[Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Marius Rohde <marius.rohde@meinberg.de> Tue, 01 June 2021 07:43 UTC


Hello Daniel,

With some aspects of your argumentation, I do not agree.

Firstly, from a security point of view, every network that is not just 
accessible physically or logically by privileged persons, processes or 
computer systems should be considered insecure. And that is not just 
true for the Internet ;). To rely only on firewalls is a flaw in the 
design of the infrastructure. You should always implement as many lines 
of defense as feasible. Additionally, think of misconfigurations, 
insiders, or everything you have not been thinking about.
Do not get me wrong, I know that it is always a question of risk 
management how much time and resources an attacker has to invest to 
break the system. I think our part is not to decide which risk/security 
goals people should achieve but to give them well documented 
opportunities to get the security level they need.

IMHO NTS4NTP/PTP is currently not on the same level of security as 
NTS4UPTP because it does not provide the security to adequately ban the 
amplification monster PTP nor the guaranteed PTP precision in the 
borders of NTP. Even the mix of a unicast time protocol to “secure” the 
broadcast/multicast part of another time protocol seems quite ugly to me.

In addition, I am not convinced that NTS4NTP/PTP would make it easier to 
set up a PTP infrastructure than to use NTS directly built into the 
protocol, from a user's point of view.

I do not have a crystal ball and cannot say what will be tomorrow but to 
say - today people are not using it over the internet, so we need no 
additional security - is not a valid argument.

With kind regards
Marius Rohde

MEINBERG Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-0
Fax: +49 (0)5281 9309-230
Amtsgericht Hannover 17HRA 100322
Managing Directors: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko 
Gerstung
Email: marius.rohde@meinberg.de
Internet: www.meinberg.de / www.meinbergglobal.com / www.meinberg.academy