Re: [Ntp] A simpler way to secure PTP

Daniel Franke <dfoxfranke@gmail.com> Wed, 12 May 2021 05:44 UTC

To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/3ZdrPSyyzy6At5GfcoM1VynfkGE>

On Wed, May 12, 2021, 01:14 Heiko Gerstung <heiko.gerstung@meinberg.de>
wrote:

> that’s why we use the integrated security mechanism for unicast PTP and
> just use the NTS-KE protocol to exchange the required keys for that. Due to
> the fact that the two protocols NTP and PTP work in a completely different
> way, there is nothing more that can be reused. I agree we could find another
> way to exchange keys and it doesn’t have to be NTS. But why not use it,
> now that it is there?
>
Return-routability checking (what I referred to in my previous message as
SYN-cookie-like schemes, but I like the terminology of
https://datatracker.ietf.org/doc/html/draft-tschofenig-tls-dtls-rrc-01)
doesn't require key exchange at all. The only keys involved are held by the
server and no other party. The client just echoes back the opaque blobs
that the server sends it.