Re: [Ntp] Mandatory confidentiality for ntpv5
Martin Burnicki <martin.burnicki@meinberg.de> Thu, 21 October 2021 13:33 UTC
Message-ID: <faea6fa2-b269-94b8-f101-f00ebe4ed584@meinberg.de>
Date: Thu, 21 Oct 2021 15:33:27 +0200
To: Hal Murray <halmurray+ietf@sonic.net>, ntp@ietf.org
References: <20211021113635.6576528C157@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Martin Burnicki <martin.burnicki@meinberg.de>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
In-Reply-To: <20211021113635.6576528C157@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/CLWleO1RwAJeA-DqVcxvjeZRNuM>
Subject: Re: [Ntp] Mandatory confidentiality for ntpv5
List-Id: Network Time Protocol <ntp.ietf.org>
Hal Murray wrote:
> martin.burnicki@meinberg.de said:
>> How much of the packet would be encrypted?
>> If it's fully encrypted, how could a NIC find out that an incoming packet is
>> an NTP packet that may need to be timestamped (if timestamping of NTP packets
>> is supported at all)?
>
> Why not have the NIC timestamp everything and let the driver discard the ones
> that the client software doesn't want?

From what I've heard so far from kernel developers, collecting data in which no one is interested would be too expensive.

In my opinion this is similar to multicast: if a consumer is interested, it says *what* it is interested in, and only the requested information is provided.

> How does current NIC firmware decide which packets to time stamp?

I'm not familiar with too many different NICs, but I know that some have a hard-coded pattern, e.g. for PTP packets, and others have a configurable packet matcher to which you can download a specific pattern.

Anyway, as far as I know, you would have problems detecting the network packets that are to be timestamped if the packets are fully encrypted. And, similar to the topic above, IMO it would be too expensive to timestamp all packets and drop most of them, in which no NTP or PTP daemon is interested.

> Are you using "timestamp" in the PTP sense of modify the packet? I don't know
> how to do that with encrypted data. I was thinking of "timestamp" in the
> sense of SO_TIMESTAMP.

See above. It would be hard to even *detect* the packets that need to be timestamped, regardless of whether you try to put the timestamp into the encrypted packet (which isn't possible, of course) or make it available in a different way.

Lately I haven't been too much involved in the PTP stuff, but from the past I remember that it was also important at which point/bit the timestamp is taken when the packet comes in and passes along the packet matcher.

Martin

-- 
Martin Burnicki
Senior Software Engineer
MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/
Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de https://www.meinbergglobal.com
Training: https://www.meinberg.academy
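The packet matcher Martin describes can be modelled in software to see how much of a frame must stay in the clear for a NIC to pick out the packets worth timestamping. The block below is an added example written for this page; it is not code from the thread, from Meinberg, or from any NIC firmware. It assumes a simplified Ethernet/IPv4/UDP layout with no VLAN tag or IP options, two rule sets (one that only looks at L2-L4 headers, one that also checks the first NTP byte), and constructed sample frames, including a stand-in "encrypted" NTP payload whose leading byte no longer decodes as a valid version/mode.

```python
"""Software model of a NIC ingress packet matcher deciding which frames
get a hardware timestamp.  Example code added for this page (not from the
thread or any NIC); layouts, rules and sample frames are assumptions."""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PTP = 0x88F7      # IEEE 1588 directly over Ethernet (layer-2 PTP)
PTP_UDP_PORTS = {319, 320}  # PTP event / general messages over UDP
NTP_UDP_PORT = 123
IP_PROTO_UDP = 17


@dataclass
class Verdict:
    timestamp: bool
    reason: str


def parse_frame(frame: bytes):
    """Return (ethertype, ip_proto, sport, dport, l4_payload); assumes no VLAN
    tag and an IPv4 header without options beyond what IHL says."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_IPV4:
        return ethertype, None, None, None, frame[14:]
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl:
        raise ValueError("short IPv4 header")
    proto = frame[14 + 9]                     # protocol field at IPv4 offset 9
    l4 = frame[14 + ihl:]
    if proto != IP_PROTO_UDP:
        return ethertype, proto, None, None, l4
    if len(l4) < 8:
        raise ValueError("short UDP header")
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return ethertype, proto, sport, dport, l4[8:]


def match_header_only(frame: bytes) -> Verdict:
    """Rule set a NIC can apply when only L2-L4 headers are in the clear."""
    ethertype, proto, sport, dport, _ = parse_frame(frame)
    if ethertype == ETHERTYPE_PTP:
        return Verdict(True, "layer-2 PTP ethertype")
    if proto == IP_PROTO_UDP and PTP_UDP_PORTS & {sport, dport}:
        return Verdict(True, "PTP over UDP")
    if proto == IP_PROTO_UDP and NTP_UDP_PORT in (sport, dport):
        return Verdict(True, "NTP over UDP")
    return Verdict(False, "no rule matched")


def match_ntp_payload(frame: bytes) -> Verdict:
    """Stricter rule: also require a plausible LI/VN/Mode byte so arbitrary
    traffic to port 123 is not timestamped.  Needs the NTP header readable."""
    _, proto, sport, dport, payload = parse_frame(frame)
    if proto != IP_PROTO_UDP or NTP_UDP_PORT not in (sport, dport):
        return Verdict(False, "not UDP/123")
    if len(payload) < 48:
        return Verdict(False, "payload shorter than a 48-byte NTP header")
    vn = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    if vn in (3, 4) and 1 <= mode <= 5:
        return Verdict(True, f"NTPv{vn} mode {mode}")
    return Verdict(False, f"UDP/123 but VN={vn} mode={mode} is not a time packet")


def build_udp_frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero on purpose)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IP_PROTO_UDP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + udp


def build_l2_ptp_frame() -> bytes:
    """Constructed layer-2 PTP frame; payload content is irrelevant here."""
    return bytes.fromhex("011b19000000") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_PTP) + bytes(44)


def ntp_client_request() -> bytes:
    # Constructed sample: LI=0, VN=4, Mode=3 (client), remaining fields zero.
    return bytes([0x23]) + bytes(47)


def opaque_ntp_payload() -> bytes:
    # Constructed stand-in for a fully encrypted NTP packet: same length, but
    # the first byte (0xC7 -> VN=0, mode=7) no longer looks like NTP.
    return bytes([0xC7]) + bytes(range(47))


def demo() -> dict:
    """Run both matchers over the sample frames; returns {name: (hdr, strict)}."""
    frames = {
        "ntp_clear": build_udp_frame(50000, NTP_UDP_PORT, ntp_client_request()),
        "ntp_opaque": build_udp_frame(50000, NTP_UDP_PORT, opaque_ntp_payload()),
        "dns": build_udp_frame(40000, 53, bytes(48)),
        "ptp_l2": build_l2_ptp_frame(),
    }
    return {name: (match_header_only(f).timestamp,
                   match_ntp_payload(f).timestamp if name != "ptp_l2" else None)
            for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:11s} header-only={verdicts[0]} strict={verdicts[1]}")
```

The header-only rule keeps working as long as the UDP ports are visible, which is the case if only the NTP payload is encrypted; the stricter rule, and any matcher that keys on NTP fields, breaks as soon as the NTP header is opaque, and a design that encrypts the transport headers too would leave the NIC with nothing to match on at all.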
- [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Dieter Sibold
- Re: [Ntp] Mandatory confidentiality for ntpv5 kristof.teichel
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: Mandatory confidentiality f… Ulrich Windl