Re: [Ntp] A simpler way to secure PTP
Doug Arnold <doug.arnold@meinberg-usa.com> Mon, 10 May 2021 14:43 UTC
To: Miroslav Lichvar <mlichvar@redhat.com>, Daniel Franke <dfoxfranke@gmail.com>
CC: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5T5dh9aPJ3eIDkgbFBBayQU3TjU>

I have heard of people actually doing this in the field as a sanity check. However, some applications that use PTP can be broken by introducing timing errors that are less than the expected difference between PTP and NTP.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Miroslav Lichvar <mlichvar@redhat.com>
Date: Monday, May 10, 2021 at 8:47 AM
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP

On Sat, May 08, 2021 at 04:53:06PM -0400, Daniel Franke wrote:
> The trick is: run NTS-secured NTP and regular, unauthenticated PTP
> side-by-side. Do not use the NTP responses to set the clock; instead, use
> them only to establish maximum error bounds on the current time, and then
> clamp all PTP messages to within those bounds.

Makes sense to me. In a more general approach, this is already possible with some existing PTP and NTP implementations like linuxptp and chrony. PTP can be specified as an untrusted reference clock, which will be used for synchronization only if it agrees with trusted NTS-secured NTP source(s). We recommend combining (multiple) PTP and NTP time sources for better accuracy, resiliency, and security.

--
Miroslav Lichvar
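
The clamping scheme quoted above, together with the limit raised in the reply, as an added example that is not from any message in this thread and is not linuxptp or chrony code. The interval formula (offset ± (delay/2 + dispersion)), the function names and the sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NtpSample:
    """One NTS-authenticated NTP measurement; all fields in nanoseconds."""
    offset_ns: int       # estimated (server - local) clock offset
    delay_ns: int        # measured round-trip delay
    dispersion_ns: int   # allowance for clock drift and timestamp precision

def ntp_bounds(sample):
    """Interval that must contain the true offset if the server is honest."""
    half_width = sample.delay_ns // 2 + sample.dispersion_ns
    return sample.offset_ns - half_width, sample.offset_ns + half_width

def combined_bounds(samples):
    """Intersect the intervals from several trusted sources."""
    lows, highs = zip(*(ntp_bounds(s) for s in samples))
    low, high = max(lows), min(highs)
    if low > high:
        raise ValueError("trusted NTP sources disagree; no common interval")
    return low, high

def clamp_ptp(ptp_offset_ns, bounds):
    """Return (offset to apply, clamped?) for one unauthenticated PTP offset."""
    low, high = bounds
    applied = min(max(ptp_offset_ns, low), high)
    return applied, applied != ptp_offset_ns

# Constructed samples: two NTS servers reached over a ~1 ms path.
SAMPLES = [
    NtpSample(offset_ns=200_000, delay_ns=1_000_000, dispersion_ns=100_000),
    NtpSample(offset_ns=-100_000, delay_ns=800_000, dispersion_ns=50_000),
]

def demo():
    bounds = combined_bounds(SAMPLES)   # (-400000, 350000)
    return {
        "bounds": bounds,
        "honest_120ns": clamp_ptp(120, bounds),
        "shifted_5ms": clamp_ptp(5_000_000, bounds),
        # The reply's caveat: a shift smaller than the NTP bound is not caught.
        "shifted_50us": clamp_ptp(50_000, bounds),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```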