Internet Engineering Task Force H. Stenn Internet-Draft D. Mayer Intended status: Standards Track Network Time Foundation Expires: September 26, 2019 March 25, 2019 Network Time Protocol MAC/Last Extension Fields draft-stenn-ntp-mac-last-ef-04 Abstract NTP packets can be authenticated by a Message Authentication Code (MAC) if a MAC is present at the end of an NTP packet. The legacy format for this MAC is not formatted as an NTP Extension Field, and its presence may cause some implementations a parsing ambiguity. This proposal introduces two ways to resolve this problem. One is to provide a MAC Extension Field. The other is an extension field that unambiguously declares itself to be the last extension field in an NTP packet (so any additional data MUST be a legacy MAC). RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING: The source code and issues list for this draft can be found in https://github.com/hstenn/ietf-ntp-mac-last-ef Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 26, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. Stenn & Mayer Expires September 26, 2019 [Page 1] Internet-Draft NTP MAC/Last Extension Fields March 2019 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 2. The Last Extension Field Extension Field - LAST-EF . . . . . 3 3. MAC Extension Field . . . . . . . . . . . . . . . . . . . . . 4 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Normative References . . . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction NTPv4 is defined by RFC 5905 [RFC5905], and it and earlier versions of the NTP Protocol have supported symmetric private key Message Authentication Code (MAC) authentication. MACs were first described in Appendix C of RFC 1305 [RFC1305] and are further described in RFC 5905 [RFC5905]. As the number of Extension Fields grows there is an increasing chance some implementations will find a parsing ambiguity when deciding if the "next" set of data is an Extension Field or a legacy MAC. This proposal defines two new Extension Fields to avoid this potential ambiguity. One, LAST-EF, is used to signify that it is the last Extension Field in the packet. If the LAST-EF is present, any subsequent data MUST be considered to be a legacy MAC, or if you prefer, any subsequent data MUST NOT be considered to be an EF. The other, MAC-EF, allows one or more MACs to be encapsulated in an Extension Field. If all parties in an association support MAC-EF, the use of a legacy MAC may be avoided. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Stenn & Mayer Expires September 26, 2019 [Page 2] Internet-Draft NTP MAC/Last Extension Fields March 2019 2. The Last Extension Field Extension Field - LAST-EF Now that multiple extension fields are a possibility, additional packet data could be either an Extension Field or a legacy MAC. Having a means to indicate that there are no more Extension Fields in an NTP packet and any subsequent data MUST be something else, almost certainly a legacy MAC, is a valuable facility. The format of a LAST-EF is an Extension Field comprised of an identified Field Type and an appropriate Field Length. In the example below the Field Length in the LAST-EF is 4, because there is clearly no need in this case for the 28 octets required by RFC 7822 [RFC7822]. But the LAST-EF could have any supported length, as any payload is ignored. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | Field Type | Field Length | +-------------------------------+-------------------------------+ NTP Extension Field: Last Extension Field - LAST-EF Field Type: TBD (Recommendation for IANA: 0x0008 (Last Extension Field)) Field Length: 4 (minimum) Payload: Ignored if present - none needed. SHOULD be zeroes. Example: Stenn & Mayer Expires September 26, 2019 [Page 3] Internet-Draft NTP MAC/Last Extension Fields March 2019 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | Field Type (0x0008) | Field Length (0x0004) | +-------------------------------+-------------------------------+ | MAC Key ID | +-------------------------------+-------------------------------+ | Sixteen | +-------------------------------+-------------------------------+ | Octets | +-------------------------------+-------------------------------+ | of | +-------------------------------+-------------------------------+ | MAC | +-------------------------------+-------------------------------+ Example: NTP Extension Field: Last Extension Field, followed by a Legacy MAC 3. MAC Extension Field Now that multiple extension fields are a possibility, there is a chance that additional packet data could be either an Extension Field or a legacy MAC. There is benefit to encapsulating the MAC in an extension field. By encapsulating the MAC in an EF, we also have the option to include multiple MACs in a packet, which may be of use in broadcast scenarios, for example. There are two forms of this extension field. The first supports a single MAC, requiring 4 octets' overhead for the EF header. The second form supports one or more MACs in the EF payload, and requires at least 8 octets. The format of a MAC-EF is an Extension Field comprised of an identified Field Type and an appropriate Field Length. A Field Type value of TBD (0x0003 is suggested) identifies this extension field as a MAC Extension field for a single MAC. In this case, the payload consists of the four octet MAC Key ID followed by the MAC digest, and any desired (possibly random data) padding. A Field Type value of TBD (0x0103 is suggested) identifies this extension field as a MAC extension field for one or more MACs. In this case, the payload consists of an unsigned 16-bit MAC Count (N) followed by N unsigned 16-bit MAC length fields. If there are an even number of MACs specified there is an unused 16-bit field which SHOULD be 0x0000 at the end of the set of MAC length values so that the subsequent MAC data is longword (4-octet) aligned. Each MAC Stenn & Mayer Expires September 26, 2019 [Page 4] Internet-Draft NTP MAC/Last Extension Fields March 2019 SHALL be padded so that any subsequent MAC starts on a 4-octet boundary. Optional (possibly random data) padding is allowed. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | Field Type (0x0003) | Field Length | +-------------------------------+-------------------------------+ . MAC 1 Key ID . . +-+-+-+-+-+-+-+-+-+-+-+-. . MAC 1 Key Data | Random Data Padding . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ NTP Extension Field: MAC EF Format (Single MAC) Field Type: TBD (Recommendation for IANA: 0x0003 (MAC-EF: Single MAC)) Field Length: As needed. Payload: As described. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +---------------+---------------+-------------------------------+ | Field Type (0x0103) | Field Length | +-------------------------------+-------------------------------+ | MAC Count | MAC 1 Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | MAC 2 Length | MAC 3 Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . MAC 1 Key ID . . +-+-+-+-+-+-+-+-+-+-+-+-. . MAC 1 Key Data | Random Data Padding . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . MAC 2 Key ID . . +-+-+-+-+-+-+-+-+-+-+-+-+-. . MAC 2 Key Data | Random Data Padding . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . MAC 3 Key ID . . +-+-+-+-+-+-+-+-+-+-. . MAC 3 Key Data |Random Data Padding. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Padding (as needed) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ NTP Extension Field: MAC EF Format (1 or more MACs) Stenn & Mayer Expires September 26, 2019 [Page 5] Internet-Draft NTP MAC/Last Extension Fields March 2019 Field Type: TBD (Recommendation for IANA: 0x0103 (MAC-EF: 1 or more MACs)) Field Length: As needed. Payload: As described. A MAC consisting of 4 octets of zeros means the MAC is a crypto-NAK, as defined by RFC5905 [RFC5905]. Additional MACs SHOULD NOT be present if there is a crypto-NAK present in the packet. Each MAC within the extension field consists of a 32-bit key identifier which SHOULD be unique to the set of key identifiers in this MAC extension field followed by ((MAC Length) - 4) octets of data, optionally followed by random octets to pad the key data to the length specified earlier in the extension field. That key identifier is a shared secret which defines the algorithm to be used and a cookie or secret to be used in generating the digest. The MAC digest is produced by hashing the data from the beginning of the NTP packet up to but not including the start of the MAC extension field. The calculation of the digest SHOULD be a hash of this data concatenated with the 32-bit keyid (in network-order), and the key. When sending or receiving a key identifier each side needs to agree on the key identifier, algorithm and the cookie or secret used to produce the digest along with the digest lengths. Note that the sender may send more bytes than are required by the digest algorithm. This would be done to make it more difficult for a casual observer to identify the algorithm being used based on the length of the data. The digest data begins immediately after the key ID, and any padding octets SHOULD be random. 4. Acknowledgements MAC-EF: The authors gratefully acknowledge Dave Mills for his insightful comments. Hal Murray asked if there was a way for the MAC-EF to require only 4 octets of overhead if there was only a single MAC in the payload. 5. IANA Considerations This memo requests IANA to allocate NTP Extension Field Types: 0x0003 MAC-EF (Single MAC) 0x0103 MAC-EF (1 or more MACs) Stenn & Mayer Expires September 26, 2019 [Page 6] Internet-Draft NTP MAC/Last Extension Fields March 2019 0x0008 LAST-EF 6. Security Considerations The security considerations of time protocols in general are discussed in RFC7384 [RFC7384], and the security considerations of NTP are discussed in RFC5905 [RFC5905]. Digests MD5, DES and SHA-1 are considered compromised and should not be used [COMP]. [DISCUSS] Each MAC length should be at least 20 octets long to allow for 4 octets of key ID and at least 16 octets of digest and random padding. For a 128-bit digest, there would be 4 octets of key ID, 16 octets of digest, plus any desired octets of random padding. For SHA-256 digests there are 4 octets of key ID, 32 octets digest, plus any desired octets of random padding. Using MAC lengths that include random padding may make it more difficult for an attacker to know which digest algorithms are used. 7. Normative References [RFC1305] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation and Analysis", RFC 1305, DOI 10.17487/RFC1305, March 1992, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, . [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, October 2014, . [RFC7822] Mizrahi, T. and D. Mayer, "Network Time Protocol Version 4 (NTPv4) Extension Fields", RFC 7822, DOI 10.17487/RFC7822, March 2016, . Stenn & Mayer Expires September 26, 2019 [Page 7] Internet-Draft NTP MAC/Last Extension Fields March 2019 Authors' Addresses Harlan Stenn Network Time Foundation P.O. Box 918 Talent, OR 97540 US Email: stenn@nwtime.org Danny Mayer Network Time Foundation P.O. Box 918 Talent, OR 97540 US Email: mayer@ntp.org Stenn & Mayer Expires September 26, 2019 [Page 8]