Re: [Ntp] WGLC - draft-ietf-ntp-ntpv5-requirements

kristof.teichel@ptb.de Tue, 12 December 2023 13:28 UTC

Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D95DC48CAEB for <ntp@ietfa.amsl.com>; Tue, 12 Dec 2023 05:28:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.404
X-Spam-Level:
X-Spam-Status: No, score=-4.404 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgefWOS1XnrU for <ntp@ietfa.amsl.com>; Tue, 12 Dec 2023 05:28:02 -0800 (PST)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E01AC05DDD3 for <ntp@ietf.org>; Tue, 12 Dec 2023 05:28:01 -0800 (PST)
Received: from s23397.bs.ptb.de ([172.21.101.132]) by mx1.bs.ptb.de with ESMTP id 3BCDRwjI004020-3BCDRwjK004020 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 12 Dec 2023 14:27:58 +0100
In-Reply-To: <CA+mgmiMFLDRggrBUzdJyjhgbM6q0m8nY8PUoU5oxbR2HtZh51A@mail.gmail.com>
References: <CA+mgmiMFLDRggrBUzdJyjhgbM6q0m8nY8PUoU5oxbR2HtZh51A@mail.gmail.com>
To: ntp@ietf.org
Cc: james.ietf@gmail.com, Karen ODonoghue <kodonog@pobox.com>, dieter.sibold@ptb.de
MIME-Version: 1.0
From: kristof.teichel@ptb.de
Message-ID: <OF33DB0AFF.1649DFBE-ONC1258A83.002F27E4-C1258A83.0049F82B@ptb.de>
Date: Tue, 12 Dec 2023 14:27:56 +0100
Content-Type: multipart/alternative; boundary="=_alternative 0049F82BC1258A83_="
X-FEAS-Client-IP: 172.21.101.132
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=references:to:cc:mime-version:subject:from:message-id:date:content-type; bh=4fBL4TVaZq+ivlydHCvKg2blPJN2lxPPxpq1ausqrfU=; b=nrTe2H663ccMf280lFgIFs+cwuk6hpr9Q3XS7PW8ATOnMr84E8riHxdFK4PoM/MORppOWYEMSK9s BFgRp8inTDttxfLVr4Q4kKMSV/1zVQphWNwhXaA091IxRvJg1N0RzL18uwC3PwEIOlV6bSeEdQaG hXkC36fcvHw+vSYnD7CcHgD6rHJhLSjnT3sFFZNCxUudjW8ZaUxVdK6HD+QMwig8VrS7Rw5CF/7E 9AvMWHkTZ1pK9Yd0gLECYBKh3o5AOe+BtOy+i1dKJohgHdc8IquXO01NUcONLfpIluLPNmBYvA0L lyQok7UDDlL8aVdavG0geI2nZOsbW78DogkcGA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gERbnJ1GZzHafRsItxfnFDeAn6s>
Subject: Re: [Ntp] WGLC - draft-ietf-ntp-ntpv5-requirements
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2023 13:28:07 -0000

Dear James, dear all,

Martin and I have a number of comments on the NTPv5 Requirements draft.
We appreciate the effort that has gone into developing this draft. 
As always, our intention in providing this feedback is to contribute 
constructively to the ongoing work, and to help ensure that the final 
document is as helpful as possible in the development of NTPv5.


General comments:
- It often seems unclear what this document is regulating (what its MUST, 
SHOULD, etc. applies to).
        * Sometimes, it explicitly states that it applies to "the 
[upcoming NTPv5] specification"; this is at least clear and verifiable and 
seems helpful. We give a soft recommendation to change to this wherever 
possible.
        * Sometimes, it alludes to "the WG should be doing X"; we are 
unsure if this is proper for an RFC.
        * Sometimes, the context implies that the requirements apply to a 
(to each?) protocol implementation; we are unsure about this.
        * Most often, requirements are stated to apply to "the protocol"; 
this seems very abstract, non-verifiable, and overall confusing.
- There are lots of instances of non-capitalized "should" (and possibly 
others?); these need to be checked and either eliminated or capitalized. 
Related, there is at least one SHALL NOT between more MUST NOTs; overall, 
consistency needs to be improved for normative clauses.
- The overwhelming majority of normative terms are "SHOULD"; it seems more 
helpful to have more "MUST" - if we're going to regulate things, we should 
avoid so much use of a term that basically means "we would like you to do 
this, but in the end do whatever you want".
- We think the document should state the scope of its requirements 
(on-wire protovol only vs. including processing algorithms vs. everything, 
including clock disciplining).

2 Use Cases and Existing Deployments of NTP
- We are missing the overall description of NTP being used to sync large 
numbers of computer clocks via open (internet-like) networks; we are 
unsure how helpful the specific example use cases (data centers, NTP 
pool?) are
- The whole implied context of "NTP is what you use when PTP isn't 
available" gives a confusing impression; perhaps add (or replace with) a 
mention of the large numbers (billions of users, probably tens of billions 
of devices) that NTP has; 
- It feels like half the text in this section is about possible issues 
and/or PTP - without any transition to us wanting to solve the issues, or 
why NTP might ever be preferable. This should be improved (Martin and I 
could help with appropriate text on this).

3 Threat Analysis and Modeling
- We almost feel like it would be best just to refer to Tal's document 
RFC7384 rather than reproducing and summarizing it here. If the WG feels 
we need a section like this, Martin and I would be ready to supply a 
reworked text.

4 Requirements
- "It should be able to provide enough information for both basic time 
information and synchronisation." We don't quite understand the 
implication with 'basic time information' - can you explain?

4.1 Resource Management
- We feel this whole section runs counter to the subsequent one (Data 
Minimization); we feel that the requirements to support resource 
management (really, mostly rate limiting, some loop avoidance) are overly 
strong; we also feel like most of these features are prone to misuse/abuse 
and pose security risks. In conclusion, we would like to suggest 
lowering/rethinking the requirement levels.
- Couldn't servers simply drop packets when over capacity, clients simply 
look for another server if theirs doesn't respond, or reduce their request 
rate? The logic would be much simpler, the security clearer.

4.2 Data Minimisation
- The term "optional data" needs to be clearly defined (and in my opinion 
discussed again).
- While we agree with the point made about data minimization, we feel that 
it runs counter to many other features/aspects (timescale, resource 
management, leap seconds, security).

4.3 Algorithms
- The headline is confusing; the context with algorithm agility while not 
discussing crypto algorithms seems prone to misunderstandings. Perhaps 
change to "Time Processing Algorithms"?
- The formulation "SHOULD be obvious" seems confusing.
- The second paragraph seems to hint at specification-side modularity 
(on-wire protovol vs. processing algorithms vs. clock disciplining); while 
I like the idea, I believe it is controversial; I'm also unsure I'm even 
understanding the text correctly.

4.4 Timescales
- It seems we should make explicit that "a linear, monotonic timescale" 
cannot be UTC itself.

4.5 Leap Seconds
- The 24 hour explanation seems clunky. How about "ideally 24 hours in 
advance, otherwise as soon as possible"?
- We don't agree with the statement that leap smearing "SHOULD be 
supported [and MUST be dealt with]" in the specification and the 
implementations and "the protocol". 
This (specifally the hard requirement for clients to completely deal with 
all aspects of server side smearing) seems to require a great amount of 
work and effort by specification editors and all future implementors for 
supporting a hack that will be opbsolete in a few years. At the very 
least, this seems like a controversial point that needs more discussion... 
We would probably suggest relegating this to a separate document (and then 
more along the lines of 'if you're going to smear, do it like X').

4.6 Backwards Compatibility with NTS and NTPv4
- We feel that it might be problematic (e.g. security-wise) if an instance 
is running as an NTPv5 server but gets its time via NTPv4/v3.
- Structure: there shouldn't be a 4.6.1 if there isn't also a 4.6.2. (We 
are also unsure if the 4.6.1 'Dependent Specifications' text is needed at 
all.)

4.7 Extensibility
- "Unknown extensions received from a lower stratum server SHALL NOT be 
re-transmitted towards higher stratum servers." ... Should anything ever 
be? Also, isn't this part of "ignoring unknown extensions"?

4.8 Security
- If we shy away from naming a security option (e.g. NTS) as required for 
everyone, we leave the door open for a situation where two implementations 
can only do unsecured communication (because they support different, 
mutually exclusive security options).
- We don't have a strong opinion on what's best, but if we require 
security to be supported, we must specify a minimal supported set. 
- "Downgrading attacks that could lead to an adversary disabling or 
removing encryption or authentication MUST NOT be possible in the design 
of the protocol." is a difficult requirement. Under the problem outlined 
above, it might be simply unfulfillable. Also, it leaves unclear what is 
forbidden (only downgrading to zero security, or any downgrading at all)

5 Non-requirements
- This seems prone to misunderstanding: these are points that we as a WG 
have discussed and consented on not pursuing further; but it might sound 
like optional requirements?

5.1 Server Malfeasance Detection
- I find it problematic to cite a draft (!) and claim that it "already 
provides this capability"; Roughtime is IMO not mature enough to do this

7 Security Considerations
- We are not sure that this is still correct; we do think this document 
opens new considerations (e.g. by requiring authentication and integrity 
to be supported)


To be clear: we want an adapted document to advance and to be submitted to 
the IESG (not to hold up the process or anything).
Thanks for your understanding, and we look forward to your response, 
James; in any case where you might need help with concrete text, we are 
ready to work on it with you.


Besten Gruß / Kind regards,
Kristof Teichel (and Martin Langer)

__________________________________________

Dr.-Ing. Kurt Kristof Teichel
Physikalisch-Technische Bundesanstalt (PTB) 
Arbeitsgruppe 4.42 "Zeitübertragung"
Bundesallee 100
38116 Braunschweig (Germany)
Tel.:        +49 (531) 592-4471
E-Mail:   kristof.teichel@ptb.de
__________________________________________



Von:    "Karen ODonoghue" <kodonog@pobox.com>
An:     ntp@ietf.org
Datum:  30.11.2023 22:29
Betreff:        [Ntp] WGLC - draft-ietf-ntp-ntpv5-requirements
Gesendet von:   "ntp" <ntp-bounces@ietf.org>



NTP WG members,

This email initiates the NTP working group last call for the NTPv5 
requirements document. 
https://datatracker.ietf.org/doc/draft-ietf-ntp-ntpv5-requirements/03/

Please review this document and respond with an email on the following two 
questions: 
1) Please review the document closely and provide comments. It is only 
eleven pages in total so it is a quick read. 
2) Please state whether or not you think this document is ready to be 
submitted to the IESG for publication (pending resolution of any comments 
you have made). Remember that this document will be used to 
drive decisions in the NTPv5 work that is already underway. 

Given the brevity of the document, this WGLC will conclude on Wednesday 13 
November. 

Regards,
Karen and Dieter_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp