Changes in draft-12

[Marcus Dansarie]

Hi all,

Roughtime draft-12 (https://www.ietf.org/archive/id/draft-ietf-ntp-roughtime-12.html) was published in the beginning of December, with the aim of resolving the issues we found during the hackathon. Although we had hoped to avoid making more breaking changes to the protocol, this turned out to be unavoidable. Yesterday, I updated my two implementations (Pyroughtime and Roughtimed) to support draft-12.

To help anyone else working on updating their implementation, I compiled this list of necessary changes to the line protocol from draft-11:

Draft version number changed to 0x8000000c

We have received requests not to change the draft version numbers unless we make changes to the line protocol. However, since we made breaking changes in this update, we had to bump the version number.

Sorted values in VER tag

In requests, the version numbers in the VER tag now have to be sorted in ascending numerical order.

VER tag moved inside SREP

During the hackathon, we realized that the protocol is vulnerable to version downgrade attacks. Moving the VER tag inside SREP ensures that it is authenticated.

VERS tag introduced

The VERS tag has been added to SREP. It provides clients with an authenticated list of versions supported by the server, making version downgrade attacks where the attacker selectively drops packets with certain versions detectable by the client.

Maximum PATH length introduced

The length of PATH is not limited to 32. This has no effect in practice (unless someone is signing 2^32 responses at once) and serves to simplify implementations.

Minimum RADI reduced to one

The minimum value of RADI is now one second. Some guidance on increasing the value around leap seconds has been added.

Changed delegation signature context string

During the Hackathon, we discovered that the two dashes at the end of the delegation signature context string had been removed and then added again by mistake in a subsequent draft. Since we are already making breaking changes in this update, we decided to fix this at the same time. The dashes have once again been removed from the delegation signature context string.

Hash over the entire request packet used in Merkle tree

As another mitigation against version downgrade attacks, the hash value of the entire request packet, including the ROUGHTIM header, is used for building the Merkle tree (instead of the NONC value). This means that any changes to the request packet will cause the client's verification of the response to fail.

Draft-12 also contains specification of the JSON formats for server list and malfeasance reporting (sections 8.3 and 8.4). We are very interested in comments from implementers on these formats.

Finally, another issue raised during the hackathon was that no server implementations appear to be greasing their responses. Advice on grease has been expanded somewhat in draft-12. I will try to do my part and implement greasing in Roughtimed.

As always, any comments are more than welcome.

Kind regards,

Marcus