Re: [Ntp] NTPv5 draft

Hal Murray <hmurray@megapathdsl.net> Mon, 07 December 2020 21:20 UTC

To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
cc: "ntp@ietf.org" <ntp@ietf.org>, hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org> of "Mon, 07 Dec 2020 16:38:43 GMT." <1204B871-7728-45DA-B628-8F79BD074A96@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/EJtJMyezFAuRYJxQOUL9S4T8dac>

Salz, Rich said:
> My view is that it is no longer acceptable to design a protocol for
> deployment on the open Internet that has no authentication or message
> integrity and that people who disagree are out of consensus.

That seems like a good general principle, but doesn't seem to fit this example very well.

What do you mean by "has no authentication"?  Do you mean supports authentication or requires it?  I'll agree if you mean supports, but I assume you mean requires since otherwise we wouldn't be having this discussion.

Assuming you do mean requires, I'll pay a lot more attention to your argument if you outline a plan for getting the existing user base to demand authenticated time.

The complexity ratio between a simple non-authenticated NTP client and a client with authentication is enormous.

With HTTP to HTTPS, there was a lot of incentive for users and servers to upgrade.  Many did financial transactions over the web.  What's the equivalent for NTP?

---------

There is also an interesting operational side.  Authentication is only useful if you trust the authenticator.  I haven't seen any proposals for how the pool would support that layer of trust.

If you want the net to use authenticated time, I think you have to set up and run something similar to the root DNS servers -- that is a group of trusted people/organizations to run NTP servers that is large enough to support the load.

-- 
These are my opinions.  I hate spam.