Re: [Ntp] An NTPv5 design sketch

Miroslav Lichvar <mlichvar@redhat.com> Wed, 15 April 2020 07:20 UTC

Date: Wed, 15 Apr 2020 09:20:23 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <20200415072023.GG1945@localhost>
References: <CAJm83bBV+Pox3r6KU49ShwMOvr=R+U_vDKJtSZhfT6XX4qWmbA@mail.gmail.com> <20200414112541.GD1945@localhost> <CAJm83bCxuS_X68-pvpOWCPSmjAjTeYNJVuuOEhV-i82R7B28Mg@mail.gmail.com> <20200414155241.GF1945@localhost> <CAJm83bC1EhwQQ=+B7XPbEkvhOWvxU8zjCd290Fj5N43aMJQTkg@mail.gmail.com>
In-Reply-To: <CAJm83bC1EhwQQ=+B7XPbEkvhOWvxU8zjCd290Fj5N43aMJQTkg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1elLdiRX5jYM6tSrsHVScHUv9Nc>
Subject: Re: [Ntp] An NTPv5 design sketch

On Tue, Apr 14, 2020 at 12:29:57PM -0400, Daniel Franke wrote:
> On Tue, Apr 14, 2020 at 11:52 AM Miroslav Lichvar <mlichvar@redhat.com> wrote:
> > Even if not, the new features of NTPv5 may be useful to clients that cannot or won't support TLS.
> 
> If you can point to some real-world examples of systems that can't
> make do with SNTP and can't spare 20k for a TLS stack, then you'll
> change my mind.

It's not just about sparing 20k for a TLS stack. That code will likely
need to be updated to fix security issues. Crypto is hard. NTS
requires other things that were not needed with plain NTP. It needs a
full TCP stack and AES-SIV-CMAC. It needs certificates, NTS-KE servers
and some naming for the servers (e.g. DNS). It needs a much more
powerful CPU to be able to perform a TLS handshake in reasonable time
and processing of NTP packets is orders of magnitude slower even with
hardware AES support. There is also the requirement of having a
rough idea of the current time in order to validate the certificates.

For people who need to synchronize computers in an isolated network it
is a lot of extra work. SNTP or NTPv4 may not be good enough for
accuracy (unless they support correction fields).

There are other authentication mechanisms with different tradeoffs
that people might want to use.

I don't see a single reason why NTS should be a requirement of NTPv5.
It would help if you could explain why you think it should.

-- 
Miroslav Lichvar
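The last requirement in the message above, that an NTS client needs a rough idea of the current time before it can validate the NTS-KE server's certificate, is easy to demonstrate with the standard library. What follows is an added example, not part of the original mail and not code from chrony or any NTS implementation. It constructs a self-signed certificate for the hypothetical server name ntske.example.net with a constructed validity window, runs the same chain validation a TLS client performs during NTS-KE at several values of the client's clock, and then shows the usual mitigation for devices without a battery-backed RTC: flooring the clock at a hypothetical compiled-in firmware build time, since the true time can never be earlier than the build.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical NTS-KE server name used for the constructed certificate.
const ntskeName = "ntske.example.net"

// Constructed validity window. A real NTS-KE chain would come from a CA; a
// single self-signed certificate is enough to show the clock dependency,
// because every certificate in a chain is checked against the client's clock.
var (
	notBefore = time.Date(2020, 4, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2021, 4, 1, 0, 0, 0, 0, time.UTC)
)

// makeServerCert builds the self-signed certificate and a root pool that
// trusts it, standing in for the trust store of an NTS client.
func makeServerCert() (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: ntskeName},
		DNSNames:              []string{ntskeName},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool, nil
}

// verifyAt performs the same chain validation a TLS client does during the
// NTS-KE handshake, but against the time the client believes it is.
// Returns nil when the chain validates at that clock value.
func verifyAt(cert *x509.Certificate, roots *x509.CertPool, clientClock time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:     ntskeName,
		Roots:       roots,
		CurrentTime: clientClock,
	})
	return err
}

// effectiveClock is the common mitigation for devices that boot without a
// battery-backed RTC: the true time can never be earlier than the moment the
// firmware was built, so a clock below that floor is replaced by the floor.
// buildTime is a hypothetical compiled-in constant.
func effectiveClock(rtc, buildTime time.Time) time.Time {
	if rtc.Before(buildTime) {
		return buildTime
	}
	return rtc
}

func main() {
	cert, pool, err := makeServerCert()
	if err != nil {
		panic(err)
	}
	buildTime := time.Date(2020, 5, 1, 0, 0, 0, 0, time.UTC)
	for _, clk := range []time.Time{
		time.Unix(0, 0).UTC(),                            // no RTC: clock starts at the epoch
		time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC),      // roughly right
		time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC),      // clock ran far ahead
		effectiveClock(time.Unix(0, 0).UTC(), buildTime), // epoch clock floored to build time
	} {
		fmt.Printf("client clock %s: verify -> %v\n", clk.Format(time.RFC3339), verifyAt(cert, pool, clk))
	}
}
```

The epoch clock and the far-future clock both fail with a certificate validity error before any signature is checked, which is the chicken-and-egg problem: the client cannot get authenticated time without first trusting a certificate, and it cannot trust the certificate without roughly knowing the time. The build-time floor only helps while the certificate's notBefore is earlier than the build; it does nothing against an expired certificate, which a device left on the shelf for years will still hit.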