Re: [Ntp] A simpler way to secure PTP

Doug Arnold <doug.arnold@meinberg-usa.com> Wed, 12 May 2021 17:19 UTC

From: Doug Arnold <doug.arnold@meinberg-usa.com>
To: Heiko Gerstung <heiko.gerstung=40meinberg.de@dmarc.ietf.org>, Daniel Franke <dfoxfranke@gmail.com>
CC: NTP WG <ntp@ietf.org>
Thread-Topic: [Ntp] A simpler way to secure PTP
Thread-Index: AQHXREw3H/RmYyg7o0aEx8XpTG+waard4heAgADQBYCAAKDAAIAAybWn
Date: Wed, 12 May 2021 17:19:06 +0000
Message-ID: <AM7PR02MB5765E22D8048797F72E894BECF529@AM7PR02MB5765.eurprd02.prod.outlook.com>
References: <CAJm83bCpio5WwigY6nc9Y0Gt_XSdjUV=sHUz04dOQ0zELPwZxw@mail.gmail.com> <886DDD0D-AB9A-43A1-999B-FC296D680434@meinberg.de> <CAJm83bDKrecB0d=hTZDkCiS2xnFyOHJf+Apcxkg6TnvFbdB0nA@mail.gmail.com>, <54DCB402-CB39-4714-8BE6-7F491B11B0DD@meinberg.de>
In-Reply-To: <54DCB402-CB39-4714-8BE6-7F491B11B0DD@meinberg.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/bMV5_aevMTo_P6fhhUWnOsDI874>

Both equipment designers and network operators have asked if we can specify an automated key management mechanism that they already have rather than make them implement a new one.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Heiko Gerstung <heiko.gerstung=40meinberg.de@dmarc.ietf.org>
Date: Wednesday, May 12, 2021 at 1:15 AM
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP
Hi Daniel,

That’s why we use the integrated security mechanism for unicast PTP and just use the NTS-KE protocol to exchange the required keys for that. Due to the fact that the two protocols NTP and PTP work in a completely different way, there is not more that can be reused. I agree we could find another way to exchange keys and it doesn’t have to be NTS. But why not use it, now that it is there?

Regards,
  Heiko



--
Heiko Gerstung
Managing Director

MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-404
Fax: +49 (0)5281 9309-9404

Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung

Email:
heiko.gerstung@meinberg.de
Web:
Deutsch https://www.meinberg.de
English https://www.meinbergglobal.com

Do not miss our Time Synchronization Blog:
https://blog.meinbergglobal.com

Connect via LinkedIn:
https://www.linkedin.com/in/heikogerstung



From: ntp <ntp-bounces@ietf.org> on behalf of Daniel Franke <dfoxfranke@gmail.com>
Date: Tuesday, 11 May 2021 at 21:40
To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] A simpler way to secure PTP

On Tue, May 11, 2021 at 3:14 AM Heiko Gerstung <heiko.gerstung@meinberg.de> wrote:
However, especially unicast PTP is a great traffic amplification tool, maybe one of the biggest traffic amplification machines of all times. And I also believe that it would be great to (re)use the general concepts of NTS to secure the other popular time transfer protocol out there.

Amplification is definitely worth fixing, but ISTM this should be orthogonal to the NTS effort. You don't need message authentication for that, you just need the client to prove (and maybe occasionally re-prove) that it's able to receive packets at a particular IP address. There may be some crypto involved in doing so (a la TCP SYN cookies), but it doesn't have to be related to NTS crypto, and servers shouldn't have to require all their clients to support NTS just to prevent themselves from being exploited for amplification.