Re: [Ntp] A simpler way to secure PTP

Doug Arnold <doug.arnold@meinberg-usa.com> Wed, 12 May 2021 17:55 UTC

From: Doug Arnold <doug.arnold@meinberg-usa.com>
To: Danny Mayer <mayer@pdmconsulting.net>, Heiko Gerstung <heiko.gerstung@meinberg.de>, Daniel Franke <dfoxfranke@gmail.com>
CC: NTP WG <ntp@ietf.org>
Thread-Topic: [Ntp] A simpler way to secure PTP
Date: Wed, 12 May 2021 17:55:33 +0000
Message-ID: <AM7PR02MB57651B55AC1DF1D07BEB4620CF529@AM7PR02MB5765.eurprd02.prod.outlook.com>
References: <CAJm83bCpio5WwigY6nc9Y0Gt_XSdjUV=sHUz04dOQ0zELPwZxw@mail.gmail.com> <886DDD0D-AB9A-43A1-999B-FC296D680434@meinberg.de> <CAJm83bDKrecB0d=hTZDkCiS2xnFyOHJf+Apcxkg6TnvFbdB0nA@mail.gmail.com> <54DCB402-CB39-4714-8BE6-7F491B11B0DD@meinberg.de> <AM7PR02MB5765E22D8048797F72E894BECF529@AM7PR02MB5765.eurprd02.prod.outlook.com>, <a5f9976f-5c0b-d0e2-3aba-71cb1744ebe6@pdmconsulting.net>
In-Reply-To: <a5f9976f-5c0b-d0e2-3aba-71cb1744ebe6@pdmconsulting.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/LCCADEMobEMsP5yUjZtXNJoBGoI>

One example is NTS, since most networks that include PTP also include NTP.

I think that the important part is the underlying mechanism for establishing a secure channel for key distribution.  That is where most of the complexity is.  Nearly everyone implements TLS, at least to facilitate https.

Some implement IPsec.  For example the power industry uses GDOI key management, which is built on IPsec.

Doug

From: Danny Mayer <mayer@pdmconsulting.net>
Date: Wednesday, May 12, 2021 at 1:24 PM
To: Doug Arnold <doug.arnold@meinberg-usa.com>, Heiko Gerstung <heiko.gerstung@meinberg.de>, Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP

Can you provide examples of automated key management solutions that they already have so we can see how they could possibly be aligned with NTS?

Danny
On 5/12/21 1:19 PM, Doug Arnold wrote:
Both equipment designers and network operators have asked if we can specify an automated key management mechanism that they already have rather than make them implement a new one.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Heiko Gerstung <heiko.gerstung=40meinberg.de@dmarc.ietf.org>
Date: Wednesday, May 12, 2021 at 1:15 AM
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP
Hi Daniel,

That’s why we use the integrated security mechanism for unicast PTP and just use the NTS-KE protocol to exchange the required keys for that. Due to the fact that the two protocols NTP and PTP work in a completely different way, there is no more that can be reused. I agree we could find another way to exchange keys, and it doesn’t have to be NTS. But why not use it, now that it is there?

Regards,
  Heiko



--
Heiko Gerstung
Managing Director

MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-404
Fax: +49 (0)5281 9309-9404

Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung

Email:
heiko.gerstung@meinberg.de
Web:
Deutsch https://www.meinberg.de
English https://www.meinbergglobal.com

Do not miss our Time Synchronization Blog:
https://blog.meinbergglobal.com

Connect via LinkedIn:
https://www.linkedin.com/in/heikogerstung



From: ntp <ntp-bounces@ietf.org> on behalf of Daniel Franke <dfoxfranke@gmail.com>
Date: Tuesday, 11 May 2021 at 21:40
To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP

On Tue, May 11, 2021 at 3:14 AM Heiko Gerstung <heiko.gerstung@meinberg.de> wrote:
However, especially unicast PTP is a great traffic amplification tool, maybe one of the biggest traffic amplification machines of all time. And I also believe that it would be great to (re)use the general concepts of NTS to secure the other popular time transfer protocol out there.

Amplification is definitely worth fixing, but ISTM this should be orthogonal to the NTS effort. You don't need message authentication for that, you just need the client to prove (and maybe occasionally re-prove) that it's able to receive packets at a particular IP address. There may be some crypto involved in doing so (a la TCP SYN cookies), but it doesn't have to be related to NTS crypto, and servers shouldn't have to require all their clients to support NTS just to prevent themselves from being exploited for amplification.
_______________________________________________ ntp mailing list ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
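The reachability proof Daniel sketches above (a SYN-cookie-style check that is independent of NTS), as an added example that is not part of this thread or of any PTP implementation: the server answers an unauthenticated unicast request with a small stateless cookie, an HMAC bound to the requester's source address and an issue time, and only grants the large unicast stream once that cookie comes back from the same address. The function names, the 60-second lifetime, the 16-byte tag and the secret are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# Constructed secret for this example only; a real server generates its own and rotates it.
SERVER_SECRET = b"constructed example secret; rotate in a real deployment"
COOKIE_LIFETIME = 60     # seconds a cookie stays valid (assumption)
TAG_LEN = 16             # truncated HMAC-SHA256 tag (assumption)

def make_cookie(client_ip: str, now: float, secret: bytes = SERVER_SECRET) -> bytes:
    """Stateless cookie: 4-byte issue time + HMAC over (issue time, claimed source IP)."""
    issued = struct.pack("!I", int(now))
    tag = hmac.new(secret, issued + client_ip.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return issued + tag

def verify_cookie(cookie: bytes, client_ip: str, now: float, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only a cookie issued to this source IP within COOKIE_LIFETIME; no server state."""
    if len(cookie) != 4 + TAG_LEN:
        return False
    (issued,) = struct.unpack("!I", cookie[:4])
    if not 0 <= int(now) - issued <= COOKIE_LIFETIME:
        return False
    expected = hmac.new(secret, cookie[:4] + client_ip.encode(), hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, cookie[4:])

def handle_unicast_request(src_ip: str, cookie: Optional[bytes], now: float) -> Tuple[str, bytes]:
    """Server side: grant the (large) unicast stream only after a proof of reachability."""
    if cookie is not None and verify_cookie(cookie, src_ip, now):
        return ("grant", b"<unicast Announce/Sync stream for " + src_ip.encode() + b">")
    # The challenge is a 20-byte cookie sent only to the claimed source address and is
    # smaller than the request, so a spoofed request yields no amplification towards a victim.
    return ("challenge", make_cookie(src_ip, now))

def client_round_trip(client_ip: str, now: float) -> str:
    """Genuine client: receives the challenge at its own address and echoes it back."""
    kind, payload = handle_unicast_request(client_ip, None, now)
    assert kind == "challenge"
    kind, _ = handle_unicast_request(client_ip, payload, now + 1)
    return kind
```

A cookie replayed from another source address, an expired cookie, or a tampered tag all fall back to the small challenge, so the check also needs no per-client table on the server.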
