Re: [Ntp] Publication has been requested for draft-ietf-ntp-using-nts-for-ntp-20

Miroslav Lichvar <> Thu, 14 November 2019 10:39 UTC


On Thu, Nov 14, 2019 at 01:38:53AM -0800, Hal Murray wrote:
> said:
> >    with a list of one or more IP addresses to NTP servers for which the
> > cookies
> > Is it wrong to interpret a FQDN as a list of addresses? 
> Good question.
> I vote we add something like "use only one address, but the client gets to 
> pick which one".

I think it should prefer the address family (IPv4/IPv6) it used to
connect NTS-KE. Wasn't that the original reason for allowing hostnames
in the NTS-KE record, that some servers behind NAT may not know the
address of the client and cannot respond with the corresponding

Should multiple addresses per IPv4/IPv6 be expected and what does that
mean? Are they different addresses of the same server, or different
servers? There is only one "Server Negotiation" record allowed in the
NTS-KE response, so I think that suggests it's supposed to be only one

Another question is what should happen when a client runs out of
cookies, starts a new NTS-KE exchange, and gets a different address or
hostname than before. Is it ok to continue using the old address for
as long as it responds?

> Our code processes the list in order, using the first one that isn't already 
> in use.  Thus
>   server nts
>   server nts
> Will get 2 connections to the same server in the typical case where the 
> server has both an IPv4 address and an IPv6 address.

I guess if you specified the same server twice, you would expect to
have two associations with that server.

What about "pool"? Does it create multiple associations if the
negotiated "hostname" resolved to multiple addresses?

In my implementation I'm currently going with the "single server"
interpretation and won't be using multiple addresses.

Miroslav Lichvar
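The "single server" interpretation discussed in this thread, as an added example (not the poster's code, not chrony's, and not text from the draft): parse the NTS-KE response records, insist on exactly one Server Negotiation record, and when it holds a hostname that resolves to several addresses, prefer the address family the NTS-KE connection used. The resolver is passed in as a callable; the response bytes and the DNS table are constructed for the example, and the record type numbers are those of the NTS-KE registry.

```python
import socket
import struct

NTS_SERVER_NEGOTIATION, NTS_PORT_NEGOTIATION = 6, 7  # NTS-KE record types (RFC 8915 registry)

def parse_nts_ke_records(data):
    """Split an NTS-KE response into (critical, record_type, body) tuples."""
    records, off = [], 0
    while off + 4 <= len(data):
        hdr, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated NTS-KE record")
        records.append((bool(hdr & 0x8000), hdr & 0x7FFF, data[off:off + length]))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last NTS-KE record")
    return records

def select_ntp_endpoint(records, ke_family, resolve):
    """Single-server reading: one Server Negotiation record, one address, NTS-KE's family preferred."""
    servers = [body for _, typ, body in records if typ == NTS_SERVER_NEGOTIATION]
    ports = [body for _, typ, body in records if typ == NTS_PORT_NEGOTIATION]
    if len(servers) != 1 or len(ports) > 1:
        raise ValueError("expected one Server Negotiation and at most one Port Negotiation record")
    port = struct.unpack("!H", ports[0])[0] if ports else 123
    host = servers[0].decode("ascii")
    for fam in (socket.AF_INET, socket.AF_INET6):  # literal address: nothing to resolve
        try:
            socket.inet_pton(fam, host)
            return host, port
        except OSError:
            pass
    addrs = resolve(host) or []  # (family, address) pairs from a stub or a getaddrinfo wrapper
    if not addrs:
        raise ValueError(f"{host} did not resolve to any address")
    same_family = [addr for fam, addr in addrs if fam == ke_family]
    return (same_family or [addr for _, addr in addrs])[0], port

# Constructed NTS-KE response (not a real capture): Server Negotiation, Port Negotiation, End of Message.
SAMPLE_RESPONSE = (struct.pack("!HH", NTS_SERVER_NEGOTIATION, 15) + b"ntp.example.net"
                   + struct.pack("!HH", NTS_PORT_NEGOTIATION, 2) + struct.pack("!H", 4123)
                   + struct.pack("!HH", 0x8000, 0))
# Constructed stand-in for DNS so the example runs offline (a dual-stack server).
FAKE_DNS = {"ntp.example.net": [(socket.AF_INET6, "2001:db8::123"), (socket.AF_INET, "192.0.2.10")]}

def run_demo():
    recs = parse_nts_ke_records(SAMPLE_RESPONSE)
    return (select_ntp_endpoint(recs, socket.AF_INET, FAKE_DNS.get),
            select_ntp_endpoint(recs, socket.AF_INET6, FAKE_DNS.get))
```

The same response yields a different NTP address depending on whether NTS-KE was reached over IPv4 or IPv6, which is the behaviour the thread argues for; a record carrying a literal IP address is used as-is.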