Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Doug Arnold <doug.arnold@meinberg-usa.com> Tue, 01 June 2021 23:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/994UXrs-h8m_KvmZRjmM7YmtsJY>

I think that it is clumsy to bring in another protocol to add security to the one of interest.  Why not just add the same functionality to PTP?

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Daniel Franke <dfoxfranke@gmail.com>
Date: Tuesday, June 1, 2021 at 3:27 PM
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntp@ietf.org <ntp@ietf.org>, Heiko Gerstung <heiko.gerstung@meinberg.de>
Subject: Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
On Tue, Jun 1, 2021 at 9:35 AM Miroslav Lichvar <mlichvar@redhat.com> wrote:
> Ok, if you need as much of NTS4NTP as possible and at the same time
> keep accuracy provided by hardware timestamping as is supported in
> current hardware, I think the solution is simple: NTS4NTP over PTP.
>
> You can wrap NTP messages in a PTP event message to get hardware
> timestamps and keep all the benefits of NTS4NTP. It seems your plan is
> to provide NTS4NTP in any case. Do you see any disadvantages?

All these long and similar initialisms for the various PTP security
proposals are getting unmanageable, so I'm going to create some new
ones:

* I'm going to start calling my proposal NSCoPE, for NTP Securely
Constraining PTP Errors.

* I'm going to call Miroslav's proposal PEN, for PTP-Encapsulated NTP.

* I'll keep using NTS4NTP for RFC 8915, NTS4UPTP for the
Gerstung-Rohde-Arnold draft, and NTS4PTP for the Langer-Bermbach
draft.

I agree with Miroslav that PEN likely requires a lot less development
effort than NTS4UPTP does, but it still requires changes to both the
server and the client, unlike NSCoPE which can be implemented
unilaterally on the client. There's a tremendous gulf between changing
one line of code on the server and changing zero. A one-line change
requires a full-blown standards-track effort involving multiple
standards bodies, interop testing between vendors, and lots of network
infrastructure that needs upgrading, even if the upgrade is just a
firmware patch. If only client-side changes are needed, none of this
coordination is required.

Maybe a better way to think of PEN is not as a security layer for PTP,
but rather as a way to improve the typical-case precision of NTP by
adding hardware timestamps. It strikes me as a better alternative to
interleaved mode, one which avoids the need for server state or for
sending follow-up packets. It's hardly PTP at all; the fact that
responses come back framed as PTP event messages is just a hack to get
existing hardware to cooperate. The fact that the NTP messages can use
NTS is pretty much incidental. You can do PEN with unauthenticated NTP
messages too and (as long as you're not under attack) get all the same
benefit to precision.
