IETF Logo Mail Archive

Re: [Ntp] Draft extension NTS for pools

David Venhoek <david@venhoek.nl> Wed, 10 January 2024 11:26 UTC

Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD53FC090360 for <ntp@ietfa.amsl.com>; Wed, 10 Jan 2024 03:26:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l33Av0zxvT9f for <ntp@ietfa.amsl.com>; Wed, 10 Jan 2024 03:26:32 -0800 (PST)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDBF0C151990 for <ntp@ietf.org>; Wed, 10 Jan 2024 03:26:31 -0800 (PST)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-a28ee72913aso871053966b.1 for <ntp@ietf.org>; Wed, 10 Jan 2024 03:26:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20230601.gappssmtp.com; s=20230601; t=1704885989; x=1705490789; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=1J1WdnoqTxIC3bVGxN1hKeIIvV8VMZzUl+nV3QAbsXc=; b=YKA/JgfoBPeef7UwVCYj32hPCjQkD7wJkvJiog7C0h8tZbDr6ZmUi0oW0YLzBqPTnG dWKcDCUx5pRkvZcM5PL/S2IqfsI4/eVIu2fLXAlRxNEM8Y1x/xHc5OLQdxKFaYI98qAB K8RLAMWdV/I/DxUz3hbVkMzLAXC0ltBjKSe/VRcHErBaB5Q+qlYuTFhHtKZ8IxamliEi lUCRdvdw2tVyE/dfqp+hJIBXEMZ1wJ9xVfB2eD7eBYp/oxvLFF5pBIC+/5F6e2A0psWE xIiqagcEnTqhydw0fL7uLf2VN6/pUlHVbwoHEvkENt/EHWGit8YZVC8t2+DLsmXO97Tj MZvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704885989; x=1705490789; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=1J1WdnoqTxIC3bVGxN1hKeIIvV8VMZzUl+nV3QAbsXc=; b=wx5d3+fxuWm22F07vV0zV/I2MUwiBhe25Fif4qfICJAHA0j+Bkvt+PqIhPnhq90jtu 4zSGajCkBQ5BbJ+rnFL8l0PnKrid8Oks+/2mVqfDEXo6ptY02eS60S9ShV+7Aey8Inn3 uurPjcryx7ViHbXaVL67wJwxppJkrFTFekZT/B1SiVj9csW4k6hV96wlakTlz/uUULQ7 LFnVL3NSc7GrGEmlrYGJqDeEYocK9H3/0u9XGRFdO6wa3hqjYKUZmYrGAeSdVGXn6SGP lcm/TxZdV8jVNLUYY5MdLyAVereEhwRx0I2GHAroTzzTmy1nEfjn6If2tMg/+Ggkc+t5 Zymw==
X-Gm-Message-State: AOJu0YzKEkc4xkbHNIH5e12PFopVmmvnaA8Fl5VaE5isHBfNKnawS/u1 7RPmk3xQIWj0UzvhUqzvNkzxSZyHqRdVGmPeNTyo3XKDF/eJXvbVHQzhZ5JO
X-Google-Smtp-Source: AGHT+IGk1dP6UQO7TmSXxluEJTHWPM9gdpmscerF14La4ZN1fyN8SQpPov1X/0+6nFnb3YVvVORH1tc29XRFCBOD9rQ=
X-Received: by 2002:a17:906:7d56:b0:a28:e980:8984 with SMTP id l22-20020a1709067d5600b00a28e9808984mr1051602ejp.18.1704885989664; Wed, 10 Jan 2024 03:26:29 -0800 (PST)
MIME-Version: 1.0
References: <CAPz_-SWidPW1bACgt_dN7saGfjPYbXtZLbqFpTGhPj5OOK4xYg@mail.gmail.com> <ZZUIG_6jxqtb0e5T@localhost>
In-Reply-To: <ZZUIG_6jxqtb0e5T@localhost>
From: David Venhoek <david@venhoek.nl>
Date: Wed, 10 Jan 2024 12:26:18 +0100
Message-ID: <CAPz_-SVpt_oz2GxO7Tn=0=tXxYdMnFWvtmFyAG4HgFipvku29g@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: NTP WG <ntp@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/ZvLZYRbcFfnNBg28qlRD93jjj7k>
Subject: Re: [Ntp] Draft extension NTS for pools
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2024 11:26:36 -0000

We have thought about similar approaches (in particular the suggestion
from Christer Weinigel at the hackaton in London to do this with dns
SRV records), but we in particular decided very early on to focus on
an approach which doesn't require any modifications to the client.

We made this decision because we feel that this drop-in compatibility
is one of the key factors also behind the success of the original ntp
pool. Requiring modifications to clients would slow adoption and will
likely result in clients (at least in the short and medium term) that,
although they do support nts, will not work together with such a pool.

On Wed, Jan 3, 2024 at 8:09 AM Miroslav Lichvar <mlichvar@redhat.com> wrote:
>
> On Fri, Dec 22, 2023 at 11:27:38AM +0100, David Venhoek wrote:
> > As promised during the last interrim, a few colleagues and I have
> > worked to put into a draft the approach we have taken in our
> > experiments to get a prototype NTS pool working. The draft is at
> > https://datatracker.ietf.org/doc/draft-venhoek-nts-pool/00/, if you
>
> Have you considered a different approach, where the server instead of
> acting as a proxy simply provides a list of hostnames and NTS-KE as
> the next protocol?
>
> I think that would have some advantages:
>
> - less work for the server (>=50% of TLS sessions are offloaded to the
>   client)
> - server doesn't have to keep the TLS session open while it talks to
>   the other server, or doesn't have to prefetch and cache the data
> - keys don't have to be sent over network
> - client doesn't have to talk to the main server when it needs to
>   refresh keys/cookies
> - the selection of servers is kept on the client side
>
> --
> Miroslav Lichvar
>

v2.23.0 | Report a Bug | By Email