Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
Heiko Gerstung <heiko.gerstung@meinberg.de> Mon, 08 March 2021 10:43 UTC
Return-Path: <heiko.gerstung@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078E43A0553 for <ntp@ietfa.amsl.com>; Mon, 8 Mar 2021 02:43:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TiWsMIWlxRBQ for <ntp@ietfa.amsl.com>; Mon, 8 Mar 2021 02:43:35 -0800 (PST)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D194C3A046B for <ntp@ietf.org>; Mon, 8 Mar 2021 02:43:34 -0800 (PST)
Received: from seppmail.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id E81B071C0918; Mon, 8 Mar 2021 11:43:32 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg.de; s=dkim; t=1615200213; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=NC9vFqECmuQO4p1ldYJhwtp6GmRyjNJ1hNOhBifBCew=; b=jOIO1RuUkWERWLiuTSU19HMowtD8qKQWiUsAg2533grH6rZPeEBxnBJ4w/oA9B4ihFKBuy +Q4G+uZwO7G+u7hR7U95F8n1oYrPy5F243eo8OwpdGroaHZq7UXdHUXXoJT0O7oV/sZsR8 ninGbcf7RFS6e6Er4SipMjTfrUWJT7w/O4x5gcSLJCs2JS/HiD2etKLRsdiI/+LEaBG8FY 88EmJOVZbJUw+mOWFDeZ8uVg9oJ1l0Iw36d6IVO4Cqqn+jTmTU1Ru9KhGz/qjKHsw7S6o1 DkWAPyLMKjIwjjDGTke22+rSIRiPtLmdB92chJpvKzx9/mjqDvwRI0ht5w23UA==
Received: from srv-kerioconnect.py.meinberg.de (srv-kerioconnect.py.meinberg.de [172.16.3.65]) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by seppmail.py.meinberg.de (Postfix) with ESMTPS; Mon, 8 Mar 2021 11:43:32 +0100 (CET)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/16.46.21021202
Date: Mon, 08 Mar 2021 11:43:29 +0100
Message-ID: <6C614D22-A00E-432E-A65E-9A21F8B4476E@meinberg.de>
Thread-Topic: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
References: <CACsn0cnz1GfKUKn6q61qmAbs=VPgTGFZnP=kEeQHk9CUxLACXg@mail.gmail.com> <f51dfb1db7c843ecaf58efac526d30ef@ostfalia.de>
In-Reply-To: <f51dfb1db7c843ecaf58efac526d30ef@ostfalia.de>
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+NmUxZmZlYTJhY2NhZTU2Mg==
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: "Langer, Martin" <mart.langer@ostfalia.de>, Watson Ladd <watsonbladd@gmail.com>, NTP WG <ntp@ietf.org>
X-SM-outgoing: yes
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----82164E472C250A378102CD60C660B506"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/FiVLb4YMFc11Aopi6hNZE3qeJLk>
Subject: Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 10:43:39 -0000
Hi WG, I would agree that we should stay as close as possible to NTS4NTP here. I propose to focus on unicast first, as this is closer to the NTS4NTP use case and “easier” to protect than Multicast communication. Securing multicast NTP and PTP is for sure a different beast. As multicast is the prevalent mode of operation for PTP, I would expect that once we found a good solution for PTP in the future, we can adopt this for Multicast NTP as well. And vice versa, since Unicast is the prevalent modus operandi for NTP, we should re-use what has been already developed here for PTP. My proposal would be to use exactly the same NTS mechanisms for unicast PTP that we use for NTP, with one addition: First step is, just like with NTS4NTP, to run the NTS-KE procedure between the NTS/PTP client and the NTS-KE server to allow the client to obtain a number of cookies. Then, use those cookies when running the unicast message negotiation between the NTS/PTP client and the Unicast PTP grandmaster. As far as I can see, up until this point the mechanism can be very similar to NTS4NTP. We most probably need a different cookie format, but the rest should be OK. Once we did 1 + 2, the unicast master will start the PTP packet transmission to the authenticated (via the cookie) PTP client. The client will also start sending Delay Req packets and requires the GM to respond with unicast delay responses. During this packet transmission phase I propose to use the S2C to secure the packets from the GM to the client (ANNOUNCE, SYNC, DELAY_RESP) and the C2S key to secure the packets from the NTS/PTP client to the GM (i.e. DELAY_REQ). The question is how often we need to change the S2C and C2S keys to avoid that some MITM gets enough time to break the keys before they change. As far as I understood, those keys are part of the cookie and could change in every cookie. That would result in the NTS/PTP client to use a different key after every successful unicast negotiation, something that happens very frequently (and can be configured / chosen by the client). This way we could support higher packet rates without any problems as the cookie-secured communication would be limited to the unicast negotiation phase. Regards, Heiko -- Heiko Gerstung Managing Director MEINBERG® Funkuhren GmbH & Co. KG Lange Wand 9 D-31812 Bad Pyrmont, Germany Phone: +49 (0)5281 9309-404 Fax: +49 (0)5281 9309-9404 Amtsgericht Hannover 17HRA 100322 Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung Email: heiko.gerstung@meinberg.de Web: Deutsch https://www.meinberg.de English https://www.meinbergglobal.com Do not miss our Time Synchronization Blog: https://blog.meinbergglobal.com Connect via LinkedIn: https://www.linkedin.com/in/heikogerstung Von: ntp <ntp-bounces@ietf.org> im Auftrag von "Langer, Martin" <mart.langer@ostfalia.de> Datum: Sonntag, 7. März 2021 um 18:06 An: Watson Ladd <watsonbladd@gmail.com>, NTP WG <ntp@ietf.org> Betreff: Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Hello Watson, first of all thank you very much for the feedback. It is a challenge for me to design the protocol. NTS4PTP is much more complex than NTS4NTP because the requirements are very different. Tomorrow there will probably be an update of the draft which will include the missing chapters. Here once briefly my comments to your feedback: 1) ..."first concern is that this draft doesn't play nicely with NTS"... The message/communication structure is indeed a problem. While with NTP we only have a generic request/response to the NTS-KE, with PTP I have to distinguish between different message types (e.g. unicast/multicast). While with NTS4NTP the communication between time server and NTS-KE is implementation specific, with NTS4PTP it has to be defined. This makes it more complex and currently collides with the "NTS Next Protocol Negotiatin" record. I am open to any suggestions. 2) ..."second concern is cryptographic"... For keys, we need to distinguish between multicast and unicast. For multicast we use a group key. This has to be generated, distributed and managed accordingly by the NTS-KE. A derivation from the TLS session would therefore not be possible, since all participants need the same key. With unicast it would be possible, but it makes it more complicated. Theoretically a PTP client ('requester') can get up to 10 security associations per request, depending on the PTP profile. The transport of the security parameters to the grantor (e.g. PTP time server) is done via an encrypted ticket (similar to the cookie in NTP). The cookie solution as with NTP cannot be applied to PTP, because the message rate is much higher in PTP and the grantor is stateful. So tracking protection and parameter outsourcing are not needed. The keys all have a certain lifetime and have to be updated periodically. For NTS4PTP this is done by the NTS-KE. With NTS4NTP it is done by the time server. But I still see a problem with NTS4NTP: The MasterKey is rotated, S2C and C2S are not. This contradicts a bit the key freshness (if I am right). But here's a question: in what way is it worse to generate a random number (CSPRNG) instead of deriving it from the TLS connection (TLS Key Exporter)? 3) ..."Group keys have weaker authentication"... Yes, with a group key we have poor source authentication. To solve this we would need an approach with asymmetric cryptography (slow) or delayed key disclosure like TESLA (vulnerable and complex). I don't know of any better alternatives. ... anyway, thank you very much. Tuesday I'm unfortunately not at the IETF meeting due to an exam. best regards, Martin ------------------- Martin Langer, M.Eng. Ostfalia Hochschule für angewandte Wissenschaften - Hochschule Braunschweig/Wolfenbüttel University of Applied Sciences Labor Datentechnik, Labor Design Digitaler Systeme Fakultät Elektrotechnik Salzdahlumer Straße 46/48 38302 Wolfenbüttel Germany Tel.: +49 5331 939 43370 Web: https://www.ostfalia.de/cms/de/pws/bermbach/mitarbeiter/martin-langer Von: ntp <ntp-bounces@ietf.org> im Auftrag von Watson Ladd <watsonbladd@gmail.com> Gesendet: Freitag, 5. März 2021 20:55:22 An: NTP WG Betreff: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Dear WG, I recognize that this is a pretty early draft and so I'm going to focus on the aspects that are outlined that I think may be problematic, rather than nitpick the clear and well written, although somewhat incomplete text. My first concern is that this draft doesn't play nicely with NTS. NTS doesn't have a hierarchical record structure defined, deliberately to avoid a well-trod class of security and correctness issues. An NTS way to do this would be to unmake the PTP key grant structure and send a NTP Next Protocol Negotiation field directly, and use new noncritical PTP server or group negotiation messages. Obviously it's a bit complicated by the layering of PTP. My second concern is cryptographic. Instead of deriving the key from the TLS handshake, the server sets it. We didn't do this in NTS for NTP for a reason. The way we do forced key rotations is by getting new tickets. Group keys have weaker authentication and security properties than a tree of unicast associations. I think this is an important draft that covers a real usecase, but should try to break the flow of NTS a bit less. I hope these comments are useful. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp _______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] Comments on draft-langer-ntp-nts-for-ptp Watson Ladd
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Miroslav Lichvar
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Miroslav Lichvar
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Miroslav Lichvar
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Hal Murray
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Dieter Sibold
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Miroslav Lichvar
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Miroslav Lichvar
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Doug Arnold
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Langer, Martin
- Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp Heiko Gerstung