Re: [Ntp] NTP over PTP

Heiko Gerstung <heiko.gerstung@meinberg.de> Fri, 25 June 2021 13:00 UTC

Return-Path: <heiko.gerstung@meinberg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C623E3A162D for <ntp@ietfa.amsl.com>; Fri, 25 Jun 2021 06:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=meinberg.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUNQ7rkJRdtM for <ntp@ietfa.amsl.com>; Fri, 25 Jun 2021 06:00:31 -0700 (PDT)
Received: from server1a.meinberg.de (server1a.meinberg.de [176.9.44.212]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD0A3A1630 for <ntp@ietf.org>; Fri, 25 Jun 2021 06:00:30 -0700 (PDT)
Received: from seppmail.py.meinberg.de (unknown [193.158.22.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server1a.meinberg.de (Postfix) with ESMTPSA id 703D171C0916; Fri, 25 Jun 2021 15:00:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meinberg.de; s=d2021; t=1624626028; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=2rMT7Z8wz3dVQvxuB7Rk0DCDljcj941EJU3g8rKmWTA=; b=BLb0mKOHEftbvODQNpC/pYCvinVTMmW1c982LEWwxuL7jXFub35ahus2QtWYOcFUfhORAX StqDljOVfmrD0WzgKen4n9Gum0+FOqQ2mnruf8glFaWZwXe/2rHOzqkdPEuayQco48D18e /88sAoHsRzlgsRjDuW9EIC3mDMnuXiYI0HXlsfZvmQd7V+pPRY6jSK34jEvvwaU6pADHjL jsXUGJS/GmsB7Ouw2wrmElCt2I7usKrWQLA1wm2AZ5l8E8+SsbfIR4NYY/3GT1nhJdvrsX DzWqB67PKEY12YAyZrLptyqF/JV4PPGeEZcczuxduchFLbeEoHmUakMw4I4ZzQ==
Received: from srv-kerioconnect.py.meinberg.de (srv-kerioconnect.py.meinberg.de [172.16.3.65]) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by seppmail.py.meinberg.de (Postfix) with ESMTPS; Fri, 25 Jun 2021 15:00:27 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/16.50.21061301
Date: Fri, 25 Jun 2021 15:00:25 +0200
Message-ID: <36AAC858-BFED-40CE-A7F7-8C49C7E6782C@meinberg.de>
Thread-Topic: [Ntp] NTP over PTP
References: <YNRtXhduDjU4/0T9@localhost>
In-Reply-To: <YNRtXhduDjU4/0T9@localhost>
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+NDJhN2EyODFjMTJjOGIyYg==
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
To: Miroslav Lichvar <mlichvar@redhat.com>, "ntp@ietf.org" <ntp@ietf.org>
X-SM-outgoing: yes
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----E51ABB6B96BB330AE1D827D3ABF78FB8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/KlyoljhnLQ5VGBdMG33QbW68IOk>
Subject: Re: [Ntp] NTP over PTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2021 13:00:37 -0000

If I follow your argument that unicast PTP is like the NTP control mode then yes, both mode 6 and unicast PTP are not secured against replay and amplification attacks. The NTS4UPTP draft is exactly addressing this for unicast PTP and provides the required protection. I outlined in the draft that the proposed approach achieves most of the stated objectives/goals of NTS4NTP, which is well secured (we certainly agree on that). 

In the interim meeting I believe there have been multiple participants that agreed that 
a) PTP should be secured (it is worth it)
b) the NTP WG is the right place for this

Arguing that the two drafts on the table might just need TLS instead of NTS-KE is something I cannot understand, too. PTP already has a security mechanism that is standardized and, with some extensions (provided by the submitted drafts), can be used to significantly enhance security of the protocol. What is needed is a key exchange mechanism and some additional features to close the security holes (i.e. no protection for the source IP address) - again, exactly what the two drafts provide. 

Regarding "NTP over PTP": trying to trick the hardware timestamping engines of a large variety of vendors into timestamping a PTP packet is bound to fail IMHO. There is no standard for how these timestamping engines work, some may even look at sizes of packets (they should not do that, as PTP messages can theoretically carry TLVs, but sometimes hardware vendors take shortcuts). Some implementations will forward packets to a management CPU when the forwarding plane detects a PTP frame. The CPU will not recognize that this is NTP and will probably throw away the packet. Again, most likely not the right way to do it, but alas ... 

Why did the telcos choose to go for unicast PTP instead of NTP? Well, one reason was that PTP already provided hardware timestamping capabilities at that time, to dramatically increase the accuracy to a sub-microsecond level that is required for modern telecommunication networks. I know of some hardware vendors in that application space that implemented hardware timestamping for NTP, but there are not a lot of them (Meinberg offers a NTP module which has hw timestamping for NTP, providing 10ns accuracy in the timestamp of the outgoing NTP packets). And, maybe the main reason: the first unicast PTP telco profile ITU-T G8265.1 was designed for frequency-only applications. Unicast PTP as a protocol allows that you do not measure the delay from the client to the server, something that is not required for frequnecy only mode. Using unicast PTP was a lot more efficient that NTP, because the PTP client only has to ask for packets once every minute for example, and gets a constant stream of highly accuracy and hardware timestamped packets from the server for that 60 seconds without having to send a request for each of the packets. 

Well, this is all history now. PTP is here to stay and unicast PTP is probably not going to take over the world, but will for sure be used in some new applications in the future. 

Regards,
  Heiko


-- 
Heiko Gerstung 
Managing Director 
 
MEINBERG® Funkuhren GmbH & Co. KG 
Lange Wand 9 
D-31812 Bad Pyrmont, Germany 
Phone: +49 (0)5281 9309-404 
Fax: +49 (0)5281 9309-9404 
 
Amtsgericht Hannover 17HRA 100322 
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung 
 
Email: 
heiko.gerstung@meinberg.de
Web: 
Deutsch https://www.meinberg.de
English https://www.meinbergglobal.com
 
Do not miss our Time Synchronization Blog: 
https://blog.meinbergglobal.com
 
Connect via LinkedIn: 
https://www.linkedin.com/in/heikogerstung
 
 

Am 24.06.21, 13:33 schrieb "ntp im Auftrag von Miroslav Lichvar" <ntp-bounces@ietf.org im Auftrag von mlichvar@redhat.com>gt;:

    The NTP WG was asked to secure the PTP unicast mode considering it has
    experience with securing NTP. The problem is that the PTP unicast mode
    is very different from the NTP client/server mode, the only mode which
    I think we can claim to be well secured (by symmetric key and NTS).
    The closest thing to the PTP unicast mode would be the NTP control
    mode (6), which is not secured (e.g. against replay attacks).

    I suspect there is nothing here to be reused to secure the unicast
    PTP. There might be some practical advantages of sharing NTS-KE with
    NTP, but I don't see any security benefits. The two drafts that were
    discussed here just need TLS and might actually be simpler if they
    used it directly.

    With this WG still having NTP in its name, there is the uncomfortable
    question that has to be asked. Why can't you just use the NTP
    client/server mode instead of the PTP unicast mode?

    A point was made that there is still a lot of hardware that supports
    only plain PTP. It doesn't support PTP secured by IPSec, MACSec, DTLS,
    etc, either. This was apparently one of the reasons for writing the
    NTS4UPTP draft.

    That has a simple solution. Use PTP as a transport for NTP messages.
    The hardware doesn't care what is inside as long as it can recognize
    the PTP header to trigger the timestamping.

    I submit this idea as a (very short) draft:
    https://datatracker.ietf.org/doc/html/draft-mlichvar-ntp-over-ptp-00

    I understand some people won't like this as an answer to the question
    of securing the unicast PTP. It would be useful in other cases too.

    But is it worth trying to invent a PTP-specific solution to secure its
    unicast mode, when the result cannot possibly be as good as what NTP
    already has?

    As I understand it, the unicast mode of PTP was invented mainly for
    some of the telco profiles, which for the most part seem to emulate
    NTP. What exactly was missing in NTP when those profiles were written?
    IIRC someone mentioned it was discussed with the NTP WG at the time,
    but I don't have any references.

    -- 
    Miroslav Lichvar

    _______________________________________________
    ntp mailing list
    ntp@ietf.org
    https://www.ietf.org/mailman/listinfo/ntp