Re: [Ntp] ntpv5 requirements

Harlan Stenn <stenn@nwtime.org> Thu, 16 February 2023 10:22 UTC

To: kristof.teichel@ptb.de, ntp@ietf.org
From: Harlan Stenn <stenn@nwtime.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/cSArdvW8fw40T3qgcCqZUeTROEs>

On 2/15/2023 12:48 AM, kristof.teichel@ptb.de wrote:
> In-line...
> 
> 
> Besten Gruß / Kind regards,
> Kristof Teichel
> 
> __________________________________________
> 
> Dr.-Ing. Kurt Kristof Teichel
> Physikalisch-Technische Bundesanstalt (PTB)
> Working Group 4.42 "Zeitübertragung" (Time Dissemination)
> Bundesallee 100
> 38116 Braunschweig (Germany)
> Tel.:    +49 (531) 592-4471
> E-Mail: kristof.teichel@ptb.de
> __________________________________________
> 
> "ntp" <ntp-bounces@ietf.org> wrote on 15.02.2023 04:10:32:
> 
>> From: "Harlan Stenn" <stenn@nwtime.org>
>> To: kristof.teichel@ptb.de, ntp@ietf.org
>> Date: 15.02.2023 04:16
>> Subject: Re: [Ntp] ntpv5 requirements
>> Sent by: "ntp" <ntp-bounces@ietf.org>
>> 
>> I don't see that you are disagreeing with me regarding the "priority" of
>> performance.
> 
> Let's leave the goalposts where they were: the original question/statement 
> was whether/that NTS was specifically designed to scale well with large 
> numbers of clients.
> Which it was (I can elaborate if anyone would like, but I feel like 
> we've been through this).
> I'm disagreeing with your implicit statement that your perceived 
> priority of goals is in any way an argument against this.

Whatever.

The point remains that there are clearly environments out there where 
NTS does not currently sufficiently scale.

> You also appear to get scaling properties mixed up with performance, 
> though they are clearly stated as separate goals and each explained in 
> the RFC.

Maybe, but I don't see how this is significant.  The bottom line is that 
NTS does not currently appear to be usable at high traffic volumes.

> That said, even when confounding them I don't see the argument:
> NTS was also specifically designed to affect performance "not 
> significantly" (we can go there if need be), and I would argue it simply 
> affects performance *as little as possible* (possible while reaching the 
> stated security goals).
>
>> And blindly following "amplification goal-stated as zero"  has some
>> pretty onerous consequences.
> 
> The above is already a pretty hard detour from NTPv5 requirements 
> discussions.

I was merely responding to something you said on the thread.

> But this is so far beside the point, let's either open up a separate 
> thread for it or drop it.

I have no preference.

H
--
>> H
>> 
>> On 2/14/2023 4:28 AM, kristof.teichel@ptb.de wrote:
>> > The reason that scalability and performance have traditionally been
>> > listed last in NTS documents is less that they are in any way secondary
>> > -- and more that they follow a pattern of "...and it needs to do all of
>> > the above in such a way that it retains scalability and performance as
>> > far as possible".
>> > (And perhaps a bit of them being quantitative goals rather than
>> > absolute/qualitative; performance is gonna get worse with crypto rather
>> > than without, the goal is to keep it reasonable/best possible -- whereas
>> > e.g. amplification can be cleanly goal-stated as zero.)
>> > 
>> > 
>> > Besten Gruß / Kind regards,
>> > Kristof Teichel
>> > 
>> > 
>> > 
>> > From: "Harlan Stenn" <stenn@nwtime.org>
>> > To: ntp@ietf.org
>> > Date: 13.02.2023 23:29
>> > Subject: Re: [Ntp] ntpv5 requirements
>> > Sent by: "ntp" <ntp-bounces@ietf.org>
>> > ------------------------------------------------------------------------
>> > 
>> > 
>> > 
>> > On 2/13/2023 8:06 AM, Miroslav Lichvar wrote:
>> >> On Thu, Feb 09, 2023 at 05:18:20PM +0000, Doug Arnold wrote:
>> >>> For example: Judah Levine at NIST recently told me that he
>> >>> cannot implement NTS with his current server resources and the number of
>> >>> clients NIST supports.  However, when I told him about TESLA he thought
>> >>> a scheme based on that would be doable, as long as the keys didn’t have
>> >>> to change too often.
>> >> 
>> >> That is interesting as NTS was specifically designed to scale well to
>> >> very large numbers of clients.
>> > 
>> > I don't recall performance in NTS as being a primary goal of the design.
>> > 
>> > Sure, it was listed as *a* goal, but the primary goals were around
>> > "security".
>> > 
>> >> Is their concern about decryption
>> >> and encryption of NTS-protected NTP packets, or rather TLS in NTS-KE?
>> >>
>> >> In 2016 they reported they had about 200k requests per second across
>> >> all their servers [1]. Even if it was 100x more today and all clients
>> >> were using NTS, that could still be handled by a dozen of servers with
>> >> multi-core CPUs and AES acceleration. In my tests I get about 200k/s
>> >> per core.
>> > 
>> > From what I've heard, NTS key operations take 5-10x the amount of
>> > compute power beyond what NTP needs.
>> > 
>> >> NTS-KE traffic is more difficult to predict as it depends on the
>> >> client implementations. I would be curious to see what NTS-NTP to
>> >> NTS-KE request ratio do the well-known NTS providers like Cloudflare
>> >> and Netnod have.
>> >> 
>> >> [1] https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf
>> >> 
>> > 
>> > -- 
>> > Harlan Stenn <stenn@nwtime.org>
>> > http://networktimefoundation.org - be a member!
>> > 
>> > _______________________________________________
>> > ntp mailing list
>> > ntp@ietf.org
>> > https://www.ietf.org/mailman/listinfo/ntp
>> > 
>> > 
>> 
>> -- 
>> Harlan Stenn <stenn@nwtime.org>
>> http://networktimefoundation.org - be a member!
>> 

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!