Re: [Ntp] The trick to timestamp with authentication

Dieter Sibold <dsibold.ietf@gmail.com> Fri, 04 December 2020 16:46 UTC

From: Dieter Sibold <dsibold.ietf@gmail.com>
To: James <james.ietf@gmail.com>
Cc: Doug Arnold <doug.arnold@meinberg-usa.com>, NTP WG <ntp@ietf.org>
Date: Fri, 04 Dec 2020 17:46:48 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/bDJS_UkIfKnPBuomYM_8mZmvurw>


On 4 Dec 2020, at 10:11, James wrote:

> Speaking as someone in broadcast, whilst the industry has standardised 
> on the use of PTP in a few places (AES67, SMPTE 2110, etc) there are 
> use cases where NTP is used instead, particularly where PTP is either 
> not feasible or simply overkill for the application. Many of those 
> operate on less-trusted networks or public internet and thus would 
> greatly benefit from NTPv5 having greater security.
>
> I don't believe on-path corrections and security are completely 
> exclusive capabilities, but there's a spectrum between having on-path 
> connection with either limited or more complicated security, or 
> greater security with limitations on what corrections can be applied. 
> As part of the requirements for NTPv5 I think the working group should 
> decide where in the metaphorical spectrum we should focus on.
>
> - J
>

I agree. It seems to me that different people have different ideas on 
how NTPv5 should develop. I cannot remember that we had any real 
discussion on NTPv5’s objective in the WG. It seems to me that this is 
urgently needed.

Dieter

> On 04-12-2020 01:03, Doug Arnold wrote:
>> I think that the enterprise networks of financial institutions, 
>> broadcast companies and power grids all want security and on path 
>> support.  Maybe large data centers as well. Broadcast and power have 
>> already adopted ptp and will probably stick with that, but my 
>> interactions with people in finance and data centers suggest that 
>> some of them would prefer a more precise version of ntp.  Some 
>> companies in finance are already doing nonstandard sub microsecond 
>> "ntp."  That is hardware timestamped ntp packets, but with higher 
>> than normal message rates and different client algorithms.
>>
>> The ntp working group could decide ntpv5 can support on path 
>> corrections or security, but not both.  However, I suspect a lot of 
>> people would be disappointed.
>>
>> Doug
>>
>> On 12/3/20, 6:36 PM, "Hal Murray" <hmurray@megapathdsl.net> wrote:
>>
>>
>>      doug.arnold@meinberg-usa.com said:
>>      > This could be handled using a symmetric group key that authorized nodes get
>>      > periodically from a key exchange server.  See, for example GDOI.  I believe
>>      > that NTS could be adapted to group key operation as well.
>>
>>      The whole idea of patching an authenticated packet seems wrong.
>>
>>      How much effort has gone into investigating alternatives?
>>
>>
>>      > I see you were paying attention. Accuracy and security are a trade-off.  If
>>      > you want on path timing support and security, then you either have to have a
>>      > lot of secrets or a secret that a lot of nodes are in on.  Either way it is
>>      > less secure than just NTS between a client and a server.  However, in a
>>      > private network where someone wants microsecond level time transfer accuracy
>>      > that might be a sensible trade-off.
>>
>>      That seems like a narrow market.  It's a private network.  They want
>>      authentication so they don't trust their network yet they do trust it enough
>>      to patch their authenticated packets.
>>
>>
>>      --
>>      These are my opinions.  I hate spam.
>>
>>
>>
>>
>> _______________________________________________
>> ntp mailing list
>> ntp@ietf.org
>> https://www.ietf.org/mailman/listinfo/ntp
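The trade-off Doug and Hal argue over above (on-path nodes patching a correction field versus end-to-end authentication of the packet) can be made concrete with a small model. The following is an added example, not code from this thread, from NTS, or from any NTP implementation: the packet layout (body, 8-byte correction field, HMAC-SHA256 tag), the key names, the residence-time values and the "transparent clock" helper are all constructed for illustration. It walks through the three options discussed: an end-to-end key whose MAC covers the correction field, an end-to-end key whose MAC leaves the correction field out, and a group key shared with every on-path node.

```python
"""Model of the on-path-correction vs. authentication trade-off (constructed example)."""
import hashlib
import hmac
import struct

# Constructed packet body standing in for the authenticated NTP fields.
BODY = b"ntp-like body: origin/receive/transmit timestamps (constructed)"


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def build_packet(body: bytes, correction_ns: int, key: bytes, cover_correction: bool) -> bytes:
    """body || correction(8 bytes, signed ns) || tag(32 bytes).

    cover_correction decides whether the correction field is inside the MAC."""
    corr = struct.pack(">q", correction_ns)
    covered = body + corr if cover_correction else body
    return body + corr + mac(key, covered)


def parse(packet: bytes):
    body, corr, tag = packet[:-40], packet[-40:-32], packet[-32:]
    return body, struct.unpack(">q", corr)[0], tag


def verify(packet: bytes, key: bytes, cover_correction: bool) -> bool:
    body, corr_ns, tag = parse(packet)
    covered = body + struct.pack(">q", corr_ns) if cover_correction else body
    return hmac.compare_digest(tag, mac(key, covered))


def on_path_add_residence(packet: bytes, delta_ns: int, rekey: bytes = None) -> bytes:
    """Transparent-clock style patch: add residence time to the correction field.

    Without rekey the node leaves the tag alone (it has no key); with rekey (the
    group key) it recomputes the tag over the patched packet, as Doug proposes."""
    body, corr_ns, tag = parse(packet)
    corr = struct.pack(">q", corr_ns + delta_ns)
    if rekey is None:
        return body + corr + tag
    return body + corr + mac(rekey, body + corr)


def scenario_end_to_end_covering():
    """NTS-style: key known only to client and server, MAC covers the correction.
    Returns (original verifies, patched verifies)."""
    key = b"client-server key (constructed)"
    pkt = build_packet(BODY, 0, key, cover_correction=True)
    patched = on_path_add_residence(pkt, 1500)
    # The patch breaks the tag: the client must reject the packet (Hal's point).
    return verify(pkt, key, True), verify(patched, key, True)


def scenario_end_to_end_uncovered():
    """Same key, but the correction field is left out of the MAC.
    Returns (honest patch verifies, arbitrary patch verifies, correction seen)."""
    key = b"client-server key (constructed)"
    pkt = build_packet(BODY, 0, key, cover_correction=False)
    patched = on_path_add_residence(pkt, 1500)
    # Any on-path node can write any value into the unauthenticated field.
    rewritten = on_path_add_residence(pkt, 10_000_000_000)
    return verify(patched, key, False), verify(rewritten, key, False), parse(rewritten)[1]


def scenario_group_key():
    """Group key held by the server and every on-path node (GDOI-style).
    Returns (patched verifies, correction seen, packet from another member verifies)."""
    gk = b"group key shared by server and all transparent clocks (constructed)"
    pkt = build_packet(BODY, 0, gk, cover_correction=True)
    patched = on_path_add_residence(pkt, 1500, rekey=gk)
    # The client cannot tell the server from any other holder of the group key:
    # "a secret that a lot of nodes are in on" is the trust boundary.
    other_member = build_packet(b"body originated by another group member", 0, gk, True)
    return verify(patched, gk, True), parse(patched)[1], verify(other_member, gk, True)


if __name__ == "__main__":
    print("end-to-end key, MAC covers correction :", scenario_end_to_end_covering())
    print("end-to-end key, correction uncovered  :", scenario_end_to_end_uncovered())
    print("group key, on-path node re-MACs       :", scenario_group_key())
```

Read the three results together: covering the correction field keeps the NTS trust model but makes every on-path correction a verification failure; leaving it out keeps on-path support but the correction is then worth nothing to the client; the group key makes the correction both patchable and verifiable at the cost that every key holder is as trusted as the server, which is exactly the "less secure than just NTS between a client and a server" trade-off described in the thread.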