IETF Logo Mail Archive

Re: [Ntp] NTPv5 draft

Dieter Sibold <dsibold.ietf@gmail.com> Fri, 04 December 2020 16:58 UTC

Return-Path: <dsibold.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5427B3A0E1F for <ntp@ietfa.amsl.com>; Fri, 4 Dec 2020 08:58:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ssuyJEDXgvch for <ntp@ietfa.amsl.com>; Fri, 4 Dec 2020 08:58:21 -0800 (PST)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB8C33A0E04 for <ntp@ietf.org>; Fri, 4 Dec 2020 08:58:20 -0800 (PST)
Received: by mail-wr1-x42c.google.com with SMTP id g14so5963254wrm.13 for <ntp@ietf.org>; Fri, 04 Dec 2020 08:58:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=FnzIaUA1l4HaiuwJSBtF3/wtq8sa2ZhMXzmABuRNUCc=; b=G2OMN0ief3p5GuJOp3wvUcT299Me3GmEMKoKPHC2NCITpqsAbOZrJ5/wDEXLeJO+rk l+fNyW6ySVQqmgWDwuACqGwcyQupZRhdjUQjf93wUkLwUpakGIzFbqyYY+DZWZU3x4yJ fAgmUs5nPNRlH1Gpz3HlDNabRRzbDx89P1dSqBF3xNJmQlvz/xr8O10IgJBVuRcdyjEg tx/NXAdgEJ4PAw45gutPQCdJJ8h24wUHvsV39BSPaG1rvL6uezyVnciVJAQCyh1FefbG nw7sDXmrjoWTAQiomYr5WGsnMFH/N8WyGb362azlSEbOf6atsvEHSz5FWbo5jPJoP8E3 WKHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=FnzIaUA1l4HaiuwJSBtF3/wtq8sa2ZhMXzmABuRNUCc=; b=sfpnDdhvXIdMiWXmAVwOScrMxE+4jnnk9iG1VbZH4O1B2WbhKydvNnroXCsefPpjgx czizyvZmH78kFUe0Jp2MKuqbI2rIXR1xHppxviI+d1PPz0ZcGSKAoqkx3os593EI1cnw sJIl0dDhsbId2//ZS/COb8hot7A9eh/d6duoABq2EITadvxA6MUFg/c/ATq0d4DbZ9s8 w32KaX+FZ2Ufhcc4inXx6Upm6CHn9c+/xurgUnxBNkDs9L1nES3vZ2bP7+apfhddu29k BmVOFwvK5CRv7W/UI/aMC8mkznkRL218iM8WwOtZXJ2IQHkz5Ulp2OkBPH6s/qQ2OULl 0CQg==
X-Gm-Message-State: AOAM533Y5LK2EbRT9U1r+z3lYxHe9/fMAjOIKZsr3ImzlFqAv6leVScK YoF3r6qTE5TtFo6eJflGmPU=
X-Google-Smtp-Source: ABdhPJwYH4aaQJIY96TPgotKmLOnTpGAyACq5dqB2NlX3N/ARv3Fdmkok2w8BQvTAZxLc2qMAFBCyQ==
X-Received: by 2002:adf:ed51:: with SMTP id u17mr6075859wro.61.1607101099230; Fri, 04 Dec 2020 08:58:19 -0800 (PST)
Received: from [192.168.111.41] (p200300d17f0edc008d6ec10c17b45cd6.dip0.t-ipconnect.de. [2003:d1:7f0e:dc00:8d6e:c10c:17b4:5cd6]) by smtp.gmail.com with ESMTPSA id a13sm3557265wrm.39.2020.12.04.08.58.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 04 Dec 2020 08:58:17 -0800 (PST)
From: Dieter Sibold <dsibold.ietf@gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntp@ietf.org
Date: Fri, 04 Dec 2020 17:58:16 +0100
X-Mailer: MailMate (1.13.2r5673)
Message-ID: <F62C1325-8409-474C-9650-FA96405D0F4B@gmail.com>
In-Reply-To: <20201201100305.GK1900232@localhost>
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost> <2B8C7410-DFA7-4A87-A33E-F50FFA96D0F9@gmail.com> <20201201100305.GK1900232@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"; markup="markdown"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Ny7_AIxXelsROU0iEeTT0HrT0w4>
Subject: Re: [Ntp] NTPv5 draft
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 16:58:22 -0000


On 1 Dec 2020, at 11:03, Miroslav Lichvar wrote:

> On Tue, Dec 01, 2020 at 10:51:22AM +0100, Dieter Sibold wrote:
>> On 1 Dec 2020, at 9:12, Miroslav Lichvar wrote:
>>> You mean to require all NTP packets to be authenticated? I don't 
>>> like
>>> that idea. The improvements in NTPv5 are orthogonal to 
>>> authentication.
>>> NTPv5 is not supposed to be more secure. An NTP client that doesn't
>>> want to implement the complexity of NTS shouldn't be restricted to
>>> NTPv4.
>>>
>>
>> Yes, I would propose that by default each NTP packet has to be
>> authenticated. Not using security should be an active decision! I 
>> don’t
>> think that security and increased time sync performance have to be
>> orthogonal. The 2-step approach could provide better time sync 
>> performance
>> and security.
>
> Ok, so if the draft said something like "NTP clients SHOULD use
> authentication", would that work for you? Ultimately, it would be up
> to the client's default configuration whether authentication is
> enabled or not.
>

No. From my point of view this is not explicit. I would prefer that the 
basic protocol incorporates security. That would allow to use security 
without thinking about which approach needs to be applied to accomplish 
that. For the experts there might be additional option like the 
pre-shared key approach to acknowledge very specific circumstances. But 
the normal NTP  user should be able to use a secured NTPv5 like using a 
https protected website.

Obviously the wg needs to discuss about the objectives of NTPv5. This 
could be done, e.g., by adding a section about NTPv5’s objectives to 
the draft. Additionally we could also start a separate document for 
that.

Greetings Dieter


>>> Isn't that the NTP root delay and dispersion? Together they provide 
>>> an
>>> estimate of the maximum error in the receive and transmit timestamp.
>>
>> Uncertainty and maximum error are different. The uncertainty interval 
>> will
>> always be smaller or equal to the max. error.
>
> Can you describe an example how would the server determine the
> uncertainty?
>
> -- 
> Miroslav Lichvar

v2.23.0 | Report a Bug | By Email