[Ntp] Late-stage feedback on Roughtime draft - Clarification and potential revisions needed
kristof.teichel@ptb.de Mon, 19 June 2023 09:36 UTC
Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35B83C1522C8 for <ntp@ietfa.amsl.com>; Mon, 19 Jun 2023 02:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id prGaR-EMqk5A for <ntp@ietfa.amsl.com>; Mon, 19 Jun 2023 02:36:21 -0700 (PDT)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A125DC1522CB for <ntp@ietf.org>; Mon, 19 Jun 2023 02:36:20 -0700 (PDT)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id 35J9aDPq019330-35J9aDPs019330 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <agl@imperialviolet.org>; Mon, 19 Jun 2023 11:36:13 +0200
To: NTP WG <ntp@ietf.org>
Cc: Aanchal Malhotra <aanchal4@bu.edu>, Watson Ladd <watsonbladd@gmail.com>, Marcus Dansarie <marcus@dansarie.se>, agl@imperialviolet.org, martin.langer@ptb.de
MIME-Version: 1.0
From: kristof.teichel@ptb.de
Message-ID: <OFCDF36FF2.AF3233C1-ONC12589D3.00320AFE-C12589D3.0034C099@ptb.de>
Date: Mon, 19 Jun 2023 11:36:11 +0200
Content-Type: multipart/alternative; boundary="=_alternative 0034C097C12589D3_="
X-FE-Last-Public-Client-IP: 141.25.87.32
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=to:cc:mime-version:subject:from:message-id:date:content-type; bh=53MpWLqKtd531YL6mcuczgYOzGDdC5kjHNCg2LBZlwI=; b=txxc24rxktW19gQlRbNpPP1ZEX+X+AVVKUDs8l3ce1nnk2u2c9ntIrnVYxmUAM3InAhxJgonUzcG 20y9JWRE5QHe9/SqyVeymNcNl5mSpibDl0pQTpn6x6wgex1fd0xErru4DL0XdQ/GKAvVwKCqdiMX OdOw5Ooz/CRmtYUV9b29/6RL9FlPdN/izYjUWTrM1TGhfrAaNwdAQ6KesNUgOdPf14RcUhH6BYhL WrXD5LNFCd0be0wXkoSsdjEpWaapsBhABuR2NF+DwKb20iteiVJhOzw9h3fUcEnWNWgRKAdn0Gwd D2qCqTHPnggtTDaUuDBeLMX8y+qHyUPtb2lcew==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/gTjtLGzspmJ2s3MDdLsYNGV7gxc>
Subject: [Ntp] Late-stage feedback on Roughtime draft - Clarification and potential revisions needed
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jun 2023 09:36:26 -0000
Dear Aanchal, Adam, Watson, and Marcus, dear NTP WG members, we hope you're all well. We apologize in advance for bringing this to your attention at such a late stage in the process, but there are a few points about the Roughtime draft that my colleague and I felt compelled to share. These thoughts were triggered by a recent paper [1] we read, which conveyed certain implications about Roughtime's capabilities that we found puzzling, such as "cold start" synchronization. This paper is not the only source where we noticed these tendencies and implications, but demonstrates them pretty clearly. [1] Marco Spanghero and Panos Papadimitratos Detecting GNSS misbehavior leveraging secure heterogeneous time sources ( https://www.researchgate.net/publication/370594116_Detecting_GNSS_misbehavior_leveraging_secure_heterogeneous_time_sources ) Intrigued by the paper's assertions, we delved into the draft to better understand the protocol's functionalities and potential advantages. However, the more we studied, the more we found ourselves questioning some elements of the draft, which appeared to diverge from the descriptions we had previously encountered in various talks, blog posts, and indeed, the aforementioned paper. Before going into specifics, I want to stress that we appreciate the tremendous effort that has gone into developing Roughtime and writing this draft. We understand that creating a protocol and its accompanying documentation is a complex and time-consuming task. Our intention in providing this feedback is to contribute constructively to the ongoing work, and to help ensure that the final draft accurately reflects Roughtime's features, capabilities, and potential applications. We have noted four main areas where we believe the draft (as of https://datatracker.ietf.org/doc/html/draft-ietf-ntp-roughtime-07) could benefit from further clarification and/or revision. 1. Lack of Clarity on the Meaning of "Rough" and its Implications: The Roughtime draft lacks clarity regarding the meaning of "rough" and its implications, failing to specify the degree of accuracy or imprecision it aims to achieve, and not highlighting potential use cases for this level of time synchronization. The document may inadvertently misrepresent the trade-offs involved, potentially leading to misconceptions about the level of precision and security offered by Roughtime compared to other protocols. Additionally, it gives the misleading impression that Roughtime could effectively handle a "cold start" synchronization, fostering incorrect expectations about its capability to solve the inherent chicken-and-egg problem in reliable time synchronization. 2. Lack of Description of Reporting Mechanism and its Impact: The Roughtime draft inadequately explains its unique feature, the client-side cryptographic proof of server misbehavior, leaving questions about how this proof is generated, verified, reported, and handled. The draft fails to clarify how this reporting system, which seems more focused on accountability than accuracy, directly benefits time clients who are primarily interested in obtaining accurate time. Furthermore, the draft fails to address details such as potential abuse by malicious clients, who could intentionally skew their local clocks to falsely implicate servers, leading to potential distrust or blacklisting. 3. Lack of Explanation of Security Model: Roughtime's security model, relying on a majority of servers to provide accurate times, lacks sufficient explanation and could be vulnerable to coordinated attacks. The protocol doesn't adequately address potential threats related to the Byzantine Generals Problem, such as botnet attacks, undermining its overall security integrity. 4. Insufficient Explanation of Protocol's Security Measures: Roughtime's security measures are not clearly explained, with clients' time verification relying on possibly unreliable local clocks, and the protocol failing to prevent smaller time manipulations by servers. Furthermore, the accuracy of the protocol is contingent on precise radius estimation by servers, creating potential for errors in accepting or rejecting responses. We understand that addressing this feedback may require significant effort, and we apologize for the late timing of these comments. We hope that our insights will be helpful as you continue to refine the draft, and we would be happy to discuss these points further if it would be beneficial. Thanks for your understanding, and we look forward to your response. (We will both be business travelling in the upcoming week, responses might take longer then) Besten Gruß / Kind regards, Kristof Teichel and Martin Langer APPENDIX (below) More detailed version of our feedback for the four areas. 1. Lack of Clarity on the Meaning of "Rough" and its Implications: 1.1 Lack of Clarity on the Meaning and Use Cases: The draft fails to clearly define what the "rough" in Roughtime means. Without this information, it's difficult to assess the appropriateness of Roughtime for different use cases. The term "rough" suggests a level of precision that may be less than what protocols like NTP/NTS offer, but the exact scale (seconds, tens of seconds, more) is not specified. Additionally, the draft does not highlight the potential use cases that would require this "rough" level of synchronization. This leaves it unclear who the intended users are, and whether the protocol is even suitable for those use cases.The draft should clear both of those points up. 1.2 Potential Misrepresentation of Trade-Offs: The draft may inadvertently give the impression that the "rough" nature of Roughtime is either a feature or a trade-off for a feature, such as enhanced security. This could lead to misconceptions, such as "NTS is less precise than GNSS, but more secure. Therefore, Roughtime, being even less precise, must be even more secure". However, this is not necessarily the case. The draft should clearly explain the trade-offs involved in using Roughtime, and how its level of precision and security compares to other time synchronization protocols. 1.3 Misleading Implication Regarding Cold Start Synchronization: The draft, along with other materials like blog posts and talks about Roughtime, gives the impression that Roughtime could be effectively used for a "cold start" synchronization of a device. This implies that Roughtime could help solve the chicken-and-egg problem inherent in reliable time synchronization: needing secure time to authenticate certificates and keys, but also needing those keys and certificates to secure time synchronization. However, Roughtime, like all other known protocols, cannot truly solve this fundamental issue. Allowing the implication that it can is misleading. It's essential for the draft to clarify this point and ensure that the protocol's limitations, as well as its capabilities, are accurately presented. 2. Reporting Mechanism and its Impact: 2.1 Inadequate Explanation of the Protocol's Unique Feature: The primary unique feature of Roughtime, as highlighted in the draft, is the client-side cryptographic proof of server malfeasance. However, the draft does not provide sufficient detail on how this proof is generated, verified, reported, or handled. As this is a critical aspect of the protocol (as the draft?s Section 12 ?Security Considerations? also states) and its main differentiator from other time synchronization protocols, the lack of detail leaves the utility and effectiveness of Roughtime uncertain. The draft should provide a comprehensive explanation of this feature and how it contributes to secure and reliable time synchronization. 2.2 Disconnect between Feature and Client Interests: Even with a functioning reporting system, it remains unclear how this system would directly benefit a time client. Clients are primarily interested in obtaining accurate time, not necessarily in being able to report servers that provide inaccurate time. While a reporting system could potentially deter servers from providing inaccurate time due to fear of being reported, this is a rather indirect and uncertain way of ensuring accurate time synchronization. The draft should bridge this logical gap by clearly demonstrating how the reporting feature directly contributes to the goal of accurate time synchronization. 2.3 Potential for Slanderous Reports: The Roughtime protocol provides clients the ability to generate reports that demonstrate a server gave an inaccurate time. However, this could potentially be abused by a malicious client. A client could intentionally skew its local clock to make a server's accurate time appear incorrect, and then generate a report claiming that the server is providing inaccurate time. This report, which includes a signed response from the server, could falsely implicate the server. Given that these reports could be used as a basis for distrusting or even blacklisting servers, this could be a serious vulnerability in the protocol. But it remains unclear, since the reporting system is not specified at all - the draft needs to address this. 3. Insufficient Explanation of Security Model: 3.1 Reliance on Multiple Servers: To mitigate the risk of accepting incorrect times, a client can compare responses from multiple Roughtime servers. However, this requires the client to trust that a majority of the servers it communicates with are providing accurate times. The draft should recognize and address this. 3.2 Vulnerability to Coordinated Attacks: If Roughtime's security largely depends on majority decisions, then it could be vulnerable to coordinated attacks, such as those from a botnet. A coordinated group of malicious servers could provide false time information, and a group of malicious monitoring clients could falsely report genuine servers, potentially undermining the protocol's security. This issue is related to the Byzantine Generals Problem, a situation where agreement must be reached among distributed entities that may not all be honest. The draft should discuss how Roughtime addresses this problem and what measures are in place to protect against coordinated attacks. 4. Insufficient Explanation of Protocol's Security Measures: 4.1 Non-Cryptographic Verification: While the server's response is signed, the client's verification process depends on comparing the server's response to its own view of the current time, which is not inherently reliable. The draft should address this. 4.2 Client's Time Uncertainty: The effectiveness of Roughtime's robustness against skewed server clocks relies on the client's ability to compare the received time interval with its own local clock. However, clients might have inaccurate or unreliable local clocks to begin with. In such cases, it becomes challenging for the client to effectively judge whether the received time from a server is accurate or not. This uncertainty could lead to accepting incorrect times or rejecting valid ones, undermining the robustness of the protocol. 4.3 Server Small-Scale Misbehavior: If a server is intentionally providing slightly incorrect times, Roughtime's protocol doesn't prevent this.Minor manipulations might go unnoticed. 4.4 Radius Accuracy: The effectiveness of the protocol depends on the server accurately estimating the radius. If the server's radius is too small, valid responses might be incorrectly rejected by the client, and if the radius is too large, incorrect times might be accepted. __________________________________________ Dr.-Ing. Kurt Kristof Teichel Physikalisch-Technische Bundesanstalt (PTB) Arbeitsgruppe 4.42 "Zeitübertragung" Bundesallee 100 38116 Braunschweig (Germany) Tel.: +49 (531) 592-4471 E-Mail: kristof.teichel@ptb.de __________________________________________
- [Ntp] Late-stage feedback on Roughtime draft - Cl… kristof.teichel
- Re: [Ntp] Late-stage feedback on Roughtime draft … Watson Ladd
- Re: [Ntp] [EXT] Re: Late-stage feedback on Rought… Windl, Ulrich
- Re: [Ntp] [EXT] Re: Late-stage feedback on Rought… Watson Ladd