Re: [Ntp] Draft on using NTS with the pool

Watson Ladd <watsonbladd@gmail.com> Mon, 02 March 2020 03:53 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 01 Mar 2020 19:53:00 -0800
To: Marcus Dansarie <marcus@dansarie.se>
Cc: NTP WG <ntp@ietf.org>
Subject: Re: [Ntp] Draft on using NTS with the pool
Message-ID: <CACsn0c=uC6R6YWd_=r35ySSN61XCeUfWD96Xta5Pt9wXweR=aw@mail.gmail.com>
In-Reply-To: <acb1da22-b375-10d8-829f-a6e953dff9e5@dansarie.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/dZn6pcCI6cZpz7Z-OZC7Ska6nmk>

On Sat, Feb 29, 2020 at 3:25 AM Marcus Dansarie <marcus@dansarie.se> wrote:
>
> Thank you for putting this together!
>
> Your draft proposes a more complicated solution than the one I had
> envisaged. I imagined something like the following.

Thank you for explaining your ideas. I don't think your solution is as
simple as it looks due to some missing pieces, while my solution
doesn't seem that complex to me, but I'm open to being convinced
otherwise.

>
> 3. If the client sent a FQDN, the server will pick an NTP server from
> that pool and return cookies for that server along with an appropriate
> NTP Server Negotiation record. If the client sent an IP address (which
> belongs to a server in the pool), the server simply returns cookies and
> NTP Server Negotiation record for that address.

This implies that the servers have key material shared with the pool
for the cookies. That's sort of problematic, especially with key
rotation: you have to all support the same ciphersuites, similar
cookie formats, etc. That adds some complexity that isn't apparent
from the description, and it means another protocol that NTS
implementations need to interoperate with to transmit the ticket
related data to the pool.

It also increases the load on the pool servers. Round-robin DNS is
very cacheable and easy to serve at high speed, even with DNSSEC.  TCP
based protocols are a bit more heavyweight. This may not be a problem:
I'd appreciate pool operators weighing in on this.

>
> This scheme has the advantage that a pool only needs to run one (or a
> few) NTS-KE servers with certificates for a single (or a few) domain
> names. Each individual server only needs a shared secret with the NTS-KE
> server to support NTS. There is no need to obtain and maintain an
> individual certificate for each server.

With ACME this is straightforward to handle in an automated way.

>
> Kind regards,
> Marcus
>
>
> On 2020-02-28 21:30, Watson Ladd wrote:
> > Hello,
> >
> > I've uploaded https://datatracker.ietf.org/doc/draft-ladd-nts-for-ntp-pool/
> > which contains a putative mechanism for using NTS with the NTP pool.
> >
> > I'd appreciate comments: there is a lot to think through in this, but
> > it's important to get NTS adoption. Definitely the draft is in rough
> > shape, but sooner seemed better than never.
> >
> > Sincerely,
> > Watson Ladd
> >
> > _______________________________________________
> > ntp mailing list
> > ntp@ietf.org
> > https://www.ietf.org/mailman/listinfo/ntp



--
"Man is born free, but everywhere he is in chains".
--Rousseau.
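The "missing pieces" Watson points at (a pool NTS-KE server and the individual NTP servers sharing cookie key material, and keeping that shared ring consistent across rotations) can be made concrete with a small model. The following is an added example, not code from the draft, from the pool, or from any NTS implementation: the cookie layout (key_id || nonce || ciphertext || tag), the HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, the retention window, and the assumption that key IDs increase monotonically and are distributed to servers out of band are all constructed here for illustration.

```python
"""Model of a cookie key ring shared between a pool NTS-KE server and an
NTP server. Added example, not the draft's or any implementation's format.
Constructed cookie layout: key_id(4) || nonce(16) || ciphertext || tag(32).
Keystream = HMAC-SHA256(master, nonce || counter); tag = HMAC over header+ct."""
import hashlib
import hmac
import os
import struct

HEADER_LEN = 4 + 16   # key_id + nonce
TAG_LEN = 32


def keystream(master: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the master key (illustrative)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(master, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CookieKeyRing:
    """Master keys indexed by key_id. The newest key seals new cookies; a few
    older keys are retained so cookies issued before a rotation still open.
    Assumes key_ids only ever increase (constructed assumption)."""

    def __init__(self, keep_old: int = 2):
        self.keys = {}          # key_id -> 32-byte master key
        self.current = None
        self.keep_old = keep_old

    def rotate(self, key_id: int, master: bytes) -> None:
        self.keys[key_id] = master
        self.current = key_id
        while len(self.keys) > self.keep_old + 1:   # drop keys outside the window
            del self.keys[min(self.keys)]

    def seal(self, c2s: bytes, s2c: bytes, aead_id: int) -> bytes:
        """NTS-KE side: wrap the negotiated AEAD id and C2S/S2C keys."""
        master = self.keys[self.current]
        nonce = os.urandom(16)
        plaintext = struct.pack(">H", aead_id) + c2s + s2c
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(master, nonce, len(plaintext))))
        header = struct.pack(">I", self.current) + nonce
        tag = hmac.new(master, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, cookie: bytes):
        """NTP server side: returns (aead_id, c2s, s2c) or None if the key is
        unknown (rotated out, or not yet distributed) or the tag fails."""
        key_id = struct.unpack(">I", cookie[:4])[0]
        master = self.keys.get(key_id)
        if master is None:
            return None
        header, ct, tag = cookie[:HEADER_LEN], cookie[HEADER_LEN:-TAG_LEN], cookie[-TAG_LEN:]
        expected = hmac.new(master, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        pt = bytes(c ^ k for c, k in zip(ct, keystream(master, header[4:], len(ct))))
        aead_id = struct.unpack(">H", pt[:2])[0]
        half = (len(pt) - 2) // 2
        return aead_id, pt[2:2 + half], pt[2 + half:]


def demo():
    """Walk a KE server and an NTP server through rotations where the NTP
    server lags one rotation behind. Returns four booleans."""
    shared = {kid: os.urandom(32) for kid in (1, 2, 3, 4)}   # constructed keys
    ke, ntp = CookieKeyRing(keep_old=2), CookieKeyRing(keep_old=2)
    for kid in (1, 2):
        ke.rotate(kid, shared[kid])
        ntp.rotate(kid, shared[kid])
    c2s, s2c = os.urandom(32), os.urandom(32)
    aead_id = 15          # AEAD_AES_SIV_CMAC_256 in the IANA AEAD registry
    cookie = ke.seal(c2s, s2c, aead_id)
    in_sync = ntp.open(cookie) == (aead_id, c2s, s2c)
    ke.rotate(3, shared[3])
    ntp.rotate(3, shared[3])
    ke.rotate(4, shared[4])                    # NTP server has not received key 4
    stale_ok = ntp.open(cookie) == (aead_id, c2s, s2c)          # key 2 still retained
    ahead = ntp.open(ke.seal(c2s, s2c, aead_id)) is None        # key 4 unknown here
    tampered = ntp.open(cookie[:-1] + bytes([cookie[-1] ^ 1])) is None
    return in_sync, stale_ok, ahead, tampered


if __name__ == "__main__":
    print(demo())
```

The `ahead` case is the operational point: as soon as the pool's NTS-KE server rotates before every NTP server in the pool has the new master key, freshly issued cookies fail on those servers, so key distribution, retention depth and rotation timing all have to be agreed between the pool and its operators, which is the extra protocol the message describes.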