IETF Logo Mail Archive

Re: [Ntp] Draft extension NTS for pools

Miroslav Lichvar <mlichvar@redhat.com> Thu, 11 January 2024 11:56 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22DEC151553 for <ntp@ietfa.amsl.com>; Thu, 11 Jan 2024 03:56:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wextZu-FDJRX for <ntp@ietfa.amsl.com>; Thu, 11 Jan 2024 03:56:55 -0800 (PST)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26C12C14F619 for <ntp@ietf.org>; Thu, 11 Jan 2024 03:56:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1704974214; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Gd515xzwamPSBK5nG0LTZ592wkY5p/MFmi3zzYiCxHc=; b=JP5lrsKHUuwAUU6UFAhgUm33RopoCGGSFU3adJOPcx0PfB7hF6ofuxrlqS2hJ1a3IdhmYi lc1TgvuP0WLJ6n1JAOHsmMuf5pK+Gw0i91FkbI9PqOxKjWEJv9KFAchx1gmzX0F3NRwW/i AC2qlr5trcLrbIS6q728EItOadBEQ2E=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-67-bSuXY5g5NDuQu9LHbQtg7w-1; Thu, 11 Jan 2024 06:56:50 -0500
X-MC-Unique: bSuXY5g5NDuQu9LHbQtg7w-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A331D811E86; Thu, 11 Jan 2024 11:56:50 +0000 (UTC)
Received: from localhost (unknown [10.43.135.229]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 2319B3C25; Thu, 11 Jan 2024 11:56:49 +0000 (UTC)
Date: Thu, 11 Jan 2024 12:56:51 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: David Venhoek <david@venhoek.nl>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <ZZ_Xgzq2TqjpVbNS@localhost>
References: <CAPz_-SWidPW1bACgt_dN7saGfjPYbXtZLbqFpTGhPj5OOK4xYg@mail.gmail.com> <ZZUIG_6jxqtb0e5T@localhost> <CAPz_-SVpt_oz2GxO7Tn=0=tXxYdMnFWvtmFyAG4HgFipvku29g@mail.gmail.com>
MIME-Version: 1.0
In-Reply-To: <CAPz_-SVpt_oz2GxO7Tn=0=tXxYdMnFWvtmFyAG4HgFipvku29g@mail.gmail.com>
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.1
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/GxpwWTr2plU4bddZ-62UHZSA3Hc>
Subject: Re: [Ntp] Draft extension NTS for pools
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2024 11:56:55 -0000

On Wed, Jan 10, 2024 at 12:26:18PM +0100, David Venhoek wrote:
> We have thought about similar approaches (in particular the suggestion
> from Christer Weinigel at the hackaton in London to do this with dns
> SRV records), but we in particular decided very early on to focus on
> an approach which doesn't require any modifications to the client.
> 
> We made this decision because we feel that this drop-in compatibility
> is one of the key factors also behind the success of the original ntp
> pool. Requiring modifications to clients would slow adoption and will
> likely result in clients (at least in the short and medium term) that,
> although they do support nts, will not work together with such a pool.

I don't see advantages of this approach over what is already possible.

If you are willing to modify the servers (but not clients), why do all
this complicated proxying when the server accessible under the pool
name could be running full NTS-KE itself and generating keys (e.g.
once per week) for the other servers running only NTS-NTP?

The TLS load of the NTS-KE server would be halved as it doesn't
have to connect to other servers as a client. The keys don't have to
be shared among the NTS-NTP servers (potentially running by different
people). The NTS-KE server can select the keys according to the NTP
server negotiation record.

If the goal is to interoperate between different NTS-NTP/NTS-KE
implementations, we can specify a protocol or file format for
exchanging the server keys and their validity period.

-- 
Miroslav Lichvar

v2.23.0 | Report a Bug | By Email