Re: Big picture half-baked thoughts

[countkase--- via devel]

Hal Murray wrote:
> What's the right way to think about how security fits into our priorities? 
> How should we use that to prioritize our work?

Security *should* be the top priority, and it should have a 
significant influence on the schedule. I, however, don't bucket sort it 
that way.

> Should we split this discussion into NTP and TLS/KE?

We should split the conversation roughly that way, as TLS is not 
our area.

> Eric wants to convert our current codebase to Go.  In terms of security, how
> does that compare with getting our code running on Windows?  How do we think
> about that sort of trade-off?

 Windows deployments would likely not go beyond enthusiasts 
anytime soon if we pulled the code out of mothballs. Fleet 
deployments would have to go past management which would likely 
quash it.

IIRC the intention was to port it away from C. Go was just 
the best candidate at the time. Porting to Go would be 
mildly problematic; TLS1.3 support was absent last I checked, as 
was packet time-stamping.

My strawmen are that instead of doing a straight port to Go. We
should port NTPsec in interface-compatible pieces. 
Initially running in the same process, they could later be 
separated into different processes which communicate.

Each section would have the basics, IPC, statistics, and the 
following.
- the client core would need to run loopy math.
- the clock adjuster would need access to the clock.
- the server(s) would need packet time-stamping and, if without 
  port forwarding access to port 123.
- reference clocks would only need their specific hardware 
  interface.
- remote clocks would need packet time-stamping and high ports.

If one were ambitious, they could tie into something like a 
not-bad botnet and be deployed that way.

> There is another feature we need.  The current code wakes up every second. 
> That's evil if you want to save battery power.   How important are laptops?

We should rewrite ntpd/ntp_timer:timer() to sleep until there 
is something to do rather than waking every second and checking 
the boredom.

I think systemd-timesyncd and chrony probably have the laptop 
niche cornered at the moment. The correct channel to ask for 
its' relevance would probably be statistics from downstream or 
the (undead) ntpsec-users list.

> I think we need a script to tell somebody which root CA a site is using.

That sounds like a job for OpenSSL.
___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel

Big picture half-baked thoughts

[Hal Murray via devel]

What's the right way to think about how security fits into our priorities?  
How should we use that to prioritize our work?

Should we split this discussion into NTP and TLS/KE?


Eric wants to convert our current code base to Go.  In terms of security, how 
does that compare with getting our code running on Windows?  How do we think 
about that sort of trade off?

There is another feature we need.  The current code wakes up every second.  
That's evil if you want to save battery power.   How important are laptops?


Our code doesn't do OCSP.  How important is that?  Alternatives?
[One example I looked at cached the answer for a week.  How does that fit into 
security?]

One of the attack modes with TLS is that one of the CAs on a distro's root 
cert list gets compromised, either due to company incompetence or state level 
arm twisting.  How important is it to restrict the root CAs?  Do we need 
features/code on the NTP package for that?  [We have a ca option on the server 
command.  I think we need a script to tell somebody which root CA a site is 
using.]



-- 
These are my opinions.  I hate spam.



___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel