Re: [Ntp] [EXT] Pool and DNS
David Venhoek <david@venhoek.nl> Sat, 22 October 2022 07:45 UTC
Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3434C1522D5 for <ntp@ietfa.amsl.com>; Sat, 22 Oct 2022 00:45:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TksIEbzPgq-q for <ntp@ietfa.amsl.com>; Sat, 22 Oct 2022 00:45:26 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17FA7C1522D3 for <ntp@ietf.org>; Sat, 22 Oct 2022 00:45:25 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id l22so13696717edj.5 for <ntp@ietf.org>; Sat, 22 Oct 2022 00:45:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20210112.gappssmtp.com; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=mNK2oVZ/otuGiJeLg5uXPD/er1ePxxZuTZsJSKbNGnY=; b=pstMPz6lFAF0MJ9wefTYmPD4i1Bhv/eeYT4ybRL1vUj8Ik1Y5uO9NFAh2n38UzvM9h 0+U6eAysHs6liuThwHJlPe4Tfn8rNrIZy5/xZ9EYBdn9kZdElngeQBkvltmsoHWY443U r7hDRNOuyfKbZ8rHUuYwtttgufIRuN5H4mIwjUUfnwT2NKyFSh37CZyf6RCgW+eMHt0q pK1+YrBxyGE3A1BFezsvKtoHAoo9hoV8MFqKbvCIimfzTyQGrXCb6LidemsJxDAPjs43 5afUCMygTiI7VEJKmlqpvRf7Q2W1QLtDRLwlwBblzHfF+msbjVf9vUggHVye9KzWiR30 P3xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mNK2oVZ/otuGiJeLg5uXPD/er1ePxxZuTZsJSKbNGnY=; b=QR6Uw+81+4EfG9bEsM8s0TLxIBZ0f78BNKKr4ggGcTXW+JHYTpvy/QW1LnyE5vcg1I 8zL1ryWEHsLqGMtIy7etQjYyAkV/FwfSy2siF+H/pdAlzu4moGl5iUVccHwCLnOcd8ZH un5AJhGNcSzsXNaIPGXSBPyGjefyAuOdeF1xb2pZca84T8s/gnphJHWuCHUM7Ysq5/L8 XLlkNwgORyu6gr7u6BL6Z8DAu/fLuda+WMcQHDwmnCyMApptrq9z/hTnC5z4FLuQrvLP JGVpKjO2RBL8V5wNZf18Jl6yOyXl3h9Sv8cANPxUUxwgSihwFZcrJwXsAsWSShsG1MLV RIBA==
X-Gm-Message-State: ACrzQf0bP0lFw9xei3ofXOPyqwjRdG4C6ooVnljZjzNE1hxFNckCrcFx gHfOmLC1oLm2drs2mSyUnQJBYvmkOO6Ek8Km27ubfA==
X-Google-Smtp-Source: AMsMyM6/wMvtjNLkX65++0kCUC4XPEBXOLpVoiCkOtqQuMJiy2Yd59fgk6VxnsNUP3scNeZbvMp2jlb6PUMzqy+g26o=
X-Received: by 2002:a17:907:1c8a:b0:782:1a0d:3373 with SMTP id nb10-20020a1709071c8a00b007821a0d3373mr18291781ejc.135.1666424723243; Sat, 22 Oct 2022 00:45:23 -0700 (PDT)
MIME-Version: 1.0
References: <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <634FCA5A020000A10004EB98@gwsmtp.uni-regensburg.de> <CAM-HxCP=eZoKC1OzSUDJv-3Gx9njwyemnOosGyY8mLiYFZF8pQ@mail.gmail.com>
In-Reply-To: <CAM-HxCP=eZoKC1OzSUDJv-3Gx9njwyemnOosGyY8mLiYFZF8pQ@mail.gmail.com>
From: David Venhoek <david@venhoek.nl>
Date: Sat, 22 Oct 2022 09:45:47 +0200
Message-ID: <CAPz_-SXTDKTF8KHkzXUxQXgA4n0_GCKDfe4bQ+3CpO7gx7qqYA@mail.gmail.com>
To: Neta R S <neta.r.schiff@gmail.com>
Cc: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>, halmurray@sonic.net, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/NoVN-6naAPdwRKfJoAVSfDWdZBY>
Subject: Re: [Ntp] [EXT] Pool and DNS
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 07:45:30 -0000
Although Marcus is right that there isn't a strict lifetime specified for NTS cookies, I think we shouldn't disregard the potential impact this could have in terms of load when combined with NTS. RFC8915 does suggest on cookies the following (although non-normatively): Servers should periodically (e.g., once daily) generate a new pair '(I,K)' and immediately switch to using these values for all newly-generated cookies. Following each such key rotation, servers should securely erase any previously generated keys that should now be expired. Servers should continue to accept any cookie generated using keys that they have not yet erased, even if those keys are no longer current. Erasing old keys provides for forward secrecy, limiting the scope of what old information can be stolen if a master key is somehow compromised. Holding on to a limited number of old keys allows clients to seamlessly transition from one generation to the next without having to perform a new NTS-KE handshake. With multi-day polling intervals, which could easily occur with Khronos, it is not inconceivable that the cookies will be expired each and every time an NTS server is queried, which would mean a NTS-KE exchange each and every time that server is used. Given the cost of those, I think we should at least discuss why this is a reasonable cost to incur. Kind regards, David On Fri, Oct 21, 2022 at 11:08 PM Neta R S <neta.r.schiff@gmail.com> wrote: > > Hi, > > Perhaps, in order to avoid the uncertainty regarding when NTPs needs to query the DNS, we can just say that assuming the calibration period is one month, > 250 DNS queries means an average of about 10 DNS queries per day, which is usually several order of magnitude lower than the total daily number of DNS queries per machine. > > Regarding NTS, I will add a reference to it in the draft, where we say that “adding an authentication layer to Khronos will enhance its security guarantees and enable the detection of various spoofing and modification attacks.” > > Thanks, > Neta > > On Wed, Oct 19, 2022 at 12:58 PM Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote: >> >> >>> Hal Murray <halmurray@sonic.net> schrieb am 19.10.2022 um 06:42 in >> Nachricht >> <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net>: >> >> >> Around 250 DNS queries are required by Khronos to obtain a pool of 1000 >> NTP >> >> servers, which is equal to the number of queries performed by NTPv4 in a >> >> duration of 10 days (assuming a query per hour). >> > >> > Where did that "a query per hour" come from? >> >> Good question: maxpoll default is still 10, and on typical servers a higher >> number like 12 makes little sense. >> >> > >> > It's not wildly wrong and I don't have a better number. But I worry that >> > somebody will assume it is a solid data point and use it in some future line >> >> > >> > of reasoning. >> > >> > ‑‑‑‑‑‑‑‑ >> > >> > My reading is that pool traffic is bimodal. ntpd makes a few DNS requests >> > on >> > startup then uses those servers for a long time. sntp makes a DNS request >> > every time it is run. >> > >> > You can see that by watching the traffic on a server in the pool when you >> > disable it by setting the traffic rate to monitor‑only. The traffic drops >> >> By "disabling" you mean removing it from the DNS pool, but keep it running? >> >> > abruptly by X%, then slowly decays. "Slowly" is ballpark of 10% per day. X >> >> > >> > is ballpark of 60%. (I didn't get decent data because I only figured out >> > what >> > was going on after I had already messed things up. Next time...) >> > >> > ‑‑‑‑‑‑‑‑‑‑ >> > >> > The main problem with DNS and the pool is that there is currently no clean >> > way to remove a server from the pool. If you remove it from the pool, the >> > sntp traffic will vanish since it will get removed from future DNS answers. >> >> > But the ntpd traffic will continue to use existing servers as long as ntpd >> > keeps running and the servers keep responding. >> >> Not quite: If the server performs worse than the rest, ntpd wil request >> another one, dropping the bad one. >> We are runníng most servers using manycast here, but the mechanism should be >> similar. >> >> >> > >> > There is no way to ask if a server is still in the pool. If there was, ntpd >> >> > should check every day or week or ... That would add more DNS traffic from >> >> > the long running ntpd servers. Khronos would add much more. >> > >> > ‑‑‑‑‑‑‑‑‑‑ >> > >> > The more interesting question is NTS. The NTS‑KE step is fairly >> heavyweight, >> > much more work than a DNS lookup. >> > >> > The current parameters are 8 cookies with a lifetime of a day. A day is >> > 86400 seconds. That means we need to poll each server every 10800 seconds. >> >> > With 1000 servers and M=15 (from the draft) that will take a Khronos poll >> > every (10800/1000)*15 => 162 seconds. If Khronos runs at 10x the poll time >> of >> > ntpd, that's not going to work. >> > >> > We could gain a factor of 2 or 3 by dropping cookies older than a day. (and >> >> > asking for several more to fill up again when we do poll a server) >> > >> > Of course, NTS doesn't work with the pool and I don't see how to fix that, >> > so this is all a wild goose chase. >> > >> > >> > Maybe we should be comparing Khronos with 1 or 2 trusted servers using NTS. >> > >> > >> > ‑‑ >> > These are my opinions. I hate spam. >> > >> > >> > >> > _______________________________________________ >> > ntp mailing list >> > ntp@ietf.org >> > https://www.ietf.org/mailman/listinfo/ntp >> >> >> > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Marcus Dansarie
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] [EXT] Pool and DNS David Venhoek
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Re: Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Leif Johansson