Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Miroslav Lichvar <> Tue, 01 June 2021 13:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5B7D33A1845 for <>; Tue, 1 Jun 2021 06:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.496
X-Spam-Status: No, score=-3.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2ctiP0B5bgij for <>; Tue, 1 Jun 2021 06:35:04 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A80473A1846 for <>; Tue, 1 Jun 2021 06:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1622554503; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=S41iKPBE28/HD6/7NOc3RA6Kuozdft1LjlZ45u0pSls=; b=M5rm2kcsAWjbPVKku8MXbvFb/bdMPoxwY16bOGXogDV+3zKgUo7ZXj2IKWuSHd8gzt3iYH VECMsiC7iRb+ywMQdki3Eehkh4VSOpZQi+5gA6Q409nrMOQ4oAzMBXdC/g9I+wHWOcSdqM VegQtYPqN2XKK8OHs4hGYtwQgq3+Lt4=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-8-exWXrUemMLyS4xXMjduYQw-1; Tue, 01 Jun 2021 09:34:59 -0400
X-MC-Unique: exWXrUemMLyS4xXMjduYQw-1
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B2C3D1926DB3; Tue, 1 Jun 2021 13:34:57 +0000 (UTC)
Received: from localhost ( []) by (Postfix) with ESMTPS id 0168961F5E; Tue, 1 Jun 2021 13:34:56 +0000 (UTC)
Date: Tue, 1 Jun 2021 15:34:55 +0200
From: Miroslav Lichvar <>
To: Heiko Gerstung <>
Cc: "" <>
Message-ID: <YLY3f2/5k1Hjebf7@localhost>
References: <> <YLYCLIEA4/unB6/5@localhost> <> <YLYheZYTSflAdlrF@localhost> <>
MIME-Version: 1.0
In-Reply-To: <>
X-Scanned-By: MIMEDefang 2.79 on
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <>
Subject: Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Jun 2021 13:35:10 -0000

On Tue, Jun 01, 2021 at 02:48:32PM +0200, Heiko Gerstung wrote:
> > Am 01.06.21, 14:01 schrieb "Miroslav Lichvar" <>om>:
> > Can you please elaborate? My (limited) understanding of DTLS is that
> > it would address the attacks. It has a 48-bit sequence number to
> > protect against replays and client authentication comes from TLS.
> I understood that you want to use DTLS to exchange the symmetric keys used to calculate the ICV of the unencrypted event messages. This unfortunately does not address the replay/amplification vulnerability of the unicast negotiation protocol itself, it just protects against replaying the DTLS messages.

The idea is that DTLS protects everything except the sync and delay
request messages. The unicast negotiation would be protected, of

> I most probably know much less about DTLS than you, Miroslav. For example, I do not know whether this requires asymmetric cryptography in every message or just at the beginning in the handshake. However, I am pretty sure that DTLS can be used to securely exchange the symmetric keys instead of using TLS in the NTS-KE phase. 

DTLS is just a datagram-based version of TLS. Asymmetric crypto is
needed only on start. Performance would certainly not be an issue. I
suspect you are already reinventing some of its wheels, like the
replay protection.

> As I tried to explain earlier, our intention with this draft was to stay close to NTS4NTP to enable implementors to re-use code and allow users to combine the required infrastructure for NTS4NTP and NTS4UPTP. I fully agree that other protocols and security mechanisms would do the trick as well, but I believe that the name "Network Time Security" indicates that it has a good chance of being a better fit for securing a network time sync protocol. And, according to our research and our experience regarding network time synchronization, we came to the conclusion that this is the case for unicast PTP. 

Ok, if you need as much of NTS4NTP as possible and at the same time
keep accuracy provided by hardware timestamping as is supported in
current hardware, I think the solution is simple: NTS4NTP over PTP.

You can wrap NTP messages in a PTP event message to get hardware
timestamps and keep all the benefits of NTS4NTP. It seems your plan is
to provide NTS4NTP in any case. Do you see any disadvantages?

This would be a very short draft and it would be useful even for
plain NTP without NTS. I think I'll give it a shot.

Miroslav Lichvar