Re: [Ntp] NTS Pools
David Venhoek <david@venhoek.nl> Wed, 28 February 2024 13:40 UTC
Return-Path: <david@venhoek.nl>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED8F7C14F61C for <ntp@ietfa.amsl.com>; Wed, 28 Feb 2024 05:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=venhoek-nl.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lIavKGmbwqVG for <ntp@ietfa.amsl.com>; Wed, 28 Feb 2024 05:40:18 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75EBFC14F60D for <ntp@ietf.org>; Wed, 28 Feb 2024 05:40:17 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id a640c23a62f3a-a43fc42e697so74670966b.1 for <ntp@ietf.org>; Wed, 28 Feb 2024 05:40:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=venhoek-nl.20230601.gappssmtp.com; s=20230601; t=1709127615; x=1709732415; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=uqDvBAgIvADr54Pfj1KE9wS25vids2WXOkMt6tkSOsU=; b=IRzUgtEn0nwrtUpsOuqbdbtPO9vTOvmfUETIcwvxXuWnWuP5ZLdkWme4EiPnOBwGix occhJ6HuBdarxXU1CpPVRgpErX2CCU9GbhVx8luR6NiZ/5O3QCW41pNHvvJUm8HVyq8m a57aa+3Nq31S+9flcj0yI0sB9mYVWZlRbKDm88iK46YTmCD9qbBSuCr3ZaTTK4QVdUnv qANlMevjLh7GYNDjeQNpj1P6uDyabLkANGHXfOMRx5TkskwJKMyy+hIm4t+sf/wlxHq3 BflUaIdhHOZWy01sxAMZmThLTQhhhyzhZTQdtD+WbjcsyE4iuLUMYNrdpGCpOmxPL7Au CF3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709127615; x=1709732415; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uqDvBAgIvADr54Pfj1KE9wS25vids2WXOkMt6tkSOsU=; b=tHMxRilHzY0EkK2enLGfDuI5mnCoIvz05RynLS/3KMUcFlNM96ogUMHAk0Hxn61MBm ssxpwo4HYS0OcJanwiGYPG/BQsqD3mmkBrU5M4rNNLepzo9cgHNtvZ3kqUmtji/EcQCD 17RUUUgvtMT2dOFUzuP0qxyfk25be9RN+ov+FQgoA0JzxpAuSb9sdqgBpaCRnmxjYRkV 6vclCkLbeIlHbJSSmhyO4ZlBonSkVT+Wd6YS3e33pt1rcUXWj9pdELOA7TewmwzkgmPf vt44lpdaNwefNc78FeDLZ54HbE66V8EH5F2ed/NyD7foByucMhLuxmt2t0LRj9o70Poa zGww==
X-Forwarded-Encrypted: i=1; AJvYcCVNiOdMtUyRM/578jRUymEZbrxJ1d9hhEAzWL1AK9HNeTXqg0wNWjfFd2+hRN9u7Wtl2lGfamsQ6Lg+JA0=
X-Gm-Message-State: AOJu0YzO31AhMNYwPa8+XDRILzZgzhheXFDXSr9i8gauCvyRAfVHxgce ZwJR+J3HqWlLclaV+OCr16CEEmBqDwAYx5Gj6xEb/dH3O80tUruQNbkfLyH9OVi1dDB8zTPZjL1 CdejoRVd9Hs1wA0jSiVfihk+eOkP6ALRgdh+HDw==
X-Google-Smtp-Source: AGHT+IGLtbjHEcR0hmCSNIFX+q1qxb6mUwcg4iS5DnNdBMtcmjsi1/Xto7pWuOC9Aw8RSitww3NhQPtH6zT6L0ld4bI=
X-Received: by 2002:a17:906:64c:b0:a3f:effa:2134 with SMTP id t12-20020a170906064c00b00a3feffa2134mr7863732ejb.18.1709127615069; Wed, 28 Feb 2024 05:40:15 -0800 (PST)
MIME-Version: 1.0
References: <OF2E6B0FFD.229AD710-ONC1258ACB.004EFEAA-C1258ACB.0050896E@ptb.de> <Zdx0Nst2_w1mEMKG@localhost> <CAPz_-SUSEDaFgfwvnm_FQ5M9jjAAp2Df3A7RTuYY2KPmSq5FkQ@mail.gmail.com> <Zd8MAtzsmXGGBtvq@localhost>
In-Reply-To: <Zd8MAtzsmXGGBtvq@localhost>
From: David Venhoek <david@venhoek.nl>
Date: Wed, 28 Feb 2024 14:40:03 +0100
Message-ID: <CAPz_-SUfREp9_t=Fsm82bfq_+MFfdW0gXJmnLhFFs9+_eHKoHQ@mail.gmail.com>
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: martin.langer=40ptb.de@dmarc.ietf.org, NTP WG <ntp@ietf.org>, Dieter.Sibold@ptb.de, Kristof.Teichel@ptb.de, Rainer Bermbach <r.bermbach@ostfalia.de>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/iB4vhi-9DnHGCptK6PexHlsdcyk>
Subject: Re: [Ntp] NTS Pools
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 13:40:20 -0000
Dear Miroslav, I have added the row with computational cost, and for reference also included a few other interesting computational cost parameters. As to regard to your new proposal, I was wondering how that would work with the key derivation? I don't see a way to get the key derivation on the TLS session with the backend to result in exactly the same key as that coming from the session with the client (in fact, if it could I'm wondering whether that would be a security issue for TLS). It is exactly this trouble that leads to the server changes in the NTS-KE load balancer case. Kind regards, David Venhoek On Wed, Feb 28, 2024 at 11:33 AM Miroslav Lichvar <mlichvar@redhat.com> wrote: > > On Wed, Feb 28, 2024 at 09:29:47AM +0100, David Venhoek wrote: > > Hi All, > > > > I have made a spreadsheet showing a short overview of the implications > > of the various options, see > > https://docs.google.com/spreadsheets/d/1rxEArrbN5OKgsFI9KUzmOzI1twDztQc6aEUZr5WelVU/edit?usp=sharing > > This is great. Thanks! > > Can you please add a row comparing computational cost of TLS wrt > number of clients for the pool provider (e.g. 0, 1, N, 2N)? > > I have another proposal to consider. The pool provider could simply > terminate TLS and forward NTS-KE communication between clients and > individual NTS-KE servers run by the NTP providers. No modifications > required on clients or servers. The NTS-KE servers would just need to > be configured to provide their IP address in the server negotiation > record, so the client doesn't send requests to the pool's TLS host. > The TLS cost for the pool provider would be 2N. > > -- > Miroslav Lichvar >
- Re: [Ntp] NTS Pools Luke Valenta
- [Ntp] NTS Pools martin.langer
- Re: [Ntp] NTS Pools "Dr. Dieter Sibold"
- Re: [Ntp] NTS Pools martin.langer
- Re: [Ntp] NTS Pools Miroslav Lichvar
- Re: [Ntp] NTS Pools David Venhoek
- Re: [Ntp] NTS Pools Miroslav Lichvar
- Re: [Ntp] NTS Pools David Venhoek
- Re: [Ntp] NTS Pools Miroslav Lichvar
- Re: [Ntp] NTS Pools David Venhoek
- Re: [Ntp] NTS Pools Miroslav Lichvar
- Re: [Ntp] NTS Pools Windl, Ulrich
- Re: [Ntp] NTS Pools David Venhoek
- [Ntp] Antwort: Re: NTS Pools martin.langer
- Re: [Ntp] NTS Pools David Venhoek
- Re: [Ntp] NTS Pools Salz, Rich
- Re: [Ntp] NTS Pools Watson Ladd
- Re: [Ntp] NTS Pools Salz, Rich