[Git][NTPsec/ntpsec][master] Following Hal Murray's interop report, we now document NTS as implemented.

Eric S. Raymond gitlab at mg.gitlab.com
Fri Mar 1 19:34:13 UTC 2019


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
92a7344e by Eric S. Raymond at 2019-03-01T19:33:21Z
Following Hal Murray's interop report, we now document NTS as implemented.

- - - - -


2 changed files:

- docs/ntpsec.adoc
- docs/standards.adoc


Changes:

=====================================
docs/ntpsec.adoc
=====================================
@@ -36,8 +36,11 @@ We retain, however, almost full compatibility and interoperation with
 NTP Classic.  The qualification "almost" is required mainly because we
 do not support the Autokey (RFC 5906) public-key encryption scheme. It
 had interoperability and exploitable vulnerability issues too severe
-to be patched.  We are participating in an IETF's Network Time
-Security effort to develop better security features.
+to be patched.  We have also dropped broadcast and anycast modes
+because they cannot be secured.
+
+A major new feature is that we implement IETF's Network Time Security
+standard for strong cryptographic authentication of time service.
 
 This project began as an effort to address serious security issues
 with NTP Classic, and we intend to keep a particularly strong focus on
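Review bot: the added line `+A major new feature is that we implement IETF's Network Time Security` presents NTS as a finished IETF standard, but the docs/standards.adoc hunk in this same commit says NTS does not yet have a final RFC and that the implementation follows draft 15; suggest wording it as "the IETF's Network Time Security draft standard" or linking to the Standards Conformance page where the draft version is stated, so the two pages agree. Also "IETF's" wants the article ("the IETF's"); the removed line had the same slip with "an IETF's".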
@@ -104,6 +107,9 @@ surface and hardening code.  In toto, more than 74% of the NTP Classic
 codebase has been outright removed, with less than 5% new code added
 to the security-critical core.
 
+* Network Time Security is implemented. See our page on
+  link:standards.html[Standards Conformance]
+
 * NTPsec conforms to the
   https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/[NTP
   Client Data Minimization] draft RFC, which changes the client-side
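Review bot: the new bullet stops without a period after `link:standards.html[Standards Conformance]`, unlike the surrounding bullets; add one. Consider also saying here which draft version is implemented (standards.adoc in this commit names draft 15), since "is implemented" on its own reads as conformance to a finished specification.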
@@ -116,7 +122,7 @@ to the security-critical core.
 * Autokey is not supported; that code has been
   removed, as it was chronically prone to security vulnerabilities.
 
-* peer mode has been removed.  The keyword peer in ntp.conf is now
+* Peer mode has been removed.  The keyword peer in ntp.conf is now
   just an alias for keyword server.
 
 * Broadcast- and multicast modes, which are impossible to
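Review bot: the unchanged context line `* Broadcast- and multicast modes, which are impossible to` names broadcast and multicast, whereas the first hunk's new text says "dropped broadcast and anycast modes"; one of the two is likely a slip (anycast vs. multicast), and the overview paragraph and this bullet should list the same modes. The "Peer mode" capitalization fix is consistent with the other bullets.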


=====================================
docs/standards.adoc
=====================================
@@ -34,6 +34,11 @@ https://tools.ietf.org/rfc/rfc5297.txt[RFC 5297] describes the
 authenticated encryption used in Network Time Security
 key exchanges.
 
+Network Time Security does not yet have a final fully accepted RFC. The
+NTPsec implementation is based on the
+https://tools.ietf.org/html/draft-ietf-ntp-network-time-security-15[version
+15 draft].
+
 [[against5905]]
 == Divergences from RFC 5905
 
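Review bot: "does not yet have a final fully accepted RFC" is redundant; suggest "has not yet been published as an RFC". Since the link pins draft version 15 and the commit message cites Hal Murray's interop report, it would help to state that interoperation was checked against that draft version and that this line must be updated whenever the implementation moves to a newer draft, so readers comparing implementations know which revision they are looking at.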
@@ -65,8 +70,8 @@ and somewhat incomplete relative to the code.
 
 In the table of KISS codes (Figure 13), only RATE still exists and is
 implemented in NTPsec; others proved unnecessary or (in the cases of
-DENY and RSTR) outright dangerous. INIT and STEP are no longer KoD types
-but persist as peer statuses that may be reported by
+DENY and RSTR) outright dangerous. INIT and STEP are no longer KoD
+types but persist as peer statuses that may be reported by
 {ntpqman}/{ntpmon}.  NTPsec has additional codes DNS and NTS for
 preparatory phases in association setup.
 



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/92a7344e78c5bcd27d921f427f3db8a1d73db136
