Re: [Ntp] Pool and DNS
Marcus Dansarie <marcus@dansarie.se> Fri, 21 October 2022 09:43 UTC
Return-Path: <marcus@dansarie.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43B04C1524C0 for <ntp@ietfa.amsl.com>; Fri, 21 Oct 2022 02:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dansarie.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TlsIfYBXL3fT for <ntp@ietfa.amsl.com>; Fri, 21 Oct 2022 02:43:43 -0700 (PDT)
Received: from mail.dansarie.se (mail.dansarie.se [IPv6:2a02:7aa0:5000::14a]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACE0BC1522BC for <ntp@ietf.org>; Fri, 21 Oct 2022 02:43:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dansarie.se; s=mail; t=1666345410; bh=U1yBP/P6TFsaEejs/SQ2SFwEsKpb+CospQ92vb6L9sc=; h=Date:To:References:From:Subject:In-Reply-To:From; b=ZaOw7xssYe3rglBOEyDAvl860dEOzf6BmlDdvLMibnfB1kqiQvojGSnf82x4ER65U zWBeUM26/Bhv7HvQIETDyAg+GsDtPRCY9Av4ZiXb6xZ7rC7CfXDbR7UOOQ2t/owHWX b207yn1A5xsXzLykRK4hGrPObkvXl3pMQDnoEFAjHhPpiQG7aAcjTCKJMUrWFXGx02 iQpEEYZFqfpmGVwX7H9n5xe3OPf/cNLPDO6MA8wK5Sv/w0XKcGaepbN+sSSTVBDUFG iyVSevVZVOvCKetAYwhi989ZQGzEscxltZYhP/bjqazyw/IJoOAsbFy06ATC4B47Cx 1tUGh2RsoP+RQ==
Message-ID: <ca2aa8b2-343b-4a52-2ee0-721b1417afe1@dansarie.se>
Date: Fri, 21 Oct 2022 11:43:27 +0200
MIME-Version: 1.0
Content-Language: en-US
To: ntp@ietf.org
References: <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Marcus Dansarie <marcus@dansarie.se>
In-Reply-To: <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------HS0LW4qkzd5uzKioe51KZZgw"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/J92okTHKby-pyOMe2NHLIFY7uOs>
Subject: Re: [Ntp] Pool and DNS
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 09:43:48 -0000
On 2022-10-19 06:42, Hal Murray wrote: > The more interesting question is NTS. The NTS-KE step is fairly heavyweight, much more work than a DNS lookup. > > The current parameters are 8 cookies with a lifetime of a day. A day is 86400 seconds. That means we need to poll each server every 10800 seconds. With 1000 servers and M=15 (from the draft) that will take a Khronos poll every (10800/1000)*15 => 162 seconds. If Khronos runs at 10x the poll time of ntpd, that's not going to work. I think you're basing this on a couple of false assumptions. First, I don't know where the cookie lifetime of one day comes from. That's not specified in RFC 8915. In most cases, we would expect the cookie to be valid as long as the cookie encryption parameters shared between NTS-KE server and NTP server are not changed. This could potentially be a very long time. A client that uses Khronos could just keep a cookie cache for all servers in its pool and not require any larger poll time using NTS-enabled NTP servers than for non-NTS NTP servers. The only time NTS-KE handshakes should normally be required is the first time the client gets time from a particular server. > Of course, NTS doesn't work with the pool and I don't see how to fix that, so this is all a wild goose chase. We actually thought about pool applications when writing RFC 8915. The way to implement it is not very complicated: The pool administrator runs one or more NTS-KE servers. The NTS-KE servers have a shared key with each of the pool members and indicates which server the cookies are valid for using a NTPv4 Server Negotiation NTS-KE record. Clients can also request cookies for a particular pool member using the same record. (This may also solve the server removal problem, since clients would be expected to stop polling a particular server when they run out of cookies and the NTS-KE server refuses to assign new ones for that particular server.) > Maybe we should be comparing Khronos with 1 or 2 trusted servers using NTS. I think that combining NTS with Khronos could potentially create a really robust system, since Khronos detects attacks that NTS cannot protects against. Kind regards, Marcus
- [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Marcus Dansarie
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] [EXT] Pool and DNS David Venhoek
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Re: Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Leif Johansson