Internet Engineering Task Force                                 H. Stenn
Internet-Draft                                                  D. Mayer
Intended status: Standards Track                 Network Time Foundation
Expires: April 5, 2019                                   October 2, 2018


            Network Time Protocol MAC/Last Extension Fields
                     draft-stenn-ntp-mac-last-ef-03

Abstract

   NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions
   of the NTP Protocol have supported symmetric private key Message
   Authentication Code (MAC) authentication.  MACs were first described
   in Appendix C of RFC 1305 [RFC1305] and are further described in RFC
   5905 [RFC5905].  As the number of Extension Fields grows there is an
   increasing chance of a parsing ambiguity when deciding if the "next"
   set of data is an Extension Field or a legacy MAC.  This proposal
   defines two new Extension Fields to avoid this ambiguity.  One, LAST-
   EF, is used to signify that it is the last Extension Field in the
   packet.  If the LAST-EF is present, any subsequent data MUST be
   considered to be a legacy MAC.  The other, MAC-EF, allows one or more
   MACs to be encapsulated in an Extension Field.  If all parties in an
   association support MAC-EF, the use of a legacy MAC may be avoided.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 5, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.





Stenn & Mayer             Expires April 5, 2019                 [Page 1]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  The Last Extension Field Extension Field - LAST-EF  . . . . .   3
   3.  MAC Extension Field . . . . . . . . . . . . . . . . . . . . .   4
   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions
   of the NTP Protocol have supported symmetric private key Message
   Authentication Code (MAC) authentication.  MACs were first described
   in Appendix C of RFC 1305 [RFC1305] and are further described in RFC
   5905 [RFC5905].  As the number of Extension Fields grows there is an
   increasing chance of a parsing ambiguity when deciding if the "next"
   set of data is an Extension Field or a legacy MAC.  This proposal
   defines two new Extension Fields to avoid this ambiguity.  One, LAST-
   EF, is used to signify that it is the last Extension Field in the
   packet.  If the LAST-EF is present, any subsequent data MUST be
   considered to be a legacy MAC, or if you prefer, any subsequent data
   MUST NOT be considered to be an EF.  The other, MAC-EF, allows one or
   more MACs to be encapsulated in an Extension Field.  If all parties
   in an association support MAC-EF, the use of a legacy MAC may be
   avoided.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].






Stenn & Mayer             Expires April 5, 2019                 [Page 2]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


2.  The Last Extension Field Extension Field - LAST-EF

   Now that multiple extension fields are a possibility, additional
   packet data could be either an Extension Field or a legacy MAC.
   Having a means to indicate that there are no more Extension Fields in
   an NTP packet and any subsequent data MUST be something else, almost
   certainly a legacy MAC, is a valuable facility.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |          Field Type           |        Field Length           |
   +-------------------------------+-------------------------------+

            NTP Extension Field: Last Extension Field - LAST-EF

   Field Type: TBD (Recommendation for IANA: 0x0008 (Last Extension
   Field))

   Field Length: 4

   Payload: None.

   Example:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Field Type (0x0008)       |    Field Length (0x0004)      |
   +-------------------------------+-------------------------------+
   |                          MAC Key ID                           |
   +-------------------------------+-------------------------------+
   |                            Sixteen                            |
   +-------------------------------+-------------------------------+
   |                             Octets                            |
   +-------------------------------+-------------------------------+
   |                              of                               |
   +-------------------------------+-------------------------------+
   |                              MAC                              |
   +-------------------------------+-------------------------------+

     Example: NTP Extension Field: Last Extension Field, followed by a
                                Legacy MAC








Stenn & Mayer             Expires April 5, 2019                 [Page 3]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


3.  MAC Extension Field

   Now that multiple extension fields are a possibility, there is a
   chance that additional packet data could be either an Extension Field
   or a legacy MAC.  There is benefit to encapsulating the MAC in an
   extension field.  By encapsulating the MAC in an EF, we also have the
   option to include multiple MACs in a packet, which may be of use in
   broadcast scenarios, for example.

   There are two forms of this extension field.  The first supports a
   single MAC, requiring 4 octets' overhead for the EF header.  The
   second form supports one or more MACs in the EF payload, and requires
   at least 8 octets.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Field Type (0x0003)       |        Field Length           |
   +-------------------------------+-------------------------------+
   .                         MAC 1 Key ID                          .
   .                                       +-+-+-+-+-+-+-+-+-+-+-+-.
   .         MAC 1 Key Data                | Random Data Padding   .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

              NTP Extension Field: MAC EF Format (Single MAC)

   Field Type: TBD (Recommendation for IANA: 0x0003 (MAC-EF: Single
   MAC))

   Field Length: As needed.

   Payload: As described.



















Stenn & Mayer             Expires April 5, 2019                 [Page 4]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +---------------+---------------+-------------------------------+
   |     Field Type (0x0103)       |        Field Length           |
   +-------------------------------+-------------------------------+
   |          MAC Count            |        MAC 1 Length           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          MAC 2 Length         |        MAC 3 Length           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 1 Key ID                          .
   .                                       +-+-+-+-+-+-+-+-+-+-+-+-.
   .         MAC 1 Key Data                | Random Data Padding   .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 2 Key ID                          .
   .                                     +-+-+-+-+-+-+-+-+-+-+-+-+-.
   .        MAC 2 Key Data               | Random Data Padding     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                         MAC 3 Key ID                          .
   .                                           +-+-+-+-+-+-+-+-+-+-.
   .          MAC 3 Key Data                   |Random Data Padding.
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Padding (as needed)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            NTP Extension Field: MAC EF Format (1 or more MACs)

   Field Type: TBD (Recommendation for IANA: 0x0103 (MAC-EF: 1 or more
   MACs))

   Field Length: As needed.

   Payload: As described.

   A Field Type value of TBD (0x0003 is suggested) identifies this
   extension field as a MAC Extension field for a single MAC.

   A Field Type value of TBD (0x0103 is suggested) identifies this
   extension field as a MAC extension field for one or more MACs.  In
   this case, the MAC Count is an unsigned 16-bit field, as is each MAC
   length field.  If there are an even number of MACs specified there is
   an unused 16-bit field which SHOULD be 0x0000 at the end of the set
   of MAC length values so that the subsequent MAC data is longword
   (4-octet) aligned.  Each MAC SHALL be padded so that any subsequent
   MAC starts on a 4-octet boundary.

   A MAC consisting of 4 octets of zeros means the MAC is a crypto-NAK,
   as defined by RFC5905 [RFC5905].




Stenn & Mayer             Expires April 5, 2019                 [Page 5]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


   Additional MACs SHOULD NOT be present if there is a crypto-NAK
   present in the packet.

   Each MAC within the extension field consists of a 32-bit key
   identifier which SHOULD be unique to the set of key identifiers in
   this MAC extension field followed by ((MAC Length) - 4) octets of
   data, optionally followed by random octets to pad the key data to the
   length specified earlier in the extension field.  That key identifier
   is a shared secret which defines the algorithm to be used and a
   cookie or secret to be used in generating the digest.  The MAC digest
   is produced by hashing the data from the beginning of the NTP packet
   up to but not including the start of the MAC extension field.  The
   calculation of the digest SHOULD be a hash of this data concatenated
   with the 32-bit keyid (in network-order), and the key.  When sending
   or receiving a key identifier each side needs to agree on the key
   identifier, algorithm and the cookie or secret used to produce the
   digest along with the digest lengths.  Note that the sender may send
   more bytes than are required by the digest algorithm.  This would be
   done to make it more difficult for a casual observer to identify the
   algorithm being used based on the length of the data.  The digest
   data begins immediately after the key ID, and any padding octets
   SHOULD be random.

4.  Acknowledgements

   MAC-EF: The authors gratefully acknowledge Dave Mills for his
   insightful comments.  Hal Murray asked if there was a way for the
   MAC-EF to require only 4 octets of overhead if there was only a
   single MAC in the payload.

5.  IANA Considerations

   This memo requests IANA to allocate NTP Extension Field Types:

      0x0003 MAC-EF (Single MAC)

      0x0103 MAC-EF (1 or more MACs)

      0x0008 LAST-EF

6.  Security Considerations

   The security considerations of time protocols in general are
   discussed in RFC7384 [RFC7384], and the security considerations of
   NTP are discussed in RFC5905 [RFC5905].

   Digests MD5, DES and SHA-1 are considered compromised and should not
   be used [COMP].



Stenn & Mayer             Expires April 5, 2019                 [Page 6]


Internet-Draft        NTP MAC/Last Extension Fields         October 2018


   [DISCUSS] Each MAC length should be at least 20 octets long to allow
   for 4 octets of key ID and at least 16 octets of digest and random
   padding.  For a 128-bit digest, there would be 4 octets of key ID, 16
   octets of digest, plus any desired octets of random padding.  For
   SHA-256 digests there are 4 octets of key ID, 32 octets digest, plus
   any desired octets of random padding.  Using MAC lengths that include
   random padding may make it more difficult for an attacker to know
   which digest algorithms are used.

7.  Normative References

   [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
              Specification, Implementation and Analysis", RFC 1305,
              DOI 10.17487/RFC1305, March 1992,
              <https://www.rfc-editor.org/info/rfc1305>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
              <https://www.rfc-editor.org/info/rfc5905>.

   [RFC7384]  Mizrahi, T., "Security Requirements of Time Protocols in
              Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
              October 2014, <https://www.rfc-editor.org/info/rfc7384>.

Authors' Addresses

   Harlan Stenn
   Network Time Foundation
   P.O. Box 918
   Talent, OR  97540
   US

   Email: stenn@nwtime.org


   Danny Mayer
   Network Time Foundation
   P.O. Box 918
   Talent, OR  97540
   US

   Email: mayer@ntp.org



Stenn & Mayer             Expires April 5, 2019                 [Page 7]