On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
> What is the issue with using untrusted DNS servers here? An NTS client
> is supposed to verify the certificates. Local MITM attackers shouldn't
> be able to force the client to synchronize to a different NTP server.
> (Of course, they can always disable the synchronization.)
>
I'm not saying there is necessarily an issue, just a logical inconsistency.
If the DNS servers provided by DHCP are trusted, why would any plain NTP
servers also provided by DHCP not be trusted? I can do nefarious things with
either.
I think it depends on the network. Is it yours or is it a random hotspot?
In general neither should be trusted, but most applications don't rely
on DNS being secure, so using random untrusted DNS servers from DHCP
is usually not a major issue. I'm ignoring privacy issues.
Generally speaking, on a network I admin, if I've configured DHCP
to provide
things like NTP and DNS servers, it's because I intend client devices to use
those things. While some devices choose to ignore DHCP provided DNS (and
NTP), I can still reroute those requests at the edge router. Is that also
possible with NTS? Even if it gets rerouted to a plain NTP server?
No, an NTS-enabled client cannot be redirected to a different server
(using a different certificate or NTS keys). That would be a security
issue. It's similar to DNS over HTTPS.
I feel like if this is on by default we're basically saying
nobody trusts
any provided NTP server unless it supports NTS. If that's the case, do away
with the 'trusted network' verbiage and just say that only NTS servers
provided over DHCP will be used.
The NTP option in DHCP doesn't provide the client with a name of the
server (at least in IPv4), so it couldn't try NTS even if it wanted.
Additionally, what about the no-internet case? Will a local, non-NTS
NTP
server be acceptable in that case? I feel like that would be handled by the
change to PEERNTP you mention above. But then can't attackers "disable the
synchronization" as you mention above, essentially forcing us back to no
additional security?
I think the installer could verify that NTS works (which implies
working Internet connection) and if not, it would leave PEERNTP
enabled.
> It would still work, even if we didn't use it by default.
The name is
> just an alias for
pool.ntp.org. The servers used in the current
> default configuration are not run by Fedora.
>
Does the alias provide no additional functionality? Does it help with an
estimate of running Fedora machines in the wild?
The alias is a "vendor" zone to give the pool admins some control in
case our NTP clients create too much traffic and need to be stopped.
I think the admins have some statistics on DNS traffic in specific
zones, but I'm not privy to the data.
Will there be some kind of 'canary domain' like there is for
DoH
(use-application-dns.net)?
I don't think I saw any suggestions for implementing that.
Again from a network admin standpoint, if I
provide a local NTP server without NTS, I want an easy way to tell the
devices I manage to use it.
The PEERNTP option will still work. It may just have a different
default and/or have a new setting.
--
Miroslav Lichvar