netsec-sig - Re: [Security-WG] I2 - Turning off NTP?
Subject: Internet2 Network Security SIG
List archive
- From: "Montgomery, Douglas (Fed)" <>
- To: "" <>
- Subject: Re: [Security-WG] I2 - Turning off NTP?
- Date: Wed, 26 Jul 2017 18:32:54 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:5Krv5B86nBcXC/9uRHKM819IXTAuvvDOBiVQ1KB20uocTK2v8tzYMVDF4r011RmSDNWds6oMotGVmpioYXYH75eFvSJKW713fDhBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1Ifn+FpLPg8it2e2//57ebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMsPsTbAwRD+s8aFlRhH1gysDLjI17n3bhsl2galGohyuugZ/zpbUbo+LKfR+Yq3Tc9AURWVDUMlRVjBODIyzYIYUE+oOJuNYo5Xhq1YUrxazAxSnCuP1yj9Pg3/7xaM23eMmEQHAwAwgENUOsHHKo9XvNKYeSf2+wqfPzTXeYPNW3S3y6JPVeRwlof+DQ69/fc/fxUIyEA7Kk1KQqZHqPzOQzekNtWmb7/F8Ve61hG4nrB9xryGpy8wxhIfJgYcVxUrF9SV/2Is1I9y4SFVnYdK+H5tQsD+aOo1rSc0hW2FloDg2x7MctZKmYCQHxo4rywDDZ/CaaYSE/w7vWeSJLTtlmn5ofKiziheo/US+yuDxWNO43EhUoiZZlNTHq2oD2AbJ6sedT/tw5keh1iiL1wDU8uxELlw7mrbHJ5I827I/i58TvVraEi/xg0r5krWadkI5+ui08OvnZajmppmBOINukgH+KKMumtChDuskLggOXm+b+eKm2L3k4E35XLFKjvoxkqnaqpzVOcMbpquhDw9U1IYs9Qq/Ai+43NkWh3ULMU5JdRydg4T3J13CPer0Aeqjj1muiDtrwurJPrzlApXDNHjDl7LhcK5g5E5b1QozwtVf6olSCrEAO/LzRlX9tNPfDh8nKwC02froCM1h1oMCXmKCGrSZP73Ovl+V/OIvIvWMZY8MtDfzJPgo/PrujX4imV8BZqmlw4EbaHG+HvR6PUqZe3zsjckdEWsUpAYxUvHliEDRGQJUMjypUqkh/DAnGce5Aq/CQJygmrqMwH39E5FLLCgSEV2HDG3pa5TBRPgkaSSOL9VnnyBeE7WtVtly+wupsVqw7r1hMuXT/yACpNar+N9o6Onajlly2zF4To7Vh22KUm5xtmUJXCNw06dh9x8ugmyf2LR11qQLXedY4OlEB0JgbZM=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
I should note that my statement “it would take a very large clock skew to
begin to effect this” I meant in the validating cache.
dougm
--dougm @ NIST / ITL / ANTD
On 7/26/17, 10:05 AM, "Montgomery, Douglas (Fed)"
<>
wrote:
It is no different for BGPSEC – all the certificates, which do have
validity periods, are kept in the validating cache. The SIGS on the BGP path
etc do not have validity dates. Note also that validity periods on CERTS in
RPKI are expected to be long lived and rolled make-before-break when their
expirations approaches. While you could do this poorly of course, if you are
doing this reasonably, it would take a very large clock skew to begin to
effect this.
Folks do this now with DNSSEC – creating validity periods that are “back
dated” a bit to catch those resolvers with lagging clocks.
So, if you don’t plan to let your clocks skew by 10s of hours, or days,
you should be OK. Mind you I think the idea of doing that will present all
kinds of other problems with normal operations / logs, not just security
protocols.
--Doug Montgomery, Mgr. Internet & Scalable Systems Research @ NIST
https://www.nist.gov/itl/antd/internet-scalable-systems-research
On 7/26/17, 9:48 AM, "Andrew Gallo"
<
on behalf of
>
wrote:
I don't think that RPKI (origin validation) would be affected, since
the
crypto processing is done by an external validator. What I *think*
might
be a problem is full path validation, where each hop in an AS path
has
to sign advertisements and do crypto processing, most likely on the
router. At least that's my understanding of how secureBGP is
supposed
to work. I'll see if I can glean anything from the SIDR working
group docs.
On 7/26/2017 9:16 AM, gcbrowni wrote:
> Great points in the discussion.
>
> *) Accurate clock is convenient for looking at local logs
> *) More than Syslog timestamps, and third-party stamping can suffer
from delays almost certainly resulting in out of order messages in some
situations. (Corner? Common? Corner but when you need it most?)
> *) A potential impact to RPKI & route validation
> *) A Juniper website that turns up EX switch docs more than real
JunOS docs. :)
>
>
> And on the risk
> *) Being forced to run a server. I find this decision from Juniper
puzzling. There’s lots of filter/acl options, but "just don’t listen on the
port" doesn’t seem to one of them, beyond turning the entire NTP system off.
> *) There’s some cost in man-hours to this, from getting the filters
on the loop and edge and NTP correct, maintaining them, and dealing with
anomalous message sin the syslog about xntpd … which STILL seem to occur. IE:
you have to do everything you should do when running a server.
> *) The … risk? of running a server that is a known vector if
misconfigured, as well as yet another server for a "if the packet reaches the
loopback filter it is too late" security advisory from Juniper.
>
>
> I don’t think I2 has the "personalized support person" maintenance
option anymore; does anyone else? It might be worth it to see what Juniper
response is to "why do have to have a server to have correct time?" … and
then of course the associated coordinated feature request. :)
>
>
>
> John & Andrew, could I get you to elaborate more on the potential
drift implications in RPKI & route validation?
>
>
>
>
>
--
________________________________
Andrew Gallo
The George Washington University
- Re: [Security-WG] I2 - Turning off NTP?, (continued)
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Message not available
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Michael H Lambert, 07/26/2017
- RE: [Security-WG] I2 - Turning off NTP?, Magorian, Daniel F., 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Michael Hare, 07/27/2017
- Message not available
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
Archive powered by MHonArc 2.6.19.