Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp

Miroslav Lichvar <> Mon, 08 March 2021 13:06 UTC

From: Miroslav Lichvar <>
To: Heiko Gerstung <>
Cc: "Langer, Martin" <>, Watson Ladd <>, NTP WG <>

On Mon, Mar 08, 2021 at 01:41:40PM +0100, Heiko Gerstung wrote:
> Hi Miroslav,
> even if cookies would not be required, I would still want to keep this concept simply because we can re-use the whole NTS4NTP mechanism and do not have to invent yet another protocol etc. 

If I understand it correctly, the authentication mechanism is already
specified in 1588-2019. It just needs some keys to be set up. This
draft proposes an NTS-KE based protocol for that.

> Plus, you do not need any state for the unicast negotiation itself. It is a short, quick packet exchange between a client and a GM and once it has been completed, the GM does not need to store any data about the client for the next unicast negotiation. When successful, the GM enters the packet transmission phase (which requires state as the GM needs to set up a packet transmission for a slave), but using the cookie concept for the unicast negotiation phase would allow an NTS-KE server to hand out cookies to an NTS/PTP client who could then use them to request packet transmission from a separate list of Unicast GMs.

If you don't have any client-specific state on the server (and
hardcode the address in the cookie), how do you prevent replay
attacks, e.g. canceling a previous request, or changing the message
rate to a previous value, or requesting unicast transmissions for
clients that no longer exist to cause a DoS attack on the server?

Miroslav Lichvar
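
A toy model of the replay question raised in the reply above, added as an example and not taken from the draft, IEEE 1588-2019 or either participant. The cookie layout, message format, HMAC construction and per-client sequence counter are all assumptions made for illustration; it shows that address-bound cookie and message authentication alone accept a captured CANCEL sent a second time, while a server keeping one counter per client rejects it.

```python
import hashlib, hmac, struct

SERVER_KEY = b"constructed-server-key"  # constructed sample value

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def issue(addr: str, nonce: bytes):
    """Key-establishment step (toy): returns (cookie, client key) bound to addr."""
    body = nonce + addr.encode()
    return body + mac(SERVER_KEY, b"cookie" + body), mac(SERVER_KEY, b"key" + body)

def request(cookie: bytes, key: bytes, seq: int, action: str):
    msg = struct.pack("!Q", seq) + action.encode()
    return cookie, msg, mac(key, msg)

def verify(req, src_addr: str):
    """Stateless checks only: cookie tag, address binding, message tag."""
    cookie, msg, tag = req
    body, ctag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(ctag, mac(SERVER_KEY, b"cookie" + body)):
        return None
    if body[16:].decode() != src_addr:  # 16-byte nonce, then the address
        return None
    if not hmac.compare_digest(tag, mac(mac(SERVER_KEY, b"key" + body), msg)):
        return None
    return struct.unpack("!Q", msg[:8])[0]

class StatelessServer:
    def handle(self, req, src_addr: str) -> bool:
        return verify(req, src_addr) is not None

class StatefulServer:
    def __init__(self):
        self.last_seq = {}  # per-client state: highest sequence number accepted
    def handle(self, req, src_addr: str) -> bool:
        seq = verify(req, src_addr)
        if seq is None or seq <= self.last_seq.get(src_addr, 0):
            return False
        self.last_seq[src_addr] = seq
        return True

def replay_outcome(server):
    """Returns (all original requests accepted, replayed CANCEL accepted)."""
    addr = "192.0.2.10"  # constructed documentation address
    cookie, key = issue(addr, bytes(16))
    actions = ["REQUEST rate=16", "CANCEL", "REQUEST rate=64"]
    reqs = [request(cookie, key, n, a) for n, a in enumerate(actions, start=1)]
    first = [server.handle(r, addr) for r in reqs]
    return all(first), server.handle(reqs[1], addr)  # captured CANCEL sent again
```

The counter covers only the replay cases in this model; requests naming clients that no longer exist are outside what it demonstrates.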