IETF Logo Mail Archive

Re: [Ntp] The trick to timestamp with authentication

Hal Murray <hmurray@megapathdsl.net> Thu, 03 December 2020 23:36 UTC

Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2C03A0FC2 for <ntp@ietfa.amsl.com>; Thu, 3 Dec 2020 15:36:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.037
X-Spam-Level: *
X-Spam-Status: No, score=1.037 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_DYNAMIC_IPADDR=1.951, PDS_RDNS_DYNAMIC_FP=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6BME3YTJRfC for <ntp@ietfa.amsl.com>; Thu, 3 Dec 2020 15:36:39 -0800 (PST)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id B6A4C3A0FC0 for <ntp@ietf.org>; Thu, 3 Dec 2020 15:36:38 -0800 (PST)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id 15F7940605C; Thu, 3 Dec 2020 15:36:34 -0800 (PST)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: Doug Arnold <doug.arnold@meinberg-usa.com>
cc: Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>, hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Doug Arnold <doug.arnold@meinberg-usa.com> of "Thu, 03 Dec 2020 20:03:35 GMT." <BEF7C4D9-81CD-42AD-BA06-433D45C0DCD1@meinberg-usa.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 03 Dec 2020 15:36:34 -0800
Message-Id: <20201203233634.15F7940605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Rlax_FgqSfYFn1oqIci-d8TtDb0>
Subject: Re: [Ntp] The trick to timestamp with authentication
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 23:36:41 -0000

doug.arnold@meinberg-usa.com said:
> This could be handled using a symmetric group key that authorized nodes get
> periodically from a key exchange server.  See, for example GDOI.  I believe
> that NTS could be adapted to group key operation as well. 

The whole idea of patching an authenticated packet seems wrong.

How much effort has gone into investigating alternatives?


> I see you were paying attention. Accuracy and security are a trade-off.  If
> you want on path timing support and security, then you either have to have a
> lot of secrets or a secret that a lot of nodes are in on.  Either way it is
> less secure than just NTS between a client and a server.  However, in a
> private network where someone wants microsecond level time transfer accuracy
> that might be a sensible trade-off. 

That seems like a narrow market.  It's a private network.  They want 
authentication so they don't trust their network yet they do trust it enough 
to patch their authenticated packets.


-- 
These are my opinions.  I hate spam.

v2.23.0 | Report a Bug | By Email