Re: [Ntp] An NTPv5 design sketch
Miroslav Lichvar <mlichvar@redhat.com> Wed, 15 April 2020 07:20 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69A453A103B for <ntp@ietfa.amsl.com>; Wed, 15 Apr 2020 00:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.268
X-Spam-Level:
X-Spam-Status: No, score=-2.268 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ROvmBpzTMG9r for <ntp@ietfa.amsl.com>; Wed, 15 Apr 2020 00:20:29 -0700 (PDT)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76D23A1062 for <ntp@ietf.org>; Wed, 15 Apr 2020 00:20:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1586935228; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=wNBelUwLRDiDTrVnCGrWBN7Ps6MMd1bAkpKZTemxHxU=; b=LwE/jap3UWTUnV8riqTeQAnsCTnpX4SXy2gy/NTp9XmMZqcud8aqq+4DujBQsi1Mrr7txd CaHRQL75JdPebJVuxdqAacwVnT06JCppSOnc1TuKXgeD1UPrmTQQ2OveEgXh/P6QZt1GAs /4Ee9K2nZsoy2FBS24gq+DpjgmSDIUM=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-423-hg0L6OaoObONJUWiTsTd8A-1; Wed, 15 Apr 2020 03:20:26 -0400
X-MC-Unique: hg0L6OaoObONJUWiTsTd8A-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BD38B149C1; Wed, 15 Apr 2020 07:20:25 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 15A0D5C1C5; Wed, 15 Apr 2020 07:20:24 +0000 (UTC)
Date: Wed, 15 Apr 2020 09:20:23 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <20200415072023.GG1945@localhost>
References: <CAJm83bBV+Pox3r6KU49ShwMOvr=R+U_vDKJtSZhfT6XX4qWmbA@mail.gmail.com> <20200414112541.GD1945@localhost> <CAJm83bCxuS_X68-pvpOWCPSmjAjTeYNJVuuOEhV-i82R7B28Mg@mail.gmail.com> <20200414155241.GF1945@localhost> <CAJm83bC1EhwQQ=+B7XPbEkvhOWvxU8zjCd290Fj5N43aMJQTkg@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAJm83bC1EhwQQ=+B7XPbEkvhOWvxU8zjCd290Fj5N43aMJQTkg@mail.gmail.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1elLdiRX5jYM6tSrsHVScHUv9Nc>
Subject: Re: [Ntp] An NTPv5 design sketch
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 07:20:31 -0000
On Tue, Apr 14, 2020 at 12:29:57PM -0400, Daniel Franke wrote: > On Tue, Apr 14, 2020 at 11:52 AM Miroslav Lichvar <mlichvar@redhat.com> wrote: > > Even if not, the new features of NTPv5 may be useful to clients that cannot or won't support TLS. > > If you can point to some real-world examples of systems that can't > make due with SNTP and can't spare 20k for a TLS stack, then you'll > change my mind. It's not just about sparing 20k for a TLS stack. That code will likely need to be updated to fix security issues. Crypto is hard. NTS requires other things that were not needed with plain NTP. It needs a full TCP stack and AES-SIV-CMAC. It needs certificates, NTS-KE servers and some naming for the servers (e.g. DNS). It needs a much more powerful CPU to be able to perform a TLS handshake in reasonable time and processing of NTP packets is orders of magnitude slower even with a hardware AES support. There is also the requirement on having a rough idea of current time in order to validate the certificates. For people who need to synchronize computers in an isolated network it is a lot of extra work. SNTP or NTPv4 may not be good enough for accuracy (unless they support correction fields). There are other authentication mechanisms with different tradeoffs that people might want to use. I don't see a single reason why NTS should be a requirement of NTPv5. It would help if you could explain why do you think it should. -- Miroslav Lichvar
- [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] [EXT] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Dieter Sibold
- Re: [Ntp] [EXT] An NTPv5 design sketch Dieter Sibold
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Doug Arnold
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch James
- Re: [Ntp] An NTPv5 design sketch Daniel Franke
- Re: [Ntp] An NTPv5 design sketch James
- Re: [Ntp] An NTPv5 design sketch Doug Arnold
- [Ntp] Antw: [EXT] Re: An NTPv5 design sketch Ulrich Windl
- Re: [Ntp] An NTPv5 design sketch Miroslav Lichvar
- Re: [Ntp] An NTPv5 design sketch Doug Arnold
- [Ntp] Antwort: Re: An NTPv5 design sketch< kristof.teichel
- Re: [Ntp] An NTPv5 design sketch Salz, Rich
- Re: [Ntp] An NTPv5 design sketch Kyle Rose
- [Ntp] Antw: [EXT] Re: An NTPv5 design sketch Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: An NTPv5 design sketch Doug Arnold
- [Ntp] Antw: Re: Antw: [EXT] Re: An NTPv5 design s… Ulrich Windl
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: An NTPv5 desi… Miroslav Lichvar