Re: [Ntp] Mandatory confidentiality for ntpv5
kristof.teichel@ptb.de Thu, 21 October 2021 07:31 UTC
Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39D743A1071; Thu, 21 Oct 2021 00:31:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdaepM5ML-0L; Thu, 21 Oct 2021 00:30:44 -0700 (PDT)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A24553A106F; Thu, 21 Oct 2021 00:30:42 -0700 (PDT)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id 19L7UcpQ017866-19L7UcpS017866 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 21 Oct 2021 09:30:38 +0200
Received: from lotus.bs.ptb.de (lotus.bs.ptb.de [141.25.85.200]) by smtp-hub.bs.ptb.de (Postfix) with ESMTPS id 62E09C52045; Thu, 21 Oct 2021 09:30:38 +0200 (CEST)
In-Reply-To: <D6E8E0F4-C5C7-4C83-AB10-F45761578B76@gmail.com>
References: <20211015194128.5A90228C0F3@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <D6E8E0F4-C5C7-4C83-AB10-F45761578B76@gmail.com>
To: Dieter Sibold <dsibold.ietf@gmail.com>
Cc: Hal Murray <halmurray+ietf@sonic.net>, NTP WG <ntp@ietf.org>, ntp <ntp-bounces@ietf.org>
MIME-Version: 1.0
Message-ID: <OFAC28A510.CC2AB2F1-ONC1258775.00278046-C1258775.002941A1@ptb.de>
From: kristof.teichel@ptb.de
Date: Thu, 21 Oct 2021 09:30:37 +0200
Content-Type: multipart/alternative; boundary="=_alternative 0029419DC1258775_="
X-FE-Policy-ID: 5:5:5:SYSTEM
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/9qhr8Aqh8ruahtdOpCRFHzkkKOU>
Subject: Re: [Ntp] Mandatory confidentiality for ntpv5
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 07:31:02 -0000
Hey all, for the record, mandating encryption for NTP synchronization packets has one minor disadvantage that I can think of: It makes it more difficult to introduce something like a "zero-cryptographic-latency" (let me call that ZCL) mode (like ANTP for example introduced). Such a ZCL mode would work by using a message flow a bit like two-step from PTP, where the time server/master/source sends two messages to compensate for any delays in the first one via contents of the second one. It can still be done, it just gets more complex with a mandate to "simply encrypt everything". That said, encrypting everything might still be the right call, at least it makes for less complex policy decisions, and fits well within IETF guidelines. Best regards, Kristof Von: "Dieter Sibold" <dsibold.ietf@gmail.com> An: "Hal Murray" <halmurray+ietf@sonic.net> Kopie: "NTP WG" <ntp@ietf.org> Datum: 20.10.2021 19:17 Betreff: Re: [Ntp] Mandatory confidentiality for ntpv5 Gesendet von: "ntp" <ntp-bounces@ietf.org> On 15 Oct 2021, at 21:41, Hal Murray wrote: > james.ietf@gmail.com said: >> Perhaps you can elaborate why you think confidentiality in NTP is a bad >> idea? > > Is it going to do any good? > > There is/was a draft on client data minimization. What is happening with that? > https://datatracker.ietf.org/doc/html/draft-ietf-ntp-data-minimization > > After you have minimized things, what is left to hide with encryption? > > Maybe we should encrypt everything so that we don't waste time discussing > whether we need to encrypt everything. > Maybe this is not a bad idea. NTS already has the capability to encrypt content. > ------- > > We need something like a version field in order for a server to be able to > support multiple versions on the same port number. That allows a fraction of > a bit for client tracking, probably closer to a whole bit for early adopters > when the version is changing. > > -------- > > I'm chasing buggy clients that send bursts of requests to pool servers. It > would be convenient to have the name and version of the NTP package that > generated the packet inside the packet where I can see it. :) > > > -- > These are my opinions. I hate spam. > > > > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Dieter Sibold
- Re: [Ntp] Mandatory confidentiality for ntpv5 kristof.teichel
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: Mandatory confidentiality f… Ulrich Windl