Re: [Ntp] NTS Pools Thu, 22 February 2024 22:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E4E4C1519AE for <>; Thu, 22 Feb 2024 14:12:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6i0W4LObRDUQ for <>; Thu, 22 Feb 2024 14:12:43 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C5240C14F6B7 for <>; Thu, 22 Feb 2024 14:12:41 -0800 (PST)
Received: from ([]) by with ESMTP id 41MMCcF3015481-41MMCcF5015481 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 22 Feb 2024 23:12:38 +0100
In-Reply-To: <>
References: <> <>
To: "\"Dr. Dieter Sibold\"" <>
Cc: David Venhoek <>, NTP WG <>,,, Rainer Bermbach <>
MIME-Version: 1.0
Message-ID: <>
Date: Thu, 22 Feb 2024 23:12:36 +0100
Content-Type: multipart/alternative; boundary="=_alternative 007A00DCC1258ACB_="
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;; s=s1-ptbde; c=relaxed/relaxed; h=references:to:cc:mime-version:subject:from:message-id:date:content-type; bh=S8tP4MTR3qLJPf5Lra1HeArPBXiF0zBwPIivy6c6nEM=; b=IhsowjgGEBkDeJMuN18F1xAI3Y3mcnVLqlhY8PcSfDDKDUNkEiyaqntIm39EvTtWVUxmN2uTERFt olggk8JjePQhwy/0tECWCj0/2NTTZPt9i4zipaAgB68ouLbIXEfyI9LAMNTV/TPFtxSogfN9n/Bs K/rtGcejQKdAYceoySQETSTokdxT4qCY1Bel2k0YCX56DB5KV2iNowX2aIB/Uf/mN6vNJve8cI2N BSxMT/djGy32bTRsgEmfOvVVSc2dCynPlC35up5gEw+Pg0zKdPhm7j6aCgdWzfA+XWPYXFOqUDKC CO3IpRVEXE1pDElJIDrxH18/xi9gBACPKuBO8A==
Archived-At: <>
Subject: Re: [Ntp] NTS Pools
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Feb 2024 22:12:47 -0000

Hello Dieter,

yes, you are right. :)
Thanks for your clarification.

kind regards,

Dr.-Ing. Martin Langer
Physikalisch-Technische Bundesanstalt (PTB) 
Working Group 4.42 "Dissemination of Time"
Bundesallee 100,
38116 Braunschweig (Germany)
Tel.: +49 531 592-4470

Von:    "\"Dr. Dieter Sibold\"" <>
Kopie:  "David Venhoek" <>, "NTP WG" <>,,, "Rainer Bermbach" 
Datum:  22.02.2024 16:44
Betreff:        Re: [Ntp] NTS Pools

Hi Martin,

thanks for your thought an NTS protected NTP pools.

Please find comments below.

On 22 Feb 2024, at 15:39, wrote:

> Hi David,
> I was talking with Krisof Teichel, Dieter Sibold and Rainer Bermbach 
about how we should handle NTS secured NTP pools. It's not easy as there 
are different perspectives on the purpose, use cases and security 
considerations. In general, I think I can provide support from the PTB 
side, even though I have very little time for it at the moment. 
(...NTS4PTP is very time consuming)
> I also spent a lot of time thinking about this and discussed the 
possibilities intensively with Rainer Bermbach. The main results are 
described in my recently published dissertation [
, Chapter 4.2]. I would like to give you a brief overview here. First of 
all: NTS4PTP already solves this problem for PTP and provides an NTS 
subprotocol that can also be used for NTP (more details below).
> My personal goal
> -----------------------------------
> From my point of view, I would like to see the communication between the 
NTS-KE server and the NTS capable NTP server defined. Especially in large 
local networks, a central NTS-KE server could be set up which, similar to 
the NTP pool, assigns the known NTP servers to the requesting clients. 
This way an admin can connect any number of NTP servers to the NTS-KE 
server without having to reconfigure any NTP client.
> However, I would NOT want to change public NTP pools, as this is not 
absolutely necessary to provide NTS-secured NTP. Depending on the 
implementation approach, there are different advantages/disadvantages and 
challenges (see below).
> Use Case and Security Considerations
> --------------------------------------------------------------------
> The biggest question is who wants to use NTS-secured NTP pools and what 
security promises should be fulfilled. If someone wants "secure time or 
secure time synchronization", then NTS-secured NTP pools do not provide 
it. Although NTS secures the communication between the NTP client and NTP 
server, it does not provide any indication as to whether the time server 
itself is trustworthy. So it makes a difference whether I intentionally 
add 1, 2 or 3 NTS-capable time servers in the NTP configuration, or 
whether I hand over control and let some be assigned to me at random. should at least always keep this in mind.
>From my point of view we carefully should differentiate between secured 
time synchronisation and trustworthy time sources. So my claim would be: 
Usage of NTS for NTP pools would indeed increase security of time 
exchanges. However, the question of trust in the member of the NTP pools 
remains unsolved. I don?t think that this can be solved by enhancing NTS. 
I would suppose that the question of trust is to be solved independently 
from NTS. In many respects that?s similar to HTTPS, where you need TLS to 
secure exchange of information and a PKI to establish trust in the Web 

> NTS pool solution approach 1: The simplest variant: nothing.
> You could simply provide the NTP pools with NTS-capable NTP servers. 
When a client receives different IP addresses for NTP servers, it can 
simply check via TCP port 4460 if an NTS-KE server is present. If so, it 
will perform the key establishment protocol for the corresponding NTP 
server. This is also more secure, since no central NTS-KE server is 
involved in the key negotiation. ...NTP pools could possibly be modified 
to signal which NTP servers are capable of NTS, or a client could 
explicitly ask for NTS capable NTP servers. The only disadvantage is that 
the client has to perform several TLS handshakes... but this should be 
> NTS pool solution approach 2: central NTS-KE server
> --------------------------------------------------------------------
> This method gives the NTS-KE server the ability to assign NTP servers 
and also to implement other services such as load control. NTS for NTP 
already provides mechanisms for port and IP negotiation. However, there 
are a number of challenges to be addressed.
> 1: Time server registration
> ------------------------------------------------------
> The communication between the NTS-KE server and the NTP server has to be 
defined. Since the NTS-KE protocol does not include message type 
detection, another NTS subprotocol is required. I have done this in 
NTS4PTP, which can also be easily extended for NTP.
> 2: Authorization
> ---------------------------------
> In short, the question of who can register with a central NTS-KE server 
and who issues the certificates. If this is not a question, then of course 
anyone can provide an NTS-secured NTP server. ...this goes back to the 
question of trust in the time server.
> 3. cookie format
> ---------------------------------
> If the NTS-KE server generates cookies, the cookie format has to be 
defined. The cookie format described in RFC8915 is currently recommended. 
Deviations are therefore allowed. Although all known NTS implementations 
follow this format, they all differ in field length and byte order and are 
therefore not compatible!
> 4. nonce collisions / key recovery
> ---------------------------------------------------
> If the NTS-KE server and the NTP server are separated, it must be 
ensured that both sides do not accidentally use the same key with the same 
nonce, otherwise a key recovery is possible. Either the nonce generation 
has to be regulated or we need 2 master keys.
> 5. miscellaneous
> --------------------------------------------
> Then there are many more questions:
> - Keeping the TLS channel open for multiple requests (you solved this 
with the keep-alive record; I solved it without a record based on timeouts 
and 'close_notify')
> - Heartbeat messages for NTP servers
> - Registration revocation mechanisms for NTP servers
> - possibly data synchronization between NTS-KE servers (for resilience)
> - ...
> just my thoughts
> have a nice day.
> kind regards,
> Martin
> PS: there is an error in my thesis (chapter 4.2.5): we have no Source 
PortIdentity in NTP ignore it ;)
> __________________________________________
> Dr.-Ing. Martin Langer
> Physikalisch-Technische Bundesanstalt (PTB)
> Working Group 4.42 "Dissemination of Time"
> Bundesallee 100,
> 38116 Braunschweig (Germany)
> Tel.: +49 531 592-4470
> E-Mail:
> __________________________________________

> _______________________________________________
> ntp mailing list