Re: [Ntp] Antwort: Re: A simpler way to secure PTP

Kurt Roeckx <> Tue, 11 May 2021 08:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 426E43A0890 for <>; Tue, 11 May 2021 01:39:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jAY2S7Mfl7hs for <>; Tue, 11 May 2021 01:39:05 -0700 (PDT)
Received: from ( [IPv6:2a05:7300:0:100::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D2C83A0887 for <>; Tue, 11 May 2021 01:39:05 -0700 (PDT)
Received: from (localhost []) by (Postfix) with ESMTP id 52D14A8A0158; Tue, 11 May 2021 08:38:59 +0000 (UTC)
Received: by (Postfix, from userid 1000) id E7BC11FE0E23; Tue, 11 May 2021 10:38:58 +0200 (CEST)
Date: Tue, 11 May 2021 10:38:58 +0200
From: Kurt Roeckx <>
To: Joachim Fabini <>
Cc:, Doug Arnold <>, Miroslav Lichvar <>, NTP WG <>, Daniel Franke <>
Message-ID: <YJpConUHNVvB/>
References: <> <> <YJkrFjnRPJJHz9da@localhost> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [Ntp] Antwort: Re: A simpler way to secure PTP
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 11 May 2021 08:39:10 -0000

On Tue, May 11, 2021 at 09:59:10AM +0200, Joachim Fabini wrote:
> On 5/10/21 7:05 PM, wrote:
> > @Doug: Daniel is correct; you can apply all kinds of magic, but
> > ultimately, your hard, 100% certain guarantees are going to be at best
> > "half of RTT" for two-way time transfer and "none at all" for one-way
> > transfer.
> "At best" is too little. 100% certain guarantees (for two-way time sync)
> apply for *RTT* - and definitely *not* for half of RTT. The link symmetry
> assumption is one of the weakest point of today's network time
> synchronization protocols that malicious actors can exploit.

I don't agree. Because we compensate for half the RTT, the maximum
error is reduced to half the RTT. Without the compensation for
half the RTT I would agree.

Assume the real time it takes between peers is 1 ms and that there
are no other sources of errors. If there is an artificial
additional delay of 998 ms in the reply direction, we measure an
RTT of 1000 ms.

We will then assume that it took 500 ms instead of 999 ms to
arrive, and add 500 ms instead of 999 ms to the received time
as our estimate of the time. So we have an error of 499 ms.
I see no way to get an error that is larger than half the RTT
(ignoring other sources of errors.)

Note that this requires a packet in each direction with
enough meta data to be able to calculate an RTT. If you
don't have a RTT, you don't have a maximum bound.