Hash function support, MD5 / SHA256, strawman proposal

Mark Atwood fallenpegasus at gmail.com
Sat Jan 28 00:54:35 UTC 2017


I think what we will do is implement the new "legacy" auth protocol as soon
as Daniel feels comfortable with it, and implement the new new secure time
protocol, again, as soon as Daniel feels comfortable and then delivers
the code.

Dropping support for the legacy legacy MD5 method is not on our roadmap.
Most likely what we will do is
- make the newer protocols the default
- then later, emit warning messages when MD5 is selected
- then later, make it a --enable-foo compile option

But it will take years.  About the fastest possible path would be a year
for each of those steps.

..m

On Fri, Jan 27, 2017 at 3:26 PM Kurt Roeckx <kurt at roeckx.be> wrote:

> On Fri, Jan 27, 2017 at 03:00:42PM -0800, Hal Murray wrote:
> >
> > fallenpegasus at gmail.com said:
> > > How hard would the following be?
> > > Just go ahead and add SHA256 to NTPsec, then write an I-D modifying the
> > > NTP4 protocol documenting it, then write a patch to NTP classic for it.
> > > (yes, I know, icky code)
> >
> > I think you are overlooking how long it takes to update the installed base.
>
> Just to compare this with SSL/TLS. SSLv3 has existed since 1996. There
> are still webservers on the internet that only speak SSLv2 in the top
> 1 million sites. So if you really care that you can still talk to
> all servers, you would need to support things for over 20 years.
>
> But at a certain point we're willing to break things. No modern
> web browser will talk to those servers. And if they want you to
> talk to them, they'll just have to upgrade. And the question
> really becomes how much you're willing to break. And it seems that
> most people don't care about 0.1%.
>
> > CentOS 6.8 and NetBSD 6.1.5 are still shipping ntp 4.2.6p5
> > (I assume they have back ported all the important security patches.)
> > 4.2.8 was released at the end of 2014
>
> I think Red Hat supports their release for 10 years, so you'll
> probably still get near 10 years that you might see 4.2.6 servers.
>
>
> Kurt
>
>