[Ntp] Minutes from the NTP/TICTOC session at IETF 105
"Dieter Sibold" <dsibold.ietf@gmail.com> Fri, 26 July 2019 22:04 UTC
Return-Path: <dsibold.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E33F7120173 for <ntp@ietfa.amsl.com>; Fri, 26 Jul 2019 15:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x7IxMOLxfSBq for <ntp@ietfa.amsl.com>; Fri, 26 Jul 2019 15:04:31 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90035120181 for <ntp@ietf.org>; Fri, 26 Jul 2019 15:04:31 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id v22so40185277qkj.8 for <ntp@ietf.org>; Fri, 26 Jul 2019 15:04:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=qOMkNdRnRr1z/wUhV5tTLVwzMutIK3UVI+aNZG6OOVs=; b=JI0L1+Ixjym7lJMAmm6jv05iYG5rwS9fBYfQ3b78oQeT9afovPMsDvkshDa8NhcB7e MxlvSc51KBSDrnUdn9lg5J+TtpDwLtk+3RI6lsaDixDmrguAD7WhdARIqExs5/PRYcIJ HNFOFTsTfLOS91PQohjQ/8RFXpOhyHmFHBYOopTFYUz0DlCL14hdIdkt+zRZhGFA14Bv I6g2vLmuSS2NFTglw7WxrqExw4lqSi3c/kEuvL/xPbs6e1zD4e2sr9zWL/nv0jp2ICn3 wAkQz0+r1XjYQGmpw6eRYMBt0iB5ieDZ6yOEri38UKsQnnsSef9xcH1NYhIlzoQG8VE3 6VHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=qOMkNdRnRr1z/wUhV5tTLVwzMutIK3UVI+aNZG6OOVs=; b=hoy3jENCZSiimr/TTwQ62t6hBlEew9wGWzPVEe4LuUtnmZYIpk6OnzLUPZMWTvmZpp WOpW7q8ofyr1tsDV0bX2u8mBo83skQX3np7SiqMOXHfs2n37LVQl/DynyhENsU7ppPYK L9qoFWj+uiHIT2lx8mtsB6WvTJ0kwmZl0SfMS7E09RrocSWtuj49ge9PKtc3EYeHRr50 cGloB6i6RWfoowJifNz1402mt1pL9/f1b581VroF9fHIWhtZ/CkK5e1mjOR35P1vB7oz 8EeybVI51XFQmSyLF9Uo9ZcaEkX665i5bU+QKhREWFw/c8oi2mnyp+zt3eHTU/isLTMN Z4+Q==
X-Gm-Message-State: APjAAAW5DBCFxpsZKfHYkKrkDixYsY9/ZmgGGAC7N3oexCzJJ3wCOEUa 9whuUl38MQh7rNq+w096SdpVzGH5p4g=
X-Google-Smtp-Source: APXvYqw9IPlu4nIJBLBrzpiD502UigV1ZQFul8ga7h8kS4+hOPUcY+mOC7J6w/m9JQUl5MIrdYeDRA==
X-Received: by 2002:a05:620a:166a:: with SMTP id d10mr61236871qko.195.1564178670247; Fri, 26 Jul 2019 15:04:30 -0700 (PDT)
Received: from [192.168.75.97] ([207.164.201.138]) by smtp.gmail.com with ESMTPSA id t67sm23651428qkf.34.2019.07.26.15.04.27 for <ntp@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jul 2019 15:04:29 -0700 (PDT)
From: Dieter Sibold <dsibold.ietf@gmail.com>
To: NTP WG <ntp@ietf.org>
Date: Fri, 26 Jul 2019 18:04:24 -0400
X-Mailer: MailMate (1.12.5r5635)
Message-ID: <FA6F8EFE-D6AF-4EE5-A7B5-5F26E112BB7B@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/IM_-9DjtimFTy2gVnll1XLaXsdA>
Subject: [Ntp] Minutes from the NTP/TICTOC session at IETF 105
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2019 22:04:35 -0000
Dear all, below, please find the minutes from the last NTP/TICTOC session. They are also on the datatracker: https://datatracker.ietf.org/doc/minutes-105-ntp/ Many thanks to Tal for taking the minutes. Dieter =============================== NTP Session IETF 105 - Montreal Monday, July 22, 2019 15:50-17:50 (UTC-04:00) Meeting Minutes =============================== WG chairs: Karen O'Donoghue, Dieter Sibold Meeting minutes: Tal Mizrahi Jabber: Rich Salz Chair Slides ------------ Presenter: Karen O'Donoghue Slides: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-ntp-wg-chair-slides-00 Summary: - Note well was presented. - The agenda for the current session was presented. - Agenda bashing: nothing proposed. - We will start with TICTOC related issues. - After that we will go to the NTP session. - NTP status: - The NTP BCP was finally published ! Thanks to Denis, Dieter and Harlan. - Three documents that are ready to proceed to the IESG: NTS, Guidlines for defining packet timestamps, and Interleaved Mode. These documents will be submitted to the IESG for publication in the next few days. - There was a virtual hackathon this weekend. Further details to follow. ============== TICTOC Session ============== Summary: - The IEEE 1588 Enterprise profile draft is ready to go the IESG. - Working group will conclude soon. - The following presentation is related to TICTOC. Secure Enterprise Data Center Profile for IEEE 1588 Precision Time Protocol (PTP) --------------------------------------------------------------------------------- Presenter: Doug Arnold Presentation: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-secure-enterprise-data-center-profile-for-ieee-1588-precision-time-protocol-ptp-00 Draft: no draft Summary: - A short update about the IEEE 1588 standard revision, which is near publication. - A secure profile of IEEE 1588 for enterprise and data center networks. - Mainly for the financial industry. - Synchronization requirements are not very stringent. - One of the goals is to reuse key exchange mechanisms that are already deployed in data centers. Discussion: - Tal Mizrahi: interesting work, relevant to this working group. Have you considered other applications than financial, and other accuracy requirements? - Doug: not at this point. The main target customer we have been hearing from is the financial industry. - Stu Card: anything related to White Rabbit? - Doug: White Rabbit is very interesting to high frequency trading. In this context we are talking about the regulatory compliance in financial networks, which is on the order of 100 microseconds, and white rabbit is less interesting. - Watson Ladd: you mentioned key exchange. Have you considered the NTS key exchange? - Doug: we have not got to the point of choosing a specific key exchange. These networks will also run NTP, so a common key exchange may be useful. - Stu Card: anything related to PTP over unstable links, such as wireless? - Doug: not in this context. There is some work in 802.1 to support WiFi, but not relevant to this work. - Daniel Franke: an accuracy of 100 microseconds can be achieved in NTP in a LAN. Why not use NTP? - Doug: right, you can get this accuracy with NTP. Customer are asking for PTP because they are anticipating the future, expecting these requirements to become more strict. - Daniel: you need a trusted path between the source and client. That is the main issue. - Doug: hardware timestamping in NTP can get a very accurate time transfer. On the other hand customers are expecting secure PTP. - Daniel: if it does not solve a technical problem then it may not be interesting to solve in the IETF. - Doug: PTP is popular in a lot of industries because transparent clocks and boundary clocks are more available than edges with hardware timestamping. - Karen: I am not sure we will resolve this. - Kristof Teichel: I agree with Daniel that one way communication will always be subject to delay attacks regardless of cryptography. We are working on combining one-way and two-way approaches. Using a two-way approach in PTP will be useful. - Doug: PTP usually uses a two-way approach. You have a point that the reference delay may be calibrated for a link, and then this information can be used as a reference for detecting attacks. - Karen: the revision of IEEE 1588 called version 2.1 that will be published soon will include a security TLV, but this is just the beginning of the work on security. The more we work together on this the better. =========== NTP Session =========== NTP Hackathon Summary --------------------- - There was a remote hackathon on the weekend on NTS. - The relevant people are not available to give an update. - A summary of the test results will be available on the meeting materials page: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-hackathon-results-01 - We will set up a separate mailing list for implementation aspects, and announce it on the NTP mailing list. A YANG Data Model for NTP ------------------------- Presenter: Dhruv Dhody Presentation: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-a-yang-data-model-for-ntp-00 Summary: - The draft was updated based on comments. - More comments will be addressed soon. - NTS is currently not part of the YANG model. The authors suggest to continue this in a future document. Discussion: - Suresh Krishnan: I believe the NTS should be in the current YANG model. The YANG model does not have to wait for NTS to be published. - Dhruv: this may hold back the document. But we need to do the right thing. - Karen: we may want to separate the NTP server from the NTS implementation. Logically these are different modules. - Suresh: but there is some commonality. We need to do the right thing. - Dhruv: I want to know how the working group feels. - Harlan: is there a reference implementation of the YANG model? Is it possible to use any of the existing authentication methods with this YANG model? - Dhruv: reference impelmentation: we have something very basic, but not production quality. Regarding the authentication - the private key part is there. Autokey - does not exist. NTS - does not exist. - Suresh: it is possible to send the draft out like this, but make sure we do not have to do a bis version of this work. - Dhruv: it will definitely not need a bis version. It is always possible to add more content by augmentation. Port Randomization in the Network Time Protocol Version 4 --------------------------------------------------------- Presenter: Fernando Gont (remote) Draft: https://www.ietf.org/archive/id/draft-gont-ntp-port-randomization-03.txt Presentation: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-port-randomization-in- the-network-time-protocol-version-4-00 Summary: - We want to ask whether there is interest to adopt this draft in the WG. Discussion: - Karen: can you summarize the traffic on the mailing list? - Fernando: regarding port randomization on a per-transaction basis - packets may go through different paths, and affect synchronization. Therefore the document chose to randomize on a per association basis. Another comment from Danny is that this does not address blind attacks. We argue that it addresses blind attacks in the transport layer, but it is independent of other layers, where blind attacks may be performed. - Karen: any further comments about adoption? - No answers. - Karen: does anyone oppose? - No answers. - Watson: I would be willing to read it and send comments. - Harlan: willing to review. On Implementing Time -------------------- Presenter: Aanchal Malhotra Summary: - No major changes. - One editorial change. - Karen: Any comments about adopting the document? - No comments. - Karen: we will look at adopting it. Roughtime --------- Presenter: Aanchal Malhotra Summary: - Two major changes: 1. Timestamp section: we have updated to the Julian date format, and 2. how Roughtime addresses delay attacks (thanks Tal). - Some clarifications from Marcus related to implementation. - Karen: any questions or comments? - No comments. - Watson: I am a co-author. We are working on adjusting the PLL based on time estimates. Please let me know if people think this is necessary. - Karen: we will consider adoption. A Secure Selection and Filtering Mechanism for NTP -------------------------------------------------- Presenter: Neta Schiff Draft: https://datatracker.ietf.org/doc/draft-schiff-ntp-chronos Presentation: https://datatracker.ietf.org/meeting/105/materials/slides-105-ntp-a-secure-selection-and- filtering-mechanism-for-the-network-time-protocol-version-4-00 Summary: - A short reminder about Chronos. - A summary of the comments received, and how they were addressed. Discussion: - Harlan: is this appropriate for authenticated, or for un-authenticated time? - Neta: we believe both. - Harlan: how does this work with un-authenticated time? - Neta: we assume an attacker that has powerful access to servers or to paths. - Harlan: that is a stringent assumption. - Neta: right, also delay attacks are in scope. - Harlan: it is a pretty big assumption over a large number of servers. - Neta: right, we are considering stringent assumption. - Suresh: one thing I like is that the threat model is such that we usually assume that endpoints are not compromised, but this draft does not assume that. I like this draft. - Danny: might be useful if tied together with an NTP server. - Neta: Chronos is intended for the client side, allowing easier deployment without affecting existing servers. How servers can be improved is for further research. - Karen: any other questions? - Karen: Neta will be presenting this work tomorrow in IRTF open, as she is the winner of the ANRP prize this IETF meeting. AOB --- - We have some pending call-for-adoptions. - The ref ID document may be ready for working group last call. - Harlan: should be ready to go. - Extension field drafts will also be ready for working group adoption soon. - Aanchal: what about the data minimization draft? - Karen: it went through WG last call. Waiting for some comments. We need to check again, and but I believe it will be ready to be sent to the IESG. - Harlan: I did not receive any responses to the comments for the data minimization. - Karen: we need to review the mailing list. I thought we were waiting for information from Harlan. - Harlan: did not know any information is missing. - Karen: we will hold virtual interims. We may hold virtual hackathons for NTS. - Karen: adjourned early. See you next IETF meeting. Adjourned at 16:58.
- [Ntp] Minutes from the NTP/TICTOC session at IETF… Dieter Sibold