Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-for-ntp-27.txt
Ragnar Sundblad <ragge@netnod.se> Thu, 26 March 2020 13:01 UTC
Return-Path: <ragge@netnod.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 979423A0CF6 for <ntp@ietfa.amsl.com>; Thu, 26 Mar 2020 06:01:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netnod-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OlL3E80ldTX for <ntp@ietfa.amsl.com>; Thu, 26 Mar 2020 06:01:22 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67E6E3A0CEC for <ntp@ietf.org>; Thu, 26 Mar 2020 06:01:22 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id n17so6283343lji.8 for <ntp@ietf.org>; Thu, 26 Mar 2020 06:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netnod-se.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LQCXzNLFD5HoLfXGnvWOEpdoEy1VOSfy1Cl+HD/qBmM=; b=KoU/bOBIpxJvRGDVbW4fie357zfOGadjA+MsB5CMwLq+XrG4TWGx8pjm+aMgT1fvp7 /4sTU9Sp54M0r5KxfguUsj3IFK/F1t2gqhwkltU7ZVRt6AAn5O134NeJMQ1wLuh1QPsd XnSg5atHOwn9g9CV0Zurg9a+dwFQI5WmigpCYy5NMBVa1oXDrHrkR1gLiG+vjSlDmJV/ 27RFtlQWhzvevpnLEuteWW5uHExPZnQNuYxUUyummCF1h5MA/HORpOVamecl2uWpAG9n U/UhqlZA56Z6X2rT9dkPp0LHw+MqR5V+xy3Ux4iKKV+r8oeoi8C2IanVXEH0d3iDFvNs 5XxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=LQCXzNLFD5HoLfXGnvWOEpdoEy1VOSfy1Cl+HD/qBmM=; b=M0perv5u86joSX2niPmk/HiwEk6k7v/I/vBOKacLu9KVDmazq7UOVnHiFwdYZ4BJSX 5JuqzFsbl440cmuxg4+Efnu1RvL/MPXxT9KAFE+yCr6PStQ8k5AZhP0EVwrhvrd2KSNd XEYY3vSUreX0xTbOdffwU00n6q9l8Q6hUpV180gxcdxVESaTQSPPGvQrHel6qZ4+Xluh GmIYJoYZtSZzer3+ZirVwRcKzls2q43Sqb9s7cTEbBBY2EzGCkutTc2/Dipnbi8zfy6J u2Bfc1yFht1yLS2jCyJMTsxvikZ9SYQXSsAJytBCx/AoJjFqte8lvyRaPwHUeK/1AIx9 PHIQ==
X-Gm-Message-State: ANhLgQ2ZYU6/3VrCQMGBnfRbMNZMbqjEQ6u+u9WY2Dt6e043U1oqnpms gWsOtHBz8GYkN6qklQSHUnHLBw==
X-Google-Smtp-Source: APiQypKVkzrKUUzOO8BUDfAKxMjcoyuEJS/l5QjFWh3PUZYZVtm7PhFz8siUhDM9rxc3ilIN2DUClQ==
X-Received: by 2002:a2e:85c6:: with SMTP id h6mr4979054ljj.218.1585227679520; Thu, 26 Mar 2020 06:01:19 -0700 (PDT)
Received: from [10.0.1.14] (h-122-211.A530.priv.bahnhof.se. [213.80.122.211]) by smtp.gmail.com with ESMTPSA id a19sm1413505ljm.48.2020.03.26.06.01.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Mar 2020 06:01:17 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Ragnar Sundblad <ragge@netnod.se>
In-Reply-To: <20200326113745.GC9039@localhost>
Date: Thu, 26 Mar 2020 14:01:16 +0100
Cc: ntp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <97BDCE6D-205D-4727-A585-602AD141B245@netnod.se>
References: <158507294813.11622.18159158243943940302@ietfa.amsl.com> <20200325115834.GC25803@localhost> <74B1B8F5-5762-4AB1-B3F2-D5AC2BC325C1@netnod.se> <20200325145956.GF25803@localhost> <400E7210-ABB7-48F7-B52D-A69A96968255@netnod.se> <20200326095602.GB9039@localhost> <842BEA8F-35F7-41B7-8FEC-30515F88A60D@netnod.se> <20200326113745.GC9039@localhost>
To: Miroslav Lichvar <mlichvar@redhat.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/J0ILMH0RVN9UrV9Hm-SV07DAnXw>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-for-ntp-27.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2020 13:01:25 -0000
> On 26 Mar 2020, at 12:37, Miroslav Lichvar <mlichvar@redhat.com> wrote: > > On Thu, Mar 26, 2020 at 11:49:57AM +0100, Ragnar Sundblad wrote: >>> On 26 Mar 2020, at 10:56, Miroslav Lichvar <mlichvar@redhat.com> wrote: >>> But it seems we don't agree on how long actually will be the NTS >>> sessions. You seem to be saying that a short initial interval in the >>> exponential backoff is ok (in the name of simplicity), because the NTS >>> sessions will be so long that the average rate will be insignificant >>> over those long periods. Is that correct? >> >> Hmm, I don’t think so. Also, do you mean one KE negotiation is one session, >> or from one KE negotiation to the next one, if the clients reboots runs out >> of cookies is one session? > > By session I mean how long the client is using or trying to use the > server, including all NTS-KE and NTS-NTP requests. Ok! Yes, then I think you could say so. >> I did mean, that the initial 10 seconds will only be 10 seconds if the server >> is up but will not accept the TCP connection, if for example the listener >> has not started, or is so overloaded that the TCP connection queue is full >> (and this will be very cheap for the server, handled by TCP). >> If the server is not up or not reachable, TCP will retry for a while before >> giving up. (This will of course not cost the server anything.) >> If the server accepts the TCP connection but is overloaded and slow to >> respond, the client will just wait for the request to be handled (and could, >> likely should, timeout after a while). There is no extra cost for the >> server for this, really. > > Yes, but I'm concerned with the cases where something breaks after the > connection is made and when much more resources are wasted per > request. Oh, so you think there is a risk that both the KE negotiation works and at least one NTP requests works, and soon thereafter the connection breaks, frequently? I am not sure why that would happen very often, but if it did, there Should at least be 8 NTP requests (until the client has exhausted its cookies) until it contacts the KE server again. >>> Computers >>> are shut down or suspended frequently. >> >> If they are suspended, there is no need to renegotiate. > > Usually, but the system may need to restart the NTP client due to a > different DHCP configuration for example. (If it is implemented like that, persistent cookies could be a nice addition.) But this is also something that isn’t affected by the retry timer constants - it should work on the first attempt anyways. >>> Clients are switching between >>> different servers of a pool. >> >> Only when the ntp client is restarted, right (at least with the clients >> of today). > > No, clients may switch between servers when they become unreachable > (e.g. due to rate limiting). I see this often with my mini-pool of NTS > servers. Oh really, I didn’t know. So chrony does that? (Nice!) >>> I think it will take only a small portion of NTS clients to be >>> consistently failing in NTS-KE or NTS-NTP after the TLS handshake >>> (e.g. due to a network issue, bug, or incompatibility) and overwhelm >>> the server with their short retry intervals. >> >> They should not fail with a working server, why would they? >> And if they do, they will very quickly get to long retry intervals, >> and there is likely something broken with the server anyway. > > Well, as I said above, there are many reasons why NTS-KE or NTS-NTP > may be consistently failing. For example, an ISP may have a firewall > that blocks large NTP packets. NTS-KE will work as expected, but > no NTS-NTP reply will be ever received, so the clients will be > constantly restarting NTS-KE. If the clients were restarted once per > day and used the 1024*2^(n - 1) retry interval I suggested, the number > of NTS-KE requests would drop to 30%. Ok - in this case too, there should be 8 NTP requests before it contacts the KE server again, and it will increase the retry interval each time since it has not completed a full cycle of getting cookies and succeeded in using them. Ragnar
- [Ntp] I-D Action: draft-ietf-ntp-using-nts-for-nt… internet-drafts
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Salz, Rich
- Re: [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Hal Murray
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Hal Murray
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Hal Murray
- [Ntp] Antw: Re: Antw: [EXT] Re: I-D Action: draft… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] Antw: Re: Antw: [EXT] Re: I-D Action: d… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Harlan Stenn
- Re: [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-… Ragnar Sundblad
- [Ntp] Antw: Re: Antw: [EXT] Re: I-D Action: draft… Ulrich Windl
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Ragnar Sundblad
- Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-fo… Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-ntp-… Ulrich Windl
- Re: [Ntp] Antw: [EXT] Re: I-D Action: draft-ietf-… Miroslav Lichvar