Re: [Ntp] A simpler way to secure PTP

Can you provide examples of automated key management solutions that they 
already have so we can see how they could possibly be aligned with NTS?

Danny

On 5/12/21 1:19 PM, Doug Arnold wrote:
>
> Both equipment designers and network operators have asked if we can 
> specify an automated key management mechanism that they already have 
> rather than make them implement a new one.
>
> Doug
>
> *From: *ntp <ntp-bounces@ietf.org> on behalf of Heiko Gerstung 
> <heiko.gerstung=40meinberg.de@dmarc.ietf.org>
> *Date: *Wednesday, May 12, 2021 at 1:15 AM
> *To: *Daniel Franke <dfoxfranke@gmail.com>
> *Cc: *NTP WG <ntp@ietf.org>
> *Subject: *Re: [Ntp] A simpler way to secure PTP
>
> Hi Daniel,
>
> that’s why we use the integrated security mechanism for unicast PTP 
> and just use the NTS-KE protocol to exchange the required keys for 
> that. Due to the fact that the two protocols NTP and PTP work in a 
> completely different way, there is not more that can be reused. I 
> agree we could find another way to exchange keys and it doesn’t have 
> to be NTS. But why not using it, now that it is there?
>
> Regards,
>
>   Heiko
>
>
> -- 
>
> Heiko Gerstung
>
> Managing Director
>
> MEINBERG® Funkuhren GmbH & Co. KG
>
> Lange Wand 9
>
> D-31812 Bad Pyrmont, Germany
>
> Phone: +49 (0)5281 9309-404
>
> Fax: +49 (0)5281 9309-9404
>
> Amtsgericht Hannover 17HRA 100322
>
> Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre 
> Hartmann, Heiko Gerstung
>
> Email:
>
> heiko.gerstung@meinberg.de <mailto:heiko.gerstung@meinberg.de>
>
> Web:
>
> Deutsch https://www.meinberg.de <https://www.meinberg.de>
>
> English https://www.meinbergglobal.com <https://www.meinbergglobal.com>
>
> Do not miss our Time Synchronization Blog:
>
> https://blog.meinbergglobal.com <https://blog.meinbergglobal.com>
>
> Connect via LinkedIn:
>
> https://www.linkedin.com/in/heikogerstung 
> <https://www.linkedin.com/in/heikogerstung>
>
> *Von: *ntp <ntp-bounces@ietf.org> im Auftrag von Daniel Franke 
> <dfoxfranke@gmail.com>
> *Datum: *Dienstag, 11. Mai 2021 um 21:40
> *An: *Heiko Gerstung <heiko.gerstung@meinberg.de>
> *Cc: *NTP WG <ntp@ietf.org>
> *Betreff: *Re: [Ntp] A simpler way to secure PTP
>
> On Tue, May 11, 2021 at 3:14 AM Heiko Gerstung 
> <heiko.gerstung@meinberg.de <mailto:heiko.gerstung@meinberg.de>> wrote:
>
>     However, especially unicast PTP is a great traffic amplification
>     tool, maybe one of the biggest traffic amplification machines of
>     all times. And I also believe that it would be great to (re)use
>     the general concepts of NTS to secure the other popular time
>     transfer protocol out there.
>
> Amplification is definitely worth fixing, but ISTM this should be 
> orthogonal to the NTS effort. You don't need message authentication 
> for that, you just need the client to prove (and maybe occasionally 
> re-prove) that it's able to receive packets at a particular IP 
> address. There may be some crypto involved in doing so (a la TCP SYN 
> cookies), but it doesn't have to be related to NTS crypto, and servers 
> shouldn't have to require all their clients to support NTS just to 
> prevent themselves from being exploited for amplification.
>
> _______________________________________________ ntp mailing list 
> ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp