Re: [Ntp] New Version Notification for draft-gruessing-ntp-ntpv5-requirements-03.txt

Dieter Sibold <dsibold.ietf@gmail.com> Wed, 20 October 2021 17:46 UTC

From: Dieter Sibold <dsibold.ietf@gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: James <james.ietf@gmail.com>, NTP WG <ntp@ietf.org>, Doug Arnold <doug.arnold@meinberg-usa.com>
Date: Wed, 20 Oct 2021 19:46:28 +0200
X-Mailer: MailMate (1.14r5818)
Message-ID: <7A999723-E576-4405-A83F-963556FEB039@gmail.com>
In-Reply-To: <YW2FvUiaHC/hbxkG@localhost>
References: <163386015957.12424.6997038478834885480@ietfa.amsl.com> <CAO+dDx=6baLhf9LwSMvR1F0ieuLO6NXmExYLDvcCF2tgchHs8w@mail.gmail.com> <DB8PR02MB5772AC97BFE2D7C1139EFDC0CFB89@DB8PR02MB5772.eurprd02.prod.outlook.com> <E469D9A7-7445-49D9-A8A2-82BA7BF1FA27@gmail.com> <YW2FvUiaHC/hbxkG@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/2yvGfT0swIHYAmeZNtcbCPu0pe4>


On 18 Oct 2021, at 16:33, Miroslav Lichvar wrote:

> On Fri, Oct 15, 2021 at 11:27:20AM +0200, James wrote:
>>> On 15 Oct 2021, at 00:45, Doug Arnold <doug.arnold@meinberg-usa.com> wrote:
>>> Encryption and authentication MUST be provided by the protocol specification as a default and MUST be resistant to downgrade attacks...
>>
>> To put this another way, I think the specification must provide confidentiality as well as authentication, and that if either is applied they cannot be removed from a connection (aka a security downgrade) which makes authentication the minimum and doesn’t necessarily mandate confidentiality.
>
> I still don't understand this part. What do "as a default" and
> "authentication the minimum" exactly mean? What information needs to
> be encrypted? Everything? The first octet cannot be encrypted to allow
> detection of NTPv5 packets on port 123.
>
> For NTPv5 to be successful in replacing NTPv4, I think it needs to
> support no authentication, symmetric keys and NTS.
>
>> This section in particular could probably use some editing and clarification to better explain this [1] as we’ll likely need consensus calls made.
>>
>>> 2. I think that it is better to allow leap smearing and make it a visible part of the protocol than to pretend it is not going to happen.  On this topic I think that Miroslav’s proposal was more realistic.  Data center network architects tell me they definitely plan to continue to do leap smearing.
>>
>> In other use cases such as publicly accessible NTP, leap smearing has effectively fragmented the pools of services a given host can use, as mixing smeared and non-smeared services is not a good idea, in addition to the start/end and cadence of smearing being inconsistent between providers [2]. I think that having a “linear, monotonic timescale” and leap smearing together are contradictory, and so having smearing in the wire format would require changing that. My proposal doesn’t prevent smearing of a clock being synchronised; it’s about removing the smear from the wire.
>
> They can both be supported as different timescales, with the server
> responding in the one that the client has requested.
>
> If you don't allow leap smearing in NTPv5 at all, I suspect people
> will either stick to NTPv4, missing the important improvements in
> NTPv5, or ignore the specification and use a leap-smeared version of
> NTPv5 anyway.
>
> Same for UTC vs TAI.

Many National Metrology Institutes (NMIs) are using NTP to disseminate the legal time, which is always based on UTC. I suppose NMIs will appreciate it if NTPv5 servers have the option to disseminate UTC.

>
> It seems we need to agree on some very high level goals for NTPv5. Is
> it supposed to replace most NTPv4 use cases? Is it supposed to be
> implementable on current operating systems?
>
> -- 
> Miroslav Lichvar
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
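As an added example (not code from this thread, from the draft, or from any NTP implementation), the Python below models the two points argued above: a server that answers in whichever timescale the client requests (plain UTC with a leap second, TAI, or linearly smeared UTC), and the reason a client that mixes a smeared and an unsmeared server around a leap second ends up with sources that disagree by about half a second. All names are mine. Assumptions, also stated in the code: instants are counted in seconds on the TAI scale so the underlying scale is linear and monotonic; the only leap second in the table is the real one at 2016-12-31T23:59:60Z, after which TAI-UTC = 37 s; the smear is a 24 h noon-to-noon linear smear centred on the leap second, which is one common choice but, as James notes, not the only one in use.

```python
"""
Toy model of one NTPv5 server answering in three timescales: plain UTC
(with a leap second), TAI (no leap seconds) and linearly smeared UTC.
Added illustration; not code from the IETF thread or any NTP draft.
"""
from dataclasses import dataclass

# Assumptions (mine): time is a float count of TAI seconds from
# 1970-01-01T00:00:00 TAI, so the scale is linear and monotonic. The only
# leap second modelled is the real one at 2016-12-31T23:59:60Z, after which
# TAI-UTC = 37 s. The smear is a 24 h linear smear centred on the leap second
# (noon UTC to noon UTC); other operators use different windows.
POSIX_2017 = 1_483_228_800               # 2017-01-01T00:00:00Z as POSIX seconds
OFFSET_BEFORE, OFFSET_AFTER = 36, 37     # TAI-UTC before / after the 2016 leap second
LEAP_START_TAI = POSIX_2017 + OFFSET_BEFORE   # TAI instant at which 23:59:60Z begins
SMEAR_LEN = 86_400                       # smear window, in UTC seconds
SMEAR_START_TAI = LEAP_START_TAI - SMEAR_LEN // 2   # 2016-12-31T12:00:00Z
SMEAR_END_TAI = SMEAR_START_TAI + SMEAR_LEN + 1     # 2017-01-01T12:00:00Z (one extra TAI second)


def utc_posix(tai: float) -> float:
    """UTC as POSIX seconds: the count of 23:59:59 is replayed during 23:59:60Z."""
    if tai < LEAP_START_TAI:
        return tai - OFFSET_BEFORE
    if tai < LEAP_START_TAI + 1:
        # POSIX cannot represent 23:59:60, so the previous second repeats (step back by 1 s).
        return POSIX_2017 - 1 + (tai - LEAP_START_TAI)
    return tai - OFFSET_AFTER


def smeared_posix(tai: float) -> float:
    """Smeared UTC: runs slow by 1/(SMEAR_LEN+1) across the window and never shows a leap."""
    if tai < SMEAR_START_TAI:
        return tai - OFFSET_BEFORE
    if tai < SMEAR_END_TAI:
        elapsed = tai - SMEAR_START_TAI
        return (SMEAR_START_TAI - OFFSET_BEFORE) + elapsed * SMEAR_LEN / (SMEAR_LEN + 1)
    return tai - OFFSET_AFTER


def smear_vs_utc_offset(tai: float) -> float:
    """Disagreement a client sees between a smeared and a plain-UTC server at one instant."""
    return smeared_posix(tai) - utc_posix(tai)


def max_smear_disagreement(step: float = 1.0) -> float:
    """Scan the smear window and return the largest |smeared - UTC| offset found."""
    worst = 0.0
    t = float(SMEAR_START_TAI)
    while t < SMEAR_END_TAI:
        worst = max(worst, abs(smear_vs_utc_offset(t)))
        t += step
    return worst


# Timescales the hypothetical server is willing to answer in.
TIMESCALES = {
    "UTC": utc_posix,
    "TAI": lambda tai: tai,
    "UTC-SMEARED": smeared_posix,
}


@dataclass(frozen=True)
class Response:
    timescale: str
    seconds: float
    leap_pending: bool   # analogue of NTPv4's LI warning: a leap is due at the end of this UTC day


def respond(tai_now: float, requested: str) -> Response:
    """Answer in the timescale the client asked for; refuse unknown scales instead of
    silently falling back to a different one (a client must never misread the scale)."""
    try:
        scale = TIMESCALES[requested]
    except KeyError:
        raise ValueError(f"unsupported timescale {requested!r}") from None
    # A leap warning only makes sense on the un-smeared UTC scale, during the UTC day
    # that ends with the leap second (2016-12-31T00:00:00Z up to the end of 23:59:60Z).
    leap_pending = requested == "UTC" and LEAP_START_TAI - 86_400 <= tai_now < LEAP_START_TAI + 1
    return Response(requested, scale(tai_now), leap_pending)


if __name__ == "__main__":
    for label, t in [("1 s before leap", LEAP_START_TAI - 1), ("in 23:59:60Z", LEAP_START_TAI),
                     ("1 s after leap", LEAP_START_TAI + 1)]:
        print(f"{label:>15}: " + "  ".join(f"{ts}={respond(t, ts).seconds:.3f}" for ts in TIMESCALES))
    print(f"worst smeared-vs-UTC disagreement: {max_smear_disagreement():.4f} s")
```

Run stand-alone it prints the three timescales at the instants around the leap second; the largest smeared-versus-UTC disagreement is about 0.5 s at midnight, which is large enough for an NTPv4 client mixing both kinds of server to treat one of them as a falseticker. Announcing the timescale explicitly, as Miroslav suggests, is what lets a client avoid that mix in the first place.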