[Ntp] Antwort: Re: Antwort: Why Roughtime?

kristof.teichel@ptb.de Mon, 18 December 2023 16:32 UTC

Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 729DAC14F684 for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 08:32:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.929
X-Spam-Status: No, score=-3.929 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Nd6NQHPMqXep for <ntp@ietfa.amsl.com>; Mon, 18 Dec 2023 08:32:52 -0800 (PST)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58AA3C14F5F1 for <ntp@ietf.org>; Mon, 18 Dec 2023 08:32:45 -0800 (PST)
Received: from s23397.bs.ptb.de ([]) by mx1.bs.ptb.de with ESMTP id 3BIGWd0v004532-3BIGWd0x004532 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Dec 2023 17:32:40 +0100
MIME-Version: 1.0
In-Reply-To: <CABrd9SSeQvpSY1JiJn3Nh9FsMFOo1Djk8nR9DoQ1EfRRdOyv7w@mail.gmail.com>
References: <CABrd9SSeQvpSY1JiJn3Nh9FsMFOo1Djk8nR9DoQ1EfRRdOyv7w@mail.gmail.com>, <20231217043500.99D6128C1C3@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <OFD134C0BA.CC9AC877-ONC1258A89.0029CB64-C1258A89.002CCA3E@ptb.de>
From: kristof.teichel@ptb.de
To: Ben Laurie <benl=40google.com@dmarc.ietf.org>
Cc: ntp@ietf.org
Message-ID: <OF98298486.58B10BFD-ONC1258A89.00579D8E-C1258A89.005AE12C@ptb.de>
X-Priority: 3 (Normal)
Importance: Normal
Date: Mon, 18 Dec 2023 17:32:38 +0100
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=mime-version:references:subject:from:to:cc:message-id:date:content-type; bh=ORBJuinqvb3DlE1chxj+v5W8f1cvl4uGh2NWSrcgdUg=; b=Kw6wPSCaR9MjdYsDtkipKDYuF7xmuxGeGWbC+4TBWf+OuKEFM2PnWZTpgK15n6wEgfaSwhoruwhF lgCLwZFattk1RNNmBOxY2iXinooV2YP1N/LxSlfWR1ocd3b9R1L7q/ncu/AfED2Uv/VkWJu1b91A d9tLKQPmDERSvj8Tm1Mx3keWtYKNl+0oB37c2t73cw1lCkXrKp7uOAi6npu2MRgrwDyzZdsWPXtJ b1PuObJmUMIGFWXH2bXAKro2Tb8RfcOsMHr4UQBTxeKgAl1ZkGF4VaohYm3Zp0r5XpVoF+iBk7Ao nZwOiclbhQd1eqlwebpwg5LHJCw87AiqdOF0Lg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/S3FyzHH2PJ0Y-6eBYsvcrYC2raw>
Subject: [Ntp] Antwort: Re: Antwort: Why Roughtime?
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2023 16:32:56 -0000

Hey Ben, all,

It's not, I think, so much that we missed it (Martin and I, can't speak for Hal - although he does mention the feature explicitly).
I think it's more that we don't believe it's as useful as others seem to think (honestly, I think this is explicitly talked about in our mail from June, too):

I've never heard a user express that they want to be able to get false time and then report it.
I have heard users express that they want to get correct time.
Those two goals are not the same, and the logical chain leading from the former to the latter (where I'm supposed to believe someone is trustworthy from the fact that I don't currently have a report at hand about misbehavior from them) just seems far-fetched to me.

And this is just exacerbated by putting it next to Roughtime's other most-advertised feature: use in bootstrapping phase.
If a device has just booted up and has close to zero knowledge, I think it extra unreasonable to rely on malfeasance reports that the device may simply never have gotten.

Lastly, if malfeasance reporting IS deemed an important feature by someone, I again agree with Hal that it could be put into any protocol (e.g. NTP, with an extra extension field).
It is definitely Roughtime's more complex feature, but it would also not be terribly much to ask of other protocols IMO.

Besten Gruß / Kind regards,
Kristof Teichel


Dr.-Ing. Kurt Kristof Teichel
Physikalisch-Technische Bundesanstalt (PTB)
Arbeitsgruppe 4.42 "Zeitübertragung"
Bundesallee 100
38116 Braunschweig (Germany)
Tel.: +49 531 592-4471
E-Mail: kristof.teichel@ptb.de

-----"ntp" <ntp-bounces@ietf.org> schrieb: -----
An: kristof.teichel=40ptb.de@dmarc.ietf.org
Von: "Ben Laurie" <benl=40google.com@dmarc.ietf.org>
Gesendet von: "ntp" <ntp-bounces@ietf.org>
Datum: 18.12.2023 15:11
Kopie: "Hal Murray" <halmurray@sonic.net>, ntp@ietf.org
Betreff: Re: [Ntp] Antwort: Why Roughtime?

On Mon, 18 Dec 2023 at 08:09, <kristof.teichel=40ptb.de@dmarc.ietf.org> wrote:
Hey Hal, all,

I whole-heartedly agree with Hal's points.
In June, Martin and I sent a lengthy mail containing feedback on the Roughtime draft.
Perhaps there was too much in there for these points (malfeasance reporting is unclear what it would actually do; no malfeasance report doesn't mean good intentions; any security protocol could just ditch key lifetimes and go back to pre-shared keys [and thereby eliminate TLS] with little extra work, NTS too) to really come through succinctly, but all of them have been concerns of ours as well.
Further, I still think it is a bad idea to say 'We solve the chicken-and-egg problem of bootstrapping' with what seems like a mere reduction of a security feature (key lifetimes). It feels more like navigating around one of the operational ways in which the problem manifests rather than solving it (which makes sense, since the problem is probably fundamentally unsolvable). And to be clear: I'm not saying at all that it's bad to use long-term keys - I am just saying it's dangerous to imply that this is the bootstrapping solution the world has been waiting for

I think you've both missed an important point: if an NTS server gives me incorrect time and I point that out, there's no way for you to know, in general, whether my claim is true or not. With roughtime, I can present evidence.

Besten Gruß / Kind regards,
Kristof Teichel


Dr.-Ing. Kurt Kristof Teichel
Physikalisch-Technische Bundesanstalt (PTB)
Arbeitsgruppe 4.42 "Zeitübertragung"
Bundesallee 100
38116 Braunschweig (Germany)
Tel.: +49 531 592-4471
E-Mail: kristof.teichel@ptb.de

-----"ntp" <ntp-bounces@ietf.org> schrieb: -----
An: ntp@ietf.org
Von: "Hal Murray" <halmurray@sonic.net>
Gesendet von: "ntp" <ntp-bounces@ietf.org>
Datum: 17.12.2023 05:35
Kopie: "Hal Murray" <halmurray@sonic.net>
Betreff: [Ntp] Why Roughtime?

I think Roughtime has 2 goals:

The first is:
  Furthermore clients may lack even a basic idea of the time, creating
  bootstrapping problems. Roughtime uses a list of keys and servers
  to resolve this issue.

The second is:
  Roughtime is a protocol for rough time synchronization that
  enables clients to provide cryptographic proof of server malfeasance.

Why do we need a separate protocol and separate servers?

For the bootstraping problem, the important idea is key lifetime.  NTS uses traditional web certificates and their root certificate bundle.  The root certificate bundle is distributed and maintained by OSes/distros so NTS doesn't have to operate a separate key distribution mechanism.  That path has a limited key lifetime policy.  If it isn't long enough, we will have to use self signed certificates and invent a new key distribution mechanism.  Roughtime has the same problem so whatever they are planning to use for key distribution can be used by NTS to distribute their self-signed root certificates.

Note that "lifetime" is a potentially ambiguous term.  Suppose you get a certificate with a 2 year lifetime.  That clock starts ticking when you purchase the certificate.  After a year, the useful lifetime is the time remaining, only 1 year.  The clock keeps ticking while the box and firmware are sitting on a retail shelf or the spares shelf.

We should issue a new key every year or so even if their lifetime is 10s of years.  There is no significant cost to a server to support 100s of keys.  The newer ones will have a longer useful life -- last year's key will expire a year before this year's key.

What is Roughtime's target market?  What sort of key lifetime does that need?
How about traffic volume?

On to server malfeasance.

I'm curious about the proof part.  Is Roughtime planning to take server operators to court?
Where else would you need a strong proof as compared to "Hey, your server is broken!"?

The NTP pool has a monitoring system that drops a server when it doesn't respond or returns time that is too far off.  It sends email to the operator.

NTS already signs NTP packets and that includes a nonce field.  The catch is that the key used for signing each packet is a client-server working key rather than a private key of a public/private pair.  We can fix that by adding a slot to NTS-KE which is the KE server signing the working key with it's private key.  (If the working key is exposed in a malfeasance report, the client needs to run NTS-KE again to get a new one.)

Wikipedia says;
  Malfeasance is the willful and intentional action that injures a party.

The proof scheme described by Roughtime doesn't prove the "willful and intentional" part.  Servers screwup because of bugs in software, firmware, or hardware as well as network troubles and bad luck and inadequate operational procedures.

There is another aspect to consider.  The lack of malfeasance reports doesn't prove correct operations.  If a bad guy takes over a server, he can respond correctly except to the system he is attacking.  You can't depend on monitoring by other sites.

In recent mail, Chris mentioned "consensus".  NTP already does that.  Does Roughtime have better heuristics for consensus than NTP is using?

Have I missed something that Roughtime does and NTP can't do with a simple extension?

These are my opinions.  I hate spam.

ntp mailing list
https://www.ietf.org/mailman/listinfo/ntp" target="_blank" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp
ntp mailing list
https://www.ietf.org/mailman/listinfo/ntp" rel="noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/ntp
ntp mailing list
https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp