC 1 Key Data             |  Random Data Padding  .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          NTP Extension Field: MAC EF Format (Single MAC)

   Field Type: TBD (Recommendation for IANA: 0x0003 (MAC-EF: Single
   MAC))

   Field Length: As needed.

   Payload: As described.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |      Field Type (0x0103)      |         Field Length          |
   +-------------------------------+-------------------------------+
   |           MAC Count           |         MAC 1 Length          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         MAC 2 Length          |         MAC 3 Length          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 1 Key ID                          .
   .                                       +-+-+-+-+-+-+-+-+-+-+-+-.
   .            MAC 1 Key Data             |  Random Data Padding  .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 2 Key ID                          .
   .                                     +-+-+-+-+-+-+-+-+-+-+-+-+-.
   .           MAC 2 Key Data            |   Random Data Padding   .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 3 Key ID                          .
   .                                           +-+-+-+-+-+-+-+-+-+-.
   .              MAC 3 Key Data               |Random Data Padding.
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Padding (as needed)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

         NTP Extension Field: MAC EF Format (1 or more MACs)

   Field Type: TBD (Recommendation for IANA: 0x0103 (MAC-EF: 1 or more
   MACs))

   Field Length: As needed.

   Payload: As described.

   A MAC consisting of 4 octets of zeros means the MAC is a crypto-NAK,
   as defined by RFC5905 [RFC5905].

   Additional MACs SHOULD NOT be present if there is a crypto-NAK
   present in the packet.

   Each MAC within the extension field consists of a 32-bit key
   identifier which SHOULD be unique to the set of key identifiers in
   this MAC extension field followed by ((MAC Length) - 4) octets of
   data, optionally followed by random octets to pad the key data to the
   length specified earlier in the extension field. That key identifier
   is a shared secret which defines the algorithm to be used and a
   cookie or secret to be used in generating the digest. The MAC digest
   is produced by hashing the data from the beginning of the NTP packet
   up to but not including the start of the MAC extension field. The
   calculation of the digest SHOULD be a hash of this data concatenated
   with the 32-bit keyid (in network-order), and the key. When sending
   or receiving a key identifier each side needs to agree on the key
   identifier, algorithm and the cookie or secret used to produce the
   digest along with the digest lengths. Note that the sender may send
   more bytes than are required by the digest algorithm. This would be
   done to make it more difficult for a casual observer to identify the
   algorithm being used based on the length of the data. The digest
   data begins immediately after the key ID, and any padding octets
   SHOULD be random.

4. Acknowledgements

   MAC-EF: The authors gratefully acknowledge Dave Mills for his
   insightful comments. Hal Murray asked if there was a way for the
   MAC-EF to require only 4 octets of overhead if there was only a
   single MAC in the payload.

5. IANA Considerations

   This memo requests IANA to allocate NTP Extension Field Types:

   0x0003 MAC-EF (Single MAC)

   0x0103 MAC-EF (1 or more MACs)

   0x0008 LAST-EF

6. Security Considerations

   The security considerations of time protocols in general are
   discussed in RFC7384 [RFC7384], and the security considerations of
   NTP are discussed in RFC5905 [RFC5905].

   Digests MD5, DES and SHA-1 are considered compromised and should not
   be used [COMP].

   [DISCUSS] Each MAC length should be at least 20 octets long to allow
   for 4 octets of key ID and at least 16 octets of digest and random
   padding. For a 128-bit digest, there would be 4 octets of key ID, 16
   octets of digest, plus any desired octets of random padding. For
   SHA-256 digests there are 4 octets of key ID, 32 octets digest, plus
   any desired octets of random padding. Using MAC lengths that include
   random padding may make it more difficult for an attacker to know
   which digest algorithms are used.

7. Normative References

   [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
              Specification, Implementation and Analysis", RFC 1305,
              DOI 10.17487/RFC1305, March 1992.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010.

   [RFC7384]  Mizrahi, T., "Security Requirements of Time Protocols in
              Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
              October 2014.

   [RFC7822]  Mizrahi, T. and D. Mayer, "Network Time Protocol Version 4
              (NTPv4) Extension Fields", RFC 7822, DOI 10.17487/RFC7822,
              March 2016.

Authors' Addresses

   Harlan Stenn
   Network Time Foundation
   P.O. Box 918
   Talent, OR 97540
   US

   Email: stenn@nwtime.org

   Danny Mayer
   Network Time Foundation
   P.O. Box 918
   Talent, OR 97540
   US

   Email: mayer@ntp.org
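
The layout rules of Sections 2 and 3, as an added example (not code from the draft or its authors): a strict Python walker for the octets that follow the 48-octet NTP header. The Field Type values are the draft's suggested code points, the function names are hypothetical, and it assumes that MAC Length counts the key ID plus data octets, that Field Length is a multiple of 4 as in RFC 5905, and that a sender emits LAST-EF before any legacy MAC.

```python
import struct
# Field Types are the draft's suggested values, not IANA-assigned code points.
LAST_EF, MAC_EF_SINGLE, MAC_EF_MULTI = 0x0008, 0x0003, 0x0103

def split_macs(payload):
    """Split a 0x0103 MAC-EF payload into (key_id, data) pairs."""
    if len(payload) < 4:
        raise ValueError("no room for MAC Count and one MAC length")
    (count,) = struct.unpack_from("!H", payload, 0)
    table_end = 2 + 2 * count
    if count == 0 or table_end > len(payload):
        raise ValueError("MAC Count does not fit in the field")
    lengths = struct.unpack_from("!%dH" % count, payload, 2)
    off = (table_end + 3) & ~3  # skips the unused 16 bits when count is even
    macs = []
    for mac_len in lengths:  # assumption: MAC Length = key ID + data octets
        if mac_len < 4 or off + mac_len > len(payload):
            raise ValueError("MAC length out of bounds")
        (key_id,) = struct.unpack_from("!I", payload, off)
        macs.append((key_id, payload[off + 4:off + mac_len]))
        off = (off + mac_len + 3) & ~3  # next MAC starts 4-octet aligned
    return macs

def parse_trailer(data):
    """Return (macs, legacy_mac) for the octets after the 48-octet NTP header."""
    macs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated extension field header")
        ftype, flen = struct.unpack_from("!HH", data, off)
        if flen < 4 or flen % 4 or off + flen > len(data):
            raise ValueError("bad Field Length %d" % flen)
        payload, off = data[off + 4:off + flen], off + flen
        if ftype == LAST_EF:  # later octets MUST NOT be parsed as an EF
            return macs, data[off:]
        if ftype == MAC_EF_SINGLE:  # key ID, then digest and any padding
            if len(payload) < 4:
                raise ValueError("single MAC-EF lacks a key ID")
            macs.append((struct.unpack_from("!I", payload)[0], payload[4:]))
        elif ftype == MAC_EF_MULTI:
            macs.extend(split_macs(payload))
    return macs, b""

def sample():
    """Constructed input: two 20-octet MACs in a MAC-EF, LAST-EF, legacy MAC."""
    mac = lambda kid: struct.pack("!I", kid) + bytes(16)  # all-zero dummy digest
    multi = struct.pack("!HHHH", 2, 20, 20, 0) + mac(1) + mac(2)
    ef = struct.pack("!HH", MAC_EF_MULTI, 4 + len(multi)) + multi
    return ef + struct.pack("!HH", LAST_EF, 4) + mac(7)
```

The returned data octets still hold the digest plus any random padding; only the receiver's key table (algorithm and digest length per key ID) can tell the two apart.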