Re: [Ntp] NTPv5: big picture

[Magnus Danielson <magnus@rubidium.se>]

Philip,

On 2021-01-02 01:55, Philip Prindeville wrote:
> Replies…
>
>
>
>> On Dec 31, 2020, at 8:35 PM, Magnus Danielson <magnus@rubidium.se> wrote:
>>
>> Hal,
>>
>> On 2021-01-01 03:54, Hal Murray wrote:
>>> Do we have a unifying theme?  Can you describe why we are working on NTPv5 in 
>>> one sentence?
>>>
>>> I'd like to propose that we get rid of leap seconds in the basic protocol.
>> Define "get rid off". Do you meant you want the basic protocol to use a
>> monotonically increasing timescale such as a shifted TAI? If so, I think
>> it would make a lot of sense.
>>
>> If it is about dropping leap second knowledge, it does not make sense.
>
> I think “handle separately” makes sense here.  It shouldn’t be a blocking problem and how we handle it, assuming me handle it correctly, is orthogonal to everything else.  Or should be.  See “assuming we handle it correctly”.
I think the core time should have a very well known property, and then
we can provide mappings of that and provide mapping parameters so that
it can be done correctly.
>
>
>>> Unfortunately, we have a huge installed base that works in Unix time and/or 
>>> smeared time.  Can we push supporting that to extensions?  Maybe even a 
>>> separate document.
>> Mapping of NTPv5 time-scale into (and from!) NTP classic, TAI, UTC,
>> UNIX/POSIX, LINUX, PTP, GPS time-scales is probably best treated
>> separately, but needs to be part of the standard suite.
>
> I think TAI makes sense, assuming I fully understand the other options.
Do notice, the actual TAI-timescale is not very useful for us. We should
have a binary set of gears that has it's epoch at some known TAI time.
One such may for instance be 2021-01-01T00:00:00 (TAI). As one can
convert between the NTPv5 timescale and the TAI-timescale we can then
use the other mappings from TAI to other timescales, assuming we have
definitions and other parameters at hand. One such parameter is the
TAI-UTC (and upcoming change).
>
> If NTP v5 sticks around as long as NTP v4 has to date, I think we can’t underestimate the implications in both autonomous flight (the unpiloted taxis that are being certified right now come to mind), as well as the proliferation of commercial space flight… space flight has been commoditized (in part) by the use of commercial-off-the-shelf technologies such as metal 3D printing for generating bulkheads and structural panels.
>
> Why shouldn’t the time standard/format used for space flight also be COTS?
>
> It seems increasingly probably over the next 20 years that interplanetary flight will become common.
Things can be installed in places where we just don't have access to
normal network.
>
> Further, assuming we start colonizing the moon and Mars… stay with me here… will the length of a terrestrial day still even be relevant?  Or will we want a standard based not on the arbitrary rotation of a single planet, but based on some truly invariant measure, such as a number of wavelengths of a stable semiconductor oscillator at STP?
You can setup additional time-scales and supply parameters to convert
for them. If you need a Mars time, that can be arranged. JPL did that
because they could.
>
>
>
>>> --------
>>>
>>> Part of the motivation for this is to enable and encourage OSes to convert to 
>>> non-leaping time in the kernels.  Are there any subtle details in this area 
>>> that we should be aware of?  Who should we coordinate with?  ...
>> I think that would be far to ambitious to rock that boat.
>
> Divide and conquer.
>
> I think POSIX clock_* attempted this by presenting mission requirements-based API’s.
That was only part of the full interface.
>
> The next step is to have consumers of time migrate… perhaps starting with logging subsystems, since unambiguous time is a requirement for meaningful forensics.
They will do what the requirements tell them. Many have hard
requirements for UTC.
>> Kernels already operate with a double vision and have ways to handle
>> both non-leaping time and leapsecond in parallel.
>
> "Double vision" is perhaps an understatement.
It is, can be expected from me.
>
> Another good example is SNMP using “uptime” as 100Hz ticks since booting… since oftentimes a good external source of time can’t be established until well into the boot process.
>
> As I recall, this is one of the CLOCK_ types in POSIX.
It is.
>
>
>>> ---------
>>>
>>> I think this would bring out another important area: How does a client 
>>> discover if a server supports an option and/or discover servers that do 
>>> support it?
>> The solution that works for other protocols is that you ask for
>> capabilities (or you get them served as part of basic handshake). This
>> is typically a text-string of well defined capability names. Set of
>> constants or set of bits have also been seen.
>
> Or ASN.1 OIDs or… 
Sure. There is gazillion ways of doing it, I grabbed a few that seems
popular. ASN.1 isn't popular, just what people is forced to used.
>
>
>>> I'd like the answer to be authenticated.  It seems ugly to go through NTS-KE 
>>> if the answer is no.
>> Do not assume you have it, prefer the authenticated answer when you can
>> get it. I am not sure we should invent another authentication scheme more.
>>
>> Let's not make the autokey-mistake and let some information be available
>> only through an authentication scheme that ended up being used by very
>> few. You want to have high orthogonality as you do not know what lies ahead.
>>
>> So, we want to be able to poll the server of capabilities. Remember that
>> this capability list may not look the same on un-authenticated poll as
>> for authenticated poll. It may provide authentication methods, hopefully
>> one framework fits them all, but we don't know. As you ask again you can
>> get more capabilities available under that authentication view. Another
>> configuration or implementation may provide the exact same capabilities
>> regardless of authentication.
>>
>>>  Maybe we should distribute the info via DNS where we can 
>>> use DNSSEC.
>> Do no assume you have DNS access, the service cannot rely on that. It
>> can however be one supplementary service. NTP is used in some crazy
>> places. Similarly with DNSSEC, use and enjoy it when there, but do not
>> depend on its existence.
>
> Good point.
>
> As someone who works in security, I’ve seen a fair share of exploits that arise when protocols make tacit assumptions about the presence and correctness of other capabilities and then these turn out not to be valid under certain critical circumstances.
>
> Doing X.509 when you don’t have Internet connectivity for CRL’s or OCSP is a good example.
I've seen many networks where normal rules of internet applies, yet they
are critical, need it's time and fairly well protected.
>
>
>> When DNS is available, what additional values can be put there to aid
>> validation and service?
>
> Uh… Available “where”?  The internet is relativistic.  What the server sees and what the client sees can be wildly different, even from moment to moment.
I didn't say it was on Internet at all times. I can see things like a
point-to-point wire, I can see a heavily fortified network air-gapped
from Internet, I can see networks heavily fortified with very indirect
access to Internet. I can see things with a NAT or just a simple
firewall to the Internet. For some of these scenarios DNS will be
available, for some not. They all use the same "Internet technology"
because that is COTS. So, designing and internet technology also entails
to design for these other scenarios. A succsessful design also
understand and respect the problems of the more isolated scenarios.
>
>
>>> Again, that can be a separate document.
>> Sure. I think the final word on slicing and dicing of documents becomes
>> an issue once the parts are done. I think one should not focus too much
>> on it, as it will become apparent later in the process what will make
>> most sense.
>
> I would argue the opposite: let’s keep them as decoupled as possible, and only cede to inter-dependency when we can’t otherwise avoid it.

It's really not being the opposite, rather that is needed to get a
decent structure, because all you argue for is that we please please do
not make the specification a spagetti-coded one. Nobody wants that. How
the pieces is fit into a document or several is a complete orthogonal
property in that case. I was reacting on the over-focus on document here
and document there.

Cheers,
Magnus