IETF Logo Mail Archive

[Ntp] Antwort: NTS for PTP feedback

martin.langer@ptb.de Fri, 02 February 2024 14:39 UTC

Return-Path: <martin.langer@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8892EC14F71D for <ntp@ietfa.amsl.com>; Fri, 2 Feb 2024 06:39:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.628
X-Spam-Level:
X-Spam-Status: No, score=-1.628 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OjgenM-D2GIe for <ntp@ietfa.amsl.com>; Fri, 2 Feb 2024 06:39:20 -0800 (PST)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD80FC14F70D for <ntp@ietf.org>; Fri, 2 Feb 2024 06:39:18 -0800 (PST)
Received: from s23397.bs.ptb.de ([172.21.101.132]) by mx1.bs.ptb.de with ESMTP id 412EdFem014371-412EdFeo014371 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 2 Feb 2024 15:39:15 +0100
MIME-Version: 1.0
Sensitivity:
In-Reply-To: <CAPz_-SU32+rUfBiOgkJJVSEfdVdCmv1dN9sHxYKm2+cDj9WTRQ@mail.gmail.com>
References: <CAPz_-SU32+rUfBiOgkJJVSEfdVdCmv1dN9sHxYKm2+cDj9WTRQ@mail.gmail.com>
From: martin.langer@ptb.de
To: David Venhoek <david@venhoek.nl>
Cc: NTP WG <ntp@ietf.org>, "R. Bermbach" <r.bermbach@ostfalia.de>
Message-ID: <OFDDD205A6.C8EADE14-ONC1258AB7.004FE971-C1258AB7.00507F6F@ptb.de>
X-Priority: 3 (Normal)
Importance: Normal
Date: Fri, 02 Feb 2024 15:39:15 +0100
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-FEAS-Client-IP: 172.21.101.132
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=mime-version:references:subject:from:to:cc:message-id:date:content-type; bh=zJiH1VEcHuAJbJmgKK5kAKKcs5mVblGrtUaP8nGcZXY=; b=XdO+FD4ikUTmXLMKrdurRuOwhAs0e2fljqfDJKaBeykVqB+tIibUDSmFfrwpRcI34jc/Mp/KNZSO ryrQuecrprcYVSUFX2/YOmtFU1qomw0d+IH0mt7KcgIXZnyyfOXdttrj6tUFAQUiUrRFT9kKS60F hgwhMQUBAa16i9gbPlYV7XDdhgR/lHp8YTDgBEN8dzOmDMw7rWytvbw+e2iuR0NMGzY2iBtz54wJ wsic5hkGjTX+OuAMs2M1/VpMickPS/gFk+JwWwH0Cc1tTLTQDRdkQ6D/a5ueAFuo7LP2DqOIG8Gz +ZmhXUsrbnwV8TK6Au/WSRp0b1PPqbhY9hVv5A==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/_98Wm4E5Dm9sLW98G51ZlwXX2N0>
Subject: [Ntp] Antwort: NTS for PTP feedback
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 14:39:24 -0000

Hi David,

Thanks for your interest and feedback. It's great to hear that another
implementation is coming. The current draft version-06 will be updated
in 2 weeks at the latest. Many small changes or corrections have been
made. However, there are still some issues that are not yet included or
specified in the draft.


Major issues
---------------
In section 2.1, the draft states: "THEN the server requests the
client's X.509 certificate (via TLS Certificate Request)" (emphasis
added), after data is already exchanged over the TLS session. Since
TLS 1.3 there is no longer any support for a renegotiation during a
TLS session, hence this seems to not be possible within the TLS spec.
Do you mean that before honoring the request the server should check
that the client authenticated with a valid certificate during the
initial handshake?

Yes, this sentence is incorrect and will be corrected. However, the procedure
is basically correct. When an NTS-KE server receives a request for the NTS-KE
protocol, it only sees after parsing the NTS message whether the request should
be for NTS-secured NTP (RFC8915) or NTS-secured PTP. No client authentication
is required for NTP, but it is required for PTP. Originally, post-handshake
authentication (PHA) was intended for this in TLSv1.3, which was designed for
just such a case. However, this makes the protocol process a bit more complex,
and OpenSSL still showed some bugs here.

The current solution is simpler: When an NTP/PTP client makes a request to the
NTS-KE server, the NTS-KE server requests a certificate. The TLS server simply
sends a CertificateRequest to the client during the TLS handshake. However, the
client is free to send a certificate, so there is no conflict with RFC8915. After
evaluating the NTS request, it is then possible to check whether the client has
been successfully authenticated or not.



Section 2.1.1 refers to "The group number", but this is neither
defined in the PTP specification, nor earlier in this document. What
is it? it seems to be very similar to the SPP defined in
IEEE1588-2019, why do we need it?

I have noted this. It will be emphasized in future draft versions.

The group number is a concatenation of PTP domain, SdoId, and an optional
user-defined value. This ensures that separate keys are used in a physical network
with multiple logical PTP networks. A logical PTP network thus represents a "group".
The group number ensures that PTP devices can only check/verify the PTP messages
of their own group. ...the term "group number" is not defined in IEEE 1588, only in my draft.

The 'optional user-defined value' allows to create further subgroups in a PTP network
(PTP domain + SdoId). If you only want to use the multicast approach, but still need
some PTP unicast connections that should be secured with a separate key, then this
is possible. This can also be used with transparent clocks to keep using correction fields).

The SPP in the PTP Authentication TLV does not really work because the field is way too
small. Almost all fields in the Authentication TLV have problems. These will have to be
discussed with IEEE 1588 or I will have to define my own PTP TLV.



The fields in section 3.2.11 are not aligned. This can be problematic
when implementing on platforms like ARM.

Yes, this is correct. I've thought about it a few times and decided against it so far
because I didn't see any significant drawback. Of course, I could use memory alignment
to align all values to DWORD length (4 octets). So a processor would read the values
faster at the expense of memory. However, we are talking about very few CPU clock cycles
here, which is not really significant from a performance point of view in this NTS phase.
I know that NTS has some fields aligned to 4 octets and that PTP and TLS do not. I also
don't see any difficulties from a byte order perspective (big endian/little endian).

What specific problems would there be with ARM?


Per 16.14.2 of IEEE1588-2019, the key management mechanism should
provide a sequenceID window, but the specification doesn't state how
this is provided.

This is correct. The draft does not yet include a section on replay protection. There are
several reasons for this. First, PTP messages have their own sequence number. However,
this is not under the control of NTS, and secondly, this sequence number is too small. At
a maximum message rate of 128 PTP messages per second, the PTP field would overflow
after 8m 32s. According to the PTP standard, the free field in the Authentication TLV must
not be used. We are still considering whether to adapt the PTP standard or use a separate
NTS TLV.

Sequence numbers are used for replay protection, although a decision has not yet been
made. You could implement it as in IPSec (RFC 6479) and use a SeqNoWindow, or you
could simplify it and reduce it to ascending numbers. The first approach makes the protocol
more complex again, but allows PTP messages to arrive in the incorrect order
(within the window) if they have not already been received. The second approach is much
simpler and does not require a window. You just have to make sure that there is no overflow.
Here we reset the SeqNo. after a key update.

From my point of view, it is not critical if NTS discards the PTP packets that arrive in the
wrong order, because PTP would also do this and this is extremely rare.

Exceptions are request/response messages where random numbers are used in the request
messages and returned in the response messages (as in NTS-for-NTP with the UID).

...This part will be added in future draft versions.


General remarks
-------------------------
Draft allocates concrete numbers in ranges not reserved for
experimental or private use, rather than waiting for IANA assignment.
I would suggest removing the concrete values for now, suggesting
experimental use numbers for draft implementations.

Yes, this will follow at the latest when the document becomes an official WG document.


Draft repeats the same subject multiple times and is in general quite
all over the place.

Some text needs to be updated and some shortened. This is due to the growth of
the document. I understand that the draft is still too complex, especially for first-time
readers. This will be further improved in subsequent releases.


General language use around the "messages" is unclear. What is a
message, what is a record structure in this context?

It is actually not easy to separate this language, as there are "NTS messages for the
PTP protocol" and "NTS-secured PTP messages". An NTS message is not a single data
structure with fixed fields, but a combination of records. Records are similar to TLVs
(type-length-value) and can appear in any order in the message (...except for the
'End of Message' record).


There also seems a lot of repetition of structures and information
already standardised in other specifications. I would suggest mostly
removing this and refering to the relevant specifications. In
particular, I would avoid including full tables of identifiers defined
accross multiple standards.

Some of the text parts in chapter 3 have already been shortened, and of course they
need to be optimized continuously. I assume that the repetitions refer to NTS-for-NTP.
This is not easy. Many structures are derived from this RFC, since my draft is intended
to add the PTP protocol to the existing NTS. In many structures and contents some
rules are different between NTP and PTP, and of course I have to emphasize them.
But I will see which parts of the text can be excluded in future versions. In the
upcoming version I will not be able to take this into account yet.


thank you very much and have a nice weekend.

kind regards,
Martin

__________________________________________
Dr.-Ing. Martin Langer
Physikalisch-Technische Bundesanstalt (PTB)
Working Group 4.42 "Dissemination of Time"
Bundesallee 100,
38116 Braunschweig (Germany)
Tel.: +49 531 592-4470
E-Mail: martin.langer@ptb.de
__________________________________________

-----"ntp" <ntp-bounces@ietf.org> schrieb: -----


>An: "NTP WG" <ntp@ietf.org>
>Von: "David Venhoek" <david@venhoek.nl>
>Gesendet von: "ntp" <ntp-bounces@ietf.org>
>Datum: 01.02.2024 15:46
>Betreff: [Ntp] NTS for PTP feedback
>
>Hi All,
>
>I've worked through the nts for ptp draft today in preparation for
>also making a proof of concept implementation in statime. Below a
>number of comments on the current draft. Note that my focus currently
>was on multicast only, so I haven't looked in detail yet at the
>unicast-specific parts.
>
>Kind regards,
>David Venhoek
>
>Major issues
>---------------
>In section 2.1, the draft states: "THEN the server requests the
>client's X.509 certificate (via TLS Certificate Request)" (emphasis
>added), after data is already exchanged over the TLS session. Since
>TLS 1.3 there is no longer any support for a renegotiation during a
>TLS session, hence this seems to not be possible within the TLS spec.
>Do you mean that before honoring the request the server should check
>that the client authenticated with a valid certificate during the
>initial handshake?
>
>Section 2.1.1 refers to "The group number", but this is neither
>defined in the PTP specification, nor earlier in this document. What
>is it? it seems to be very similar to the SPP defined in
>IEEE1588-2019, why do we need it?
>
>The fields in section 3.2.11 are not aligned. This can be problematic
>when implementing on platforms like ARM.
>
>Per 16.14.2 of IEEE1588-2019, the key management mechanism should
>provide a sequenceID window, but the specification doesn't state how
>this is provided.
>
>General remarks
>-------------------------
>Draft allocates concrete numbers in ranges not reserved for
>experimental or private use, rather than waiting for IANA assignment.
>I would suggest removing the concrete values for now, suggesting
>experimental use numbers for draft implementations.
>
>Draft repeats the same subject multiple times and is in general quite
>all over the place.
>
>General language use around the "messages" is unclear. What is a
>message, what is a record structure in this context?
>
>There also seems a lot of repetition of structures and information
>already standardised in other specifications. I would suggest mostly
>removing this and refering to the relevant specifications. In
>particular, I would avoid including full tables of identifiers
>defined
>accross multiple standards.
>
>_______________________________________________
>ntp mailing list
>ntp@ietf.org
>https://www.ietf.org/mailman/listinfo/ntp" target="_blank" rel="noopener noreferrer nofollow">https://www.ietf.org/mailman/listinfo/ntp
>

v2.23.0 | Report a Bug | By Email