Internet Engineering Task Force H. Stenn
Internet-Draft D. Mayer
Intended status: Standards Track Network Time Foundation
Expires: May 2, 2017 October 29, 2016
Network Time Protocol MAC/Last Extension Fields
draft-stenn-ntp-mac-last-ef-00
Abstract
NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions
of the NTP Protocol have supported symmetric private key Message
Authentication Code (MAC) authentication. MACs were first described
in Appendix C of RFC 1305 [RFC1305] and are further described in RFC
5905 [RFC5905]. As the number of Extension Fields grows there is an
increasing chance of a parsing ambiguity when deciding if the "next"
set of data is an Extension Field or a legacy MAC. This proposal
defines two new Extension Fields to avoid this ambiguity. One is
used to signifiy that it is the last Extension Field in the packet.
If present, any subsequent data MUST be considered to be a legacy
MAC. The other allows one or more MACs to be encapsulated in an
Extension Field. If all parties in an association support MAC-EF,
the use of a legacy MAC may be avoided.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 2, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
Stenn & Mayer Expires May 2, 2017 [Page 1]
Internet-Draft NTP MAC/Last Extension Fields October 2016
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2
2. The Last Extension Field Extension Field . . . . . . . . . . 3
3. MAC Extension Field . . . . . . . . . . . . . . . . . . . . . 4
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Normative References . . . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions
of the NTP Protocol have supported symmetric private key Message
Authentication Code (MAC) authentication. MACs were first described
in Appendix C of RFC 1305 [RFC1305] and are further described in RFC
5905 [RFC5905]. As the number of Extension Fields grows there is an
increasing chance of a parsing ambiguity when deciding if the "next"
set of data is an Extension Field or a legacy MAC. This proposal
defines two new Extension Fields to avoid this ambiguity. One is
used to signifiy that it is the last Extension Field in the packet.
If present, any subsequent data MUST be considered to be a legacy
MAC. The other allows one or more MACs to be encapsulated in an
Extension Field. If all parties in an association support MAC-EF,
the use of a legacy MAC may be avoided.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Stenn & Mayer Expires May 2, 2017 [Page 2]
Internet-Draft NTP MAC/Last Extension Fields October 2016
2. The Last Extension Field Extension Field
Now that multiple extension fields are a possibility, additional
packet data could be either an Extension Field or a legacy MAC.
Having a means to indicate that there are no more Extension Fields in
an NTP packet and any subsequent data MUST be something else, almost
certainly a legacy MAC, is a valuable facility.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Field Type | Field Length |
+-------------------------------+-------------------------------+
NTP Extension Field: Last Extension Field
Field Type: TBD (Recommendation for IANA: 0x2008 (Last Extension
Field, MAC OPTIONAL))
Field Length: 4
Payload: None.
Example:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Field Type (0x2008) | Field Length (0x0004) |
+-------------------------------+-------------------------------+
| MAC Key ID |
+-------------------------------+-------------------------------+
| Sixteen |
+-------------------------------+-------------------------------+
| Octets |
+-------------------------------+-------------------------------+
| of |
+-------------------------------+-------------------------------+
| MAC |
+-------------------------------+-------------------------------+
Example: NTP Extension Field: Last Extension Field, followed by a
Legacy MAC
Stenn & Mayer Expires May 2, 2017 [Page 3]
Internet-Draft NTP MAC/Last Extension Fields October 2016
3. MAC Extension Field
Now that multiple extension fields are a possibility, there is a
chance that additional packet data could be either an Extension Field
or a legacy MAC. There is benefit to encapsulating the MAC in an
extension field. By encapsulating the MAC in an EF, we also have the
option to include multiple MACs in a packet, which may be of use in
broadcast scenarios, for example.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
| Field Type | Field Length |
+-------------------------------+-------------------------------+
| MAC Count | MAC 1 Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MAC 2 Length | MAC 3 Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. MAC 1 Key ID .
. +-+-+-+-+-+-+-+-+-+-+-+-.
. MAC 1 Key Data | Random Data Padding .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. MAC 2 Key ID .
. +-+-+-+-+-+-+-+-+-+-+-+-+-.
. MAC 2 Key Data | Random Data Padding .
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
. MAC 3 Key ID .
. +-+-+-+-+-+-+-+-+-+-.
. MAC 3 Key Data |Random Data Padding.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Padding (as needed) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NTP Extension Field: MAC EF Format
Field Type: TBD (Recommendation for IANA: 0x1003 (MAC-EF, MAC
INCLUDED), 0x3003 (MAC-EF, MAC OPTIONAL, MAC INCLUDED))
Field Length: As needed
Payload: As described.
A Field Type of 0 and a Length of 0 means this extension field is a
CRYPTO-NAK, as defined by RFC5905. Otherwise, a Field Type value of
TBD (0x1003 is suggested) identifies this extension field as a MAC
Extension field. The MAC Count is an unsigned 16-bit field, as is
each MAC length field. If there are an even number of MACs specified
there is an unused 16-bit field which SHOULD be 0x0000 at the end of
Stenn & Mayer Expires May 2, 2017 [Page 4]
Internet-Draft NTP MAC/Last Extension Fields October 2016
the set of MAC length values so that the subsequent MAC data is
longword (4-octet) aligned. Each MAC SHALL be padded so that any
subsequent MAC starts on a 4-octet boundary.
A MAC SHOULD not be present if there is a crypto-NAK present in the
packet.
Each MAC within the extension field consists of a 32-bit key
identifier which SHOULD be unique to the set of key identifiers in
this MAC extension field followed by ((MAC Length) - 4) octets of
data, optionally followed by random octets to pad the key data to the
length specified earlier in the extension field. That key identifier
is a shared secret which defines the algorithm to be used and a
cookie or secret to be used in generating the digest. The MAC digest
is produced by hashing the data from the beginning of the NTP packet
up to but not including the start of the MAC extension field. The
calculation of the digest SHOULD be a hash of this data concatenated
with the 32-bit keyid (in network-order), and the key. When sending
or receiving a key identifier each side needs to agree on the key
identifier, algorithm and the cookie or secret used to produce the
digest along with the digest lengths. Note that the sender may send
more bytes than are required by the digest algorithm. This would be
done to make it more difficult for a casual observer to identify the
algorithm being used based on the length of the data. The digest
data begins immediately after the key ID, and any padding octets
SHOULD be random.
4. Acknowledgements
MAC-EF: The authors gratefully acknowledge Dave Mills for his
insightful comments.
5. IANA Considerations
This memo requests IANA to allocate NTP Extension Field Types:
0x0000 CRYPTO-NAK
0x1003 MAC-EF, MAC INCLUDED
0x3003 MAC-EF, MAC OPTIONAL, MAC INCLUDED
0x0008 LAST-EF
0x2008 LAST-EF, MAC OPTIONAL
Stenn & Mayer Expires May 2, 2017 [Page 5]
Internet-Draft NTP MAC/Last Extension Fields October 2016
6. Security Considerations
The security considerations of time protocols in general are
discussed in RFC7384 [RFC7384], and the security considerations of
NTP are discussed in [RFC5905].
Digests MD5, DES and SHA-1 are considered compromised and should not
be used [COMP].
If possible each MAC length should be at least 68 octets long to
allow for 4 octets of key ID and at least 64 octets of digest and
random padding. This means that for SHA-256 digests there are 4
octets of key ID, 32 bytes digest and 32 random octets of padding.
Using larger minimum MAC lengths makes it difficult for an attacker
to know which digest algorithms are used.
7. Normative References
[RFC1305] Mills, D., "Network Time Protocol (Version 3)
Specification, Implementation and Analysis", RFC 1305,
DOI 10.17487/RFC1305, March 1992,
<http://www.rfc-editor.org/info/rfc1305>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<http://www.rfc-editor.org/info/rfc5905>.
[RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in
Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
October 2014, <http://www.rfc-editor.org/info/rfc7384>.
Authors' Addresses
Harlan Stenn
Network Time Foundation
P.O. Box 918
Talent, OR 97540
US
Email: stenn@nwtime.org
Stenn & Mayer Expires May 2, 2017 [Page 6]
Internet-Draft NTP MAC/Last Extension Fields October 2016
Danny Mayer
Network Time Foundation
P.O. Box 918
Talent, OR 97540
US
Email: mayer@ntp.org
Stenn & Mayer Expires May 2, 2017 [Page 7]