Re: [chrony-users] RE: Can we deny non-NTS client?



On Wed, Jan 11, 2023 at 02:31:11AM +0000, Akihiko.Izumi@xxxxxxxx wrote:
> Thank you for clarifying my question. I learned a lot.
> 
> > it would not be sent as there is an additional check made before transmission comparing the length of the request and response.
> 
> What comparison is done between the length of the request and response?

The response is sent only if it's not longer than the request. In the
source code it's in the transmit_packet() function in ntp_core.c:

  if (request_info && request_info->length < info.length) {
    DEBUG_LOG("Response longer than request req_len=%d res_len=%d",
              request_info->length, info.length);
    return 0;
  }


> > If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with NTS NAK to indicate the client it has expired cookies.
> 
> I understand.
> I think sending NTS NAK is necessary for mis-authenticated NTP packets, but not necessary for plain NTP packets.
> Is my understanding correct?

Right. NTS NAK is sent only if the request contains the NTS-specific
extension fields and the authenticator is not valid (most likely due
to the client using an old cookie, which the server can no longer
decrypt).

> 
> I have another question.
> RFC8915 describes "8.7. NTS Stripping". Isn't it applicable to Chrony?

chronyd as an NTP client configured with the "nts" option ignores
unauthenticated responses. An NTS NAK is accepted only if no valid
authenticated response is received in the polling interval, i.e. an
off-path attacker cannot trigger a new NTS-KE session unless there is
a packet loss between the server and client, or the server cannot
respond to all requests (e.g. due to rate limiting).

-- 
Miroslav Lichvar
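The server-side rules described in the reply above (a plain NTP request is answered without a NAK, an NTS NAK is sent only when the request carries NTS extension fields and the authenticator fails, and the transmit_packet() check drops any reply longer than the request) and the client-side rule (a NAK matters only if no valid authenticated reply arrived in the polling interval), as an added toy model in Python. This is example code written for this page, not chrony's source: it assumes a made-up cookie format (4-byte key id plus the c2s key masked with a keyed hash), truncated HMAC-SHA256 in place of the NTS AEAD, fresh cookies returned in plaintext NTS Cookie fields rather than inside the encrypted authenticator field, the same key in both directions, and invented names (NtsServer, client_request, client_needs_new_nts_ke). The scenarios at the bottom are constructed.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
# RFC 8915 extension field types: Unique Identifier, NTS Cookie, Cookie Placeholder, Authenticator
EF_UID, EF_COOKIE, EF_PLACEHOLDER, EF_AUTH = 0x0104, 0x0204, 0x0304, 0x0404
NTS_NAK = b"NTSN"  # Kiss-o'-Death reference ID for an NTS NAK (RFC 8915 section 5.7)

def build_packet(header, efs):
    """Header followed by (type, value) extension fields, values padded to 4 bytes."""
    out = bytearray(header)
    for ef_type, value in efs:
        value += b"\x00" * (-len(value) % 4)
        out += struct.pack("!HH", ef_type, 4 + len(value)) + value
    return bytes(out)

def parse_efs(pkt):
    """Return [(type, value, offset)] for the extension fields after the 48-byte header."""
    efs, pos = [], NTP_HEADER_LEN
    while pos + 4 <= len(pkt):
        ef_type, ef_len = struct.unpack("!HH", pkt[pos:pos + 4])
        if ef_len < 4 or ef_len % 4 or pos + ef_len > len(pkt):
            raise ValueError("malformed extension field")
        efs.append((ef_type, pkt[pos + 4:pos + ef_len], pos))
        pos += ef_len
    return efs

def mac(key, data):
    """Toy stand-in (assumption) for the NTS AEAD: truncated HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def client_request(uid, cookie, c2s, placeholders=()):
    """NTS-protected client packet: UID, cookie, optional placeholders, then the authenticator."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = 0x23  # LI=0, VN=4, mode=3 (client)
    efs = [(EF_UID, uid), (EF_COOKIE, cookie)] + [(EF_PLACEHOLDER, p) for p in placeholders]
    body = build_packet(header, efs)
    return body + build_packet(b"", [(EF_AUTH, mac(c2s, body))])

class NtsServer:
    """Server-side decisions from the mail; the cookie format is made up for this example."""

    def __init__(self, master_keys):
        self.master_keys = dict(master_keys)  # key id -> master key; rotated-out ids are gone

    def _mask(self, key_id):
        return mac(self.master_keys[key_id], b"cookie%d" % key_id)

    def make_cookie(self, c2s):
        key_id = max(self.master_keys)
        return struct.pack("!I", key_id) + bytes(a ^ b for a, b in zip(c2s, self._mask(key_id)))

    def open_cookie(self, cookie):
        key_id = struct.unpack("!I", cookie[:4])[0] if len(cookie) >= 4 else None
        if key_id not in self.master_keys:
            return None  # old cookie: its key is gone, so the server can no longer decrypt it
        return bytes(a ^ b for a, b in zip(cookie[4:], self._mask(key_id)))

    def handle(self, req):
        """Return (response or None, what happened)."""
        efs = parse_efs(req)
        by_type = {t: v for t, v, _ in efs}
        header = bytearray(NTP_HEADER_LEN)
        header[0] = 0x24  # LI=0, VN=4, mode=4 (server)
        if EF_AUTH not in by_type:
            resp, kind = bytes(header), "plain"  # plain NTP is answered; never a NAK for it
        else:
            auth_off = next(off for t, _, off in efs if t == EF_AUTH)
            c2s = self.open_cookie(by_type.get(EF_COOKIE, b""))
            ok = c2s is not None and hmac.compare_digest(
                mac(c2s, req[:auth_off]), by_type[EF_AUTH][:16])
            if not ok:
                header[12:16] = NTS_NAK  # stratum 0 Kiss-o'-Death with reference ID "NTSN"
                resp, kind = build_packet(header, [(EF_UID, by_type.get(EF_UID, b""))]), "nak"
            else:
                header[1] = 2  # stratum
                # one fresh cookie per cookie/placeholder field; sent in the clear only in this toy
                fresh = [(EF_COOKIE, self.make_cookie(c2s))
                         for t, _, _ in efs if t in (EF_COOKIE, EF_PLACEHOLDER)]
                body = build_packet(header, [(EF_UID, by_type.get(EF_UID, b""))] + fresh)
                resp, kind = body + build_packet(b"", [(EF_AUTH, mac(c2s, body))]), "authenticated"
        # The transmit_packet() rule quoted in the mail: a reply longer than the request is not sent
        if len(resp) > len(req):
            return None, "dropped: response longer than request"
        return resp, kind

def client_needs_new_nts_ke(replies):
    """chronyd client with 'nts': plain replies are ignored, and a NAK starts a new NTS-KE
    session only if no valid authenticated reply arrived in the same polling interval."""
    kinds = [kind for _, kind in replies]
    return "nak" in kinds and "authenticated" not in kinds

if __name__ == "__main__":  # constructed scenario: a stale cookie under rotated-out key id 1
    server, c2s, uid = NtsServer({2: b"K2" * 8}), bytes(range(16)), b"u" * 16
    for cookie in (server.make_cookie(c2s), bytes([0, 0, 0, 1]) + b"\x11" * 16):
        resp, kind = server.handle(client_request(uid, cookie, c2s))
        print(kind, len(resp) if resp else None)
```

A request with a cookie placeholder shorter than a real cookie is the case where the length guard fires: the reply would carry a full-size fresh cookie for each placeholder, grow past the request, and be dropped instead of sent, which is what stops a spoofed source address from being used for amplification.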

