Re: [chrony-users] RE: Can we deny non-NTS client?

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Wed, 11 Jan 2023 10:53:53 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1673430836; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=qCsG7A6xslGTKS6X2FJh3MEL7eG0vA2Do/4vhbqMF1o=; b=YNWDM9S/8BPBJBW0ZDGNWPvT2foUfPYaWB60lePZ3TUhdHRos4agGTlXf5BMzu3ORTJGda Wr62q3xULI0F5SFJVsYmD1IEnELNSW0UNdojtHut8oQ+BGHpPtxXybsDAfP13pjhoHp/2H AjTuYecqw1yelxqXKjrlMLMVvK4NX3k=

On Wed, Jan 11, 2023 at 02:31:11AM +0000, Akihiko.Izumi@xxxxxxxx wrote:
> Thank you for clarifying my question. I learned a lot.
> 
> > it would not be sent as there is an additional check made before transmission comparing the length of the request and response.
> 
> What comparison is done between the length of the request and response?

The response is sent only if it's not longer than the request. In the
source code it's in the transmit_packet() function in ntp_core.c:

  if (request_info && request_info->length < info.length) {
    DEBUG_LOG("Response longer than request req_len=%d res_len=%d",
              request_info->length, info.length);
    return 0;
  }


> > If the NTP server didn't respond to unauthenticated NTP requests, it couldn't respond with NTS NAK to indicate the client it has expired cookies.
> 
> I understand.
> I think sending NTS NAK is necessary for mis-authenticated NTP packets, but not necessary for plain NTP packets.
> Is my understanding correct?

Right. NTS NAK is sent only if the request contains the NTS-specific
extension fields and the authenticator is not valid (most likely due
to the client using an old cookie, which the server can no longer
decrypt).
> 
> I have another question.
> RFC8915 describes "8.7. NTS Stripping". Isn't is applicable to Chrony?

chronyd as an NTP client configured with the "nts" option ignores
unauthenticated responses. An NTS NAK is accepted only if no valid
authenticated response is received in the polling interval, i.e. an
off-path attacker cannot trigger a new NTS-KE session unless there is
a packet loss between the server and client, or the server cannot
respond to all requests (e.g. due to rate limiting).

-- 
Miroslav Lichvar


-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Follow-Ups:
- RE: [chrony-users] RE: Can we deny non-NTS client?
  - From: Akihiko.Izumi@xxxxxxxx

References:
- Re: [chrony-users] RE: Can we deny non-NTS client?
  - From: Miroslav Lichvar
- RE: [chrony-users] RE: Can we deny non-NTS client?
  - From: Akihiko.Izumi@xxxxxxxx
- RE: [chrony-users] RE: Can we deny non-NTS client?
  - From: Akihiko.Izumi@xxxxxxxx

Messages sorted by: [ date | thread ]
Prev by Date: RE: [chrony-users] RE: Can we deny non-NTS client?
Next by Date: Re: [chrony-users] RE: Chrony is making NTP Server offline on the system boot
Previous by thread: RE: [chrony-users] RE: Can we deny non-NTS client?
Next by thread: RE: [chrony-users] RE: Can we deny non-NTS client?

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/