[Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Marius Rohde <marius.rohde@meinberg.de> Tue, 01 June 2021 07:43 UTC

Return-Path: <marius.rohde@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30A433A1EB6 for <ntp@ietfa.amsl.com>; Tue, 1 Jun 2021 00:43:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9Ms-F69jvoi for <ntp@ietfa.amsl.com>; Tue, 1 Jun 2021 00:43:05 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A4C23A1EB4 for <ntp@ietf.org>; Tue, 1 Jun 2021 00:43:05 -0700 (PDT)
Received: from seppmail.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 4A9BC71C077D; Tue, 1 Jun 2021 09:43:02 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg.de; s=dkim; t=1622533382; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=1tweAI/KnSMyIa1Yn/+Qdojyhv8U+yVyBVwq1IR89dM=; b=nYs+M18HFseF6Ntb884E1oa2uRg7n0qib8JWiOufhk6Csu/qkPh961fQrK2WAuyiugr2vA kHuLQkJqeop4LqzdKpmkMNZr+nhDw7uZDF1TLRy3QVpy5UFa1qUfgoaTMXg482UBH4lwMR ljDpHQQxt7jsVsnPNxwlNAzgDmgejdMVhlc19UdpE5DSRp3WBwfJ2R25LMxXRcsNO96DOM xVgdFp+ET4GRb/mbQInWMa6CK2ayM7U7+kHxMk1VxRZ8tvPUVgVC1pscu31HFNUlVD3QnO v/U5uC+F1sdlqzsTGQUEcmU539yRQ0ofA8GNdAArohJSkxlUHw4cfgM2zuN42g==
Received: from srv-kerioconnect.py.meinberg.de (srv-kerioconnect.py.meinberg.de [172.16.3.65]) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by seppmail.py.meinberg.de (Postfix) with ESMTPS; Tue, 1 Jun 2021 09:43:01 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
Received: from localhost ([127.0.0.1]) by srv-kerioconnect.py.meinberg.de with ESMTPSA (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits)); Tue, 1 Jun 2021 09:43:00 +0200
From: Marius Rohde <marius.rohde@meinberg.de>
To: dfoxfranke@gmail.com
Cc: ntp@ietf.org
Message-ID: <4d131472-e8a9-32ce-e8b7-9deed6437bf4@meinberg.de>
Date: Tue, 1 Jun 2021 09:42:51 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
X-SM-outgoing: yes
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----AB31AB4974A3E9A1B23D1ACC6949B07F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JB_yhVr-oCrfHyy1qjqUlv2vd70>
Subject: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jun 2021 07:43:11 -0000

Hello Daniel,

with some aspects of your argumentation, I do not agree.

Firstly, from a security point of view, every network that is not just 
accessible physically or logically by privileged persons, processes or 
computer systems should be considered insecure. And that is not just 
true for the Internet ;). To rely only on firewalls is a flaw in the 
design of the infrastructure. You should always implement as many lines 
of defense as feasible. Additionally, think of misconfigurations, 
insiders, or everything you have not been thinking about.
Do not get me wrong, I know that it is always a question of risk 
management how many time and resources an attacker has to invest to 
break the system. I think our part is not to decide which risk/security 
goals people should achieve but to give them well documented 
opportunities to get the security level they need.

IMHO NTS4NTP/PTP is currently not on the same level of security like 
NTS4UPTP because it does not provide the security to adequately ban the 
amplification monster PTP nor the guaranteed PTP precision in the 
borders of NTP. Even the mix of a unicast time protocol to “secure” the 
broadcast/multicast part of another time protocol seems quite ugly to me.

In addition, I am not convinced that NTS4NTP/PTP would make it easier to 
setup a PTP infrastructure than to use NTS directly built in the 
protocol from a user’s point of view.

I do not have a crystal ball and cannot say what will be tomorrow but to 
say - today people are not using it over the internet, so we need no 
additional security - is not a valid argument.

With kind regards
Marius Rohde

MEINBERG Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-0
Fax: +49 (0)5281 9309-230
Amtsgericht Hannover 17HRA 100322
Geschäftsführer: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko 
Gerstung
Email: marius.rohde@meinberg.de
Internet: www.meinberg.de / www.meinbergglobal.com / www.meinberg.academy