[Git][NTPsec/ntpsec][master] docs: Gut mode 6 authentication section.

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Tue Nov 21 07:46:28 UTC 2023



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
09e90f39 by James Browning at 2023-11-20T17:20:41-08:00
docs: Gut mode 6 authentication section.

- - - - -


1 changed file:

- docs/mode6.adoc


Changes:

=====================================
docs/mode6.adoc
=====================================
@@ -89,7 +89,7 @@ mode 6:
 |=====================================================================
 
 Requests to ntpd are single UDP packets; ntpd expects them to be
-padded to a 4-octet boundary.  Responses may be multiple UDP packets;
+padded to a 8-octet boundary.  Responses may be multiple UDP packets;
 they may arrive out of order, and the client is responsible for
 reassembling the payloads.
 
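Review bot: the changed line reads "padded to a 8-octet boundary", which should be "an 8-octet boundary", and the move from 4 to 8 octets for all requests is not mentioned in the commit subject, which only covers the authentication section. The [[auth]] section states the 8-octet rule for authenticated requests specifically; if unauthenticated requests are also expected on an 8-octet boundary, say so in the commit message, otherwise this sentence should distinguish the two cases.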
@@ -513,27 +513,17 @@ on that.
 [[auth]]
 == Authentication
 
-Authenticated requests require a MAC (message authentication code)
-trailer following the payload data, if any. Such requests must be
-padded to an 8-octet boundary, with those bytes not included in the
-header count field.
+Authenticated requests require a link:authentic.html#mac[MAC]
+(message authentication code) trailer following the payload data, if
+any. Pad Such requests to an 8-octet boundary, with those bytes not
+included in the header count field.
 
-The contents of the MAC trailer consists of:
+Ordinary requests with MACs will not receive a MAC with the
+response packet.
 
-1. The 32-bit identifier of the signing key in network byte order.
-
-2a. In digest mode, a cryptographic hash of the following octet spans,
-in order. First, the password entered to use the signing key, then the
-request header fields, then the payload.
-
-2b. In CMAC mode, a cryptographic hash of the packet header and
-payload with the crypto algorithim using the key.
-
-The cryptographic hash is 16 octets for MD5 ir AES-CMAC and AES and 20
-octets for SHA-1.  Longer digests are truncated.
-
-The key length for AES is 16 bytes.  Longer keys are truncated.  Shorter
-keys are padded with 0s.  MD5 and SHA-1 can use any key length.
+MD5 and SHA-1 are primarily available for legacy support.
+MD5 is deprecated by RFC 8573 and not usable for MACs on FIPS 140-2
+compliant systems.
 
 == Compatibility Notes
 
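Review bot: the added line "any. Pad Such requests to an 8-octet boundary, with those bytes not" has a stray capital in "Such", and the hunk drops the whole description of the MAC trailer (key identifier in network byte order, what is hashed in digest and CMAC mode, digest and key lengths) in favour of link:authentic.html#mac. Please confirm the linked section carries those wire-format details for mode 6, or keep a short summary of the trailer layout here so a client implementer can still build a valid authenticated request from this page. The new sentence "Ordinary requests with MACs will not receive a MAC with the response packet" also leaves "ordinary" undefined; name the exception or drop the qualifier.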



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/09e90f39f0f535683451aa27cb48c986b487ee3f
