Re: [Ntp] A simpler way to secure PTP
Heiko Gerstung <heiko.gerstung@meinberg.de> Wed, 12 May 2021 05:15 UTC
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/5gnKA4rYDeUR3-_tTp1ZIazsc1E>
Hi Daniel,

that’s why we use the integrated security mechanism for unicast PTP and just use the NTS-KE protocol to exchange the required keys for that. Due to the fact that the two protocols NTP and PTP work in a completely different way, there is nothing more that can be reused.

I agree we could find another way to exchange keys and it doesn’t have to be NTS. But why not use it, now that it is there?

Regards,
Heiko

--
Heiko Gerstung
Managing Director
MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-404
Fax: +49 (0)5281 9309-9404
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung
Email: heiko.gerstung@meinberg.de
Web: Deutsch https://www.meinberg.de
English https://www.meinbergglobal.com
Do not miss our Time Synchronization Blog: https://blog.meinbergglobal.com
Connect via LinkedIn: https://www.linkedin.com/in/heikogerstung

From: ntp <ntp-bounces@ietf.org> on behalf of Daniel Franke <dfoxfranke@gmail.com>
Date: Tuesday, 11 May 2021 at 21:40
To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP

On Tue, May 11, 2021 at 3:14 AM Heiko Gerstung <heiko.gerstung@meinberg.de> wrote:

> However, especially unicast PTP is a great traffic amplification tool, maybe one of the biggest traffic amplification machines of all time. And I also believe that it would be great to (re)use the general concepts of NTS to secure the other popular time transfer protocol out there.

Amplification is definitely worth fixing, but ISTM this should be orthogonal to the NTS effort. You don't need message authentication for that, you just need the client to prove (and maybe occasionally re-prove) that it's able to receive packets at a particular IP address. There may be some crypto involved in doing so (a la TCP SYN cookies), but it doesn't have to be related to NTS crypto, and servers shouldn't have to require all their clients to support NTS just to prevent themselves from being exploited for amplification.
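The SYN-cookie style address proof Daniel describes, as an added example that is not code from this thread, from Meinberg, or from any PTP or NTS implementation: a stateless HMAC cookie lets a unicast time server confirm that a client really receives packets at its claimed address before any reply larger than the request is sent. SLOT_SECONDS, COOKIE_LEN and the request layout are assumptions.

```python
import hmac
import hashlib
import ipaddress

# Stateless return-routability cookie in the spirit of TCP SYN cookies.
# A server receiving an unauthenticated unicast request answers only with
# a cookie no larger than the request, so a spoofed source address gains
# no amplification. A client that echoes a valid cookie has shown that it
# really receives packets at that address; only then does the server send
# the larger unicast reply. SLOT_SECONDS, COOKIE_LEN and the request
# layout are assumptions made for this example.

SLOT_SECONDS = 60   # time slot that bounds a cookie's lifetime
COOKIE_LEN = 16     # truncated HMAC tag, 128 bits


def _tag(secret: bytes, ip: str, port: int, slot: int) -> bytes:
    """HMAC over client address, port and time slot, truncated."""
    msg = (ipaddress.ip_address(ip).packed
           + port.to_bytes(2, "big")
           + slot.to_bytes(8, "big"))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def make_cookie(secret: bytes, ip: str, port: int, now: float) -> bytes:
    """Cookie handed to an unproven client; the server keeps no state."""
    return _tag(secret, ip, port, int(now // SLOT_SECONDS))


def verify_cookie(secret: bytes, ip: str, port: int, cookie: bytes,
                  now: float) -> bool:
    """Accept the current or the previous slot so a cookie issued just
    before a slot boundary is not rejected; anything older has expired."""
    slot = int(now // SLOT_SECONDS)
    return any(hmac.compare_digest(cookie, _tag(secret, ip, port, s))
               for s in (slot, slot - 1))


def handle_request(secret: bytes, src_ip: str, src_port: int,
                   request: bytes, now: float):
    """Server side; returns (kind, reply). A request carrying a cookie
    has it in its last COOKIE_LEN bytes (constructed layout)."""
    if len(request) < COOKIE_LEN:
        return "dropped", b""   # too short to answer without amplifying
    if verify_cookie(secret, src_ip, src_port, request[-COOKIE_LEN:], now):
        # address proven: the large answer may be sent (constructed payload)
        return "served", b"UNICAST-TIME-RESPONSE" + bytes(200)
    # unproven: reply with the cookie only, never longer than the request
    return "challenge", make_cookie(secret, src_ip, src_port, now)
```

Note that the server needs no per-client table: the secret, the client's address and the time slot are enough to recompute and check the cookie, which is what keeps the check itself from becoming a resource-exhaustion target.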