Re: [Ntp] A simpler way to secure PTP

Daniel Franke <dfoxfranke@gmail.com> Tue, 11 May 2021 19:39 UTC

References: <CAJm83bCpio5WwigY6nc9Y0Gt_XSdjUV=sHUz04dOQ0zELPwZxw@mail.gmail.com> <886DDD0D-AB9A-43A1-999B-FC296D680434@meinberg.de>
In-Reply-To: <886DDD0D-AB9A-43A1-999B-FC296D680434@meinberg.de>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 11 May 2021 15:39:27 -0400
Message-ID: <CAJm83bDKrecB0d=hTZDkCiS2xnFyOHJf+Apcxkg6TnvFbdB0nA@mail.gmail.com>
To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/IWfxaSVkD6UvrzoGSC51RI-nY44>
Subject: Re: [Ntp] A simpler way to secure PTP

On Tue, May 11, 2021 at 3:14 AM Heiko Gerstung <heiko.gerstung@meinberg.de>
wrote:

> However, especially unicast PTP is a great traffic amplification tool,
> maybe one of the biggest traffic amplification machines of all times. And I
> also believe that it would be great to (re)use the general concepts of NTS
> to secure the other popular time transfer protocol out there.
>

Amplification is definitely worth fixing, but ISTM this should be
orthogonal to the NTS effort. You don't need message authentication for
that, you just need the client to prove (and maybe occasionally re-prove)
that it's able to receive packets at a particular IP address. There may be
some crypto involved in doing so (a la TCP SYN cookies), but it doesn't
have to be related to NTS crypto, and servers shouldn't have to require all
their clients to support NTS just to prevent themselves from being
exploited for amplification.
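As an added illustration, not code from this thread or from any PTP implementation, the following sketches the SYN-cookie-style reachability proof the message describes: a server hands out a stateless cookie bound to the claimed source address and a time window, answers with nothing larger than the request until that cookie comes back, and only then sends a full-size reply. The packet format, constants and secret are assumptions made for the example.

```python
import hmac
import hashlib
import ipaddress
import struct

COOKIE_LEN = 16           # truncated HMAC tag (assumed size)
EPOCH_SECONDS = 60        # cookie rotation window; the previous window is still accepted
CHALLENGE_FLAG = b"\x01"  # assumed wire flag: "prove you can receive at this address"
DATA_FLAG = b"\x02"       # assumed wire flag: request/response carrying data
# Constructed stand-in for a large unicast reply that would be worth amplifying.
LARGE_RESPONSE = b"\x00" * 512


def make_cookie(secret: bytes, ip: str, port: int, epoch: int) -> bytes:
    """Stateless cookie: HMAC over (source IP, source port, time window)."""
    addr = ipaddress.ip_address(ip).packed
    msg = addr + struct.pack("!HQ", port, epoch)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def cookie_is_valid(secret: bytes, ip: str, port: int, cookie: bytes, now: int) -> bool:
    """Accept the current window and the previous one so rotation never strands a client."""
    epoch = now // EPOCH_SECONDS
    return any(
        hmac.compare_digest(make_cookie(secret, ip, port, e), cookie)
        for e in (epoch, epoch - 1)
    )


def handle_request(secret: bytes, src_ip: str, src_port: int, request: bytes, now: int) -> bytes:
    """Return the bytes the server sends back to src_ip:src_port (empty = drop)."""
    if len(request) < 1 + COOKIE_LEN:
        return b""  # too small to pay for even the challenge reply: drop it
    cookie = request[1:1 + COOKIE_LEN] if request[:1] == DATA_FLAG else b""
    if cookie_is_valid(secret, src_ip, src_port, cookie, now):
        return DATA_FLAG + LARGE_RESPONSE
    # Reachability not yet proven: reply with a challenge no larger than the request,
    # so a spoofed source gains nothing from the server.
    return CHALLENGE_FLAG + make_cookie(secret, src_ip, src_port, now // EPOCH_SECONDS)


def amplification(request: bytes, response: bytes) -> float:
    """Bytes sent by the server per byte received; the goal is to keep this <= 1 for unproven sources."""
    return len(response) / len(request)
```

A client that really owns the address simply copies the cookie from the challenge into its next request; a spoofed request only ever earns the spoofed victim a 17-byte challenge.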