[Ntp] Antw: [EXT] Re: Mandatory confidentiality for ntpv5
Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> Fri, 22 October 2021 07:59 UTC
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 693893A0952 for <ntp@ietfa.amsl.com>; Fri, 22 Oct 2021 00:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CzOhxpypwwH2 for <ntp@ietfa.amsl.com>; Fri, 22 Oct 2021 00:59:24 -0700 (PDT)
Received: from mx2.uni-regensburg.de (mx2.uni-regensburg.de [194.94.157.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66DB3A08CD for <ntp@ietf.org>; Fri, 22 Oct 2021 00:59:23 -0700 (PDT)
Received: from mx2.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id E811C6000051 for <ntp@ietf.org>; Fri, 22 Oct 2021 09:59:20 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx2.uni-regensburg.de (Postfix) with ESMTP id CA9A9600004E for <ntp@ietf.org>; Fri, 22 Oct 2021 09:59:20 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Fri, 22 Oct 2021 09:59:20 +0200
Message-Id: <61726F56020000A100044BE1@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.3.1
Date: Fri, 22 Oct 2021 09:59:18 +0200
From: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
To: martin.burnicki=40meinberg.de@dmarc.ietf.org, "ntp@ietf.org" <ntp@ietf.org>, halmurray+ietf@sonic.net
References: <20211021113635.6576528C157@107-137-68-211.lightspeed.sntcca.sbcglobal.net> <faea6fa2-b269-94b8-f101-f00ebe4ed584@meinberg.de>
In-Reply-To: <faea6fa2-b269-94b8-f101-f00ebe4ed584@meinberg.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Y9Gz0s2ZIiRJZ4UlopnrOepLo_0>
Subject: [Ntp] Antw: [EXT] Re: Mandatory confidentiality for ntpv5
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Oct 2021 07:59:35 -0000
>>> Martin Burnicki <martin.burnicki=40meinberg.de@dmarc.ietf.org> schrieb am 21.10.2021 um 15:33 in Nachricht <faea6fa2-b269-94b8-f101-f00ebe4ed584@meinberg.de>: > Hal Murray wrote: >> martin.burnicki@meinberg.de said: >>> How much of the packet would be encrypted? >>> If it's fully encrypted, how could a NIC find out that an incoming packet is >>> an NTP packet that may need to be timestamped (if timestamping of NTP > packets >>> is supported at all)? >> >> Why not have the NIC timestamp everything and let the driver discard the > ones >> that the client software desn't want? > > From what I've yet heard from kernel developers, collecting data in > which no one is interested would be too expensive. > > In my opinion this is similar to multicast: if a consumer is interested, > it tells in *what* it is interested, and only the requested information > is provided. > >> How does current NIC firmware decide which packets to time stamp? > > I#m not familiar with too many different NICs, but I know that some have > a hard-coded pattern e.g. for PTP packets, and others have a > configurable packet matcher, to which you can download a specific pattern. > > Anyway, as far as I know, you would have problems to detect the network > packets that are to be timestamped if the packets are fully encrypted. > > And, similar to the topic above, IMO it would be too expensive to > timestamp all packets and drop most of them in which no NTP or PTP > daemon is interested. > >> Are you using "timestamp" in the PTP sense of modify the packet? I don't > know >> how to do that with encrypted data. I was thinking of "timestamp" in the >> sense of SO_TIMESTAMP. > > See above. It would be hard to even *detect* the packets that need to be > timestamped, regardless whether you try to put the timestamp into the > encrypted packet (which isn't possible, of course) or make it available > in a different way. Hi! I think the real problem is that some layer-4 (or higher) requests time stamping, that is done at layer-2 (NIC hardware), and must be stored on layer-4 (or higher) again (if it were kept in layer-2, it would be lost at the next router). Obviously encrypting the payload (layer-4 or higher) makes things hard to impossible. Regards, Ulrich ...
- [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Dieter Sibold
- Re: [Ntp] Mandatory confidentiality for ntpv5 kristof.teichel
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Hal Murray
- Re: [Ntp] Mandatory confidentiality for ntpv5 Martin Burnicki
- Re: [Ntp] Mandatory confidentiality for ntpv5 Miroslav Lichvar
- [Ntp] Antw: [EXT] Re: Mandatory confidentiality f… Ulrich Windl