IETF Logo Mail Archive

Re: [Ntp] NTS IANA request

" tglassey@earthlink.net " <tglassey@earthlink.net> Sun, 09 June 2019 08:50 UTC

Return-Path: <tglassey@earthlink.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EB0512014E for <ntp@ietfa.amsl.com>; Sun, 9 Jun 2019 01:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Level:
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.415, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=earthlink.net; domainkeys=pass (2048-bit key) header.from=tglassey@earthlink.net header.d=earthlink.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F_WG7-ChjE7d for <ntp@ietfa.amsl.com>; Sun, 9 Jun 2019 01:50:12 -0700 (PDT)
Received: from elasmtp-galgo.atl.sa.earthlink.net (elasmtp-galgo.atl.sa.earthlink.net [209.86.89.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F27A120099 for <ntp@ietf.org>; Sun, 9 Jun 2019 01:50:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=earthlink.net; s=dk12062016; t=1560070212; bh=jXZDD4bS35EgmR7ogu3+loj5H6ygvVPDltKO Nzp66zM=; h=Received:To:From:Cc:Subject:Date:MIME-Version: Content-Type:Message-ID:X-ELNK-Trace:X-Originating-IP; b=kQ97fDIAR MrfCe17mL7i6tYwtuzraptmx4ydxFjFxL038OAm0hiV+LFOw6/LrYqer8MZs65GinwE VcQal2KkOuMqA2FhhuJ8TWbKwc/B70axPQMF/rVEGEI6Ycqk+/k2dCiorZOUyal7fRX paYHlag+WFwa2YYrGks3GsQZ1Sxl99AlP1/jb18mFVrYPywWOM4r0Sd7xEUBau1IGHw 1SaWNQc78nGoK+gPNs7PYLQYGmEqFHG6bcxAVeb/rYpO9t9+SWWkSm2+tV7qVXmLVBM B29CW+N6oKoUKEjJoZaJG3d35huo/wwOl3WNsFz3rQO0d8w/sNCWqG08BFWRbAFAg==
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dk12062016; d=earthlink.net; b=N44QChaEWk52Cbvh7I/UVO2VdZNYt/pn2Un3Y9VNwlMGhF+Bz4NGzbX5oZuB5wtlhOMQ1nyHOEX2o3tBxyZLagfpM/IJ6LdMz8V5wIAaSKWRrnjA8PJdkaGQSIt32BRVhFUzT8TPjEQWeFgJQs7XdU5wkMLQoI4h7xT4XsvHhMsXWbkJdS5nNwCX0X5GYYec3rbgDRpSwWhi42NKrwl/KgobyNLp4FjztkFh+B3ci3f2+gCceA+qcAGteOSis1lws9zJpAK5bjZut3/IPFyezlNnpoqVX0OqAwN1iYnc0ypugy6dhkabHViZgBIO4Q/1o1V/CIH4Xr0Pa7rDq20PEw==; h=Received:To:From:Cc:Subject:Date:MIME-Version:Content-Type:Message-ID:X-ELNK-Trace:X-Originating-IP;
Received: from [107.92.56.110] (helo=[10.169.158.27]) by elasmtp-galgo.atl.sa.earthlink.net with esmtpa (Exim 4) (envelope-from <tglassey@earthlink.net>) id 1hZtWh-0004u3-S8; Sun, 09 Jun 2019 04:50:08 -0400
To: "kodonog@pobox.com" <kodonog@gmail.com>, Harlan Stenn <stenn@nwtime.org>
From: "tglassey@earthlink.net" <tglassey@earthlink.net>
Cc: ntp@ietf.org
Date: Sun, 09 Jun 2019 11:50:05 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_0_1560070205438"
Message-ID: <E1hZtWh-0004u3-S8@elasmtp-galgo.atl.sa.earthlink.net>
X-ELNK-Trace: 01b7a7e171bdf5911aa676d7e74259b7b3291a7d08dfec792b97e117f99b52c5887e21c5343c4942350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 107.92.56.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/kOzCyFvcp7Fj5xSXvS9bk3mXFBE>
Subject: Re: [Ntp] NTS IANA request
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jun 2019 08:50:17 -0000

Thank you Karen. 

I want to spin thus with there are today three areas of concern. They are 

1) ultra accurate time transfer and the receipt and acknowledgement of that transfer. 

2) use policy controls for time servers and clients 

3) audit mechanisms for proving the integrity after the fact of #1's functionality. 

Not all use models will be totally compatible with #2 and #3 so we need to understand and build templates for each.  

The goal is to build a unified tool suite for as many use constructs and methods as we can, and ones that simplify proving time transfer and tracking accuracy in All (or as many as possible) methods or templates we build.

This is key for other standards to rely on NTP as part if their standards. Take PCIDSS as10.4 for example as just one critical external standard relying on NTP. 

The ideas espoused in limiting specific use models by a few here are actually dangerous to the bigger picture of building secured and reliable time transfer practicess, so in that sense I wanted to thank you for these comments.

//tsg

Sent from my HTC, so please excuse any typos.

----- Reply message -----
From: "kodonog@pobox.com" <kodonog@gmail.com>
To: "Harlan Stenn" <stenn@nwtime.org>
Cc: <ntp@ietf.org>
Subject: [Ntp] NTS IANA request
Date: Fri, Jun 7, 2019 06:23

Harlan,

As we have discussed privately, this type of email response is not helpful.
Please limit your comments on the mailing list to specific technical concerns.

Thank you!
Karen

On 6 Jun 2019, at 17:42, Harlan Stenn wrote:

> As best as I can tell, the following is total rubbish.
>
> H
>
> On 6/6/2019 11:28 AM, Daniel Franke wrote:
>> As a slight tangent, we never concluded the discussion as to what
>> we're going to do about the fact that so many ISPs are dropping
>> 123/udp traffic with payloads larger than 48 bytes. I think we got as
>> far as concluding:
>>
>> 1. We're never going to persuade enough ISPs to change their policy,
>> making 123/udp basically doomed.
>> 2. NTS-KE's port negotiation record gives us all the mechanism we >> need
>> in order to run NTP-with-NTS over an alternate port.
>>
>> But that left an unresolved question: do we allocate a fixed >> alternate
>> UDP port, or should servers ask the OS for a dynamic port and then >> use
>> NTS-KE to advertise whatever the OS assigns to them? Both choices >> have
>> firewall-related drawbacks. If we use a fixed port, we risk landing
>> ourselves right back in the same situation we're in today with 123. >> At
>> minimum, to protect ourselves from this, the NTF would have to commit
>> to adding some code to ntpd such that it will refuse to ever send >> mode
>> 6 or 7 responses over the new port no matter what configuration the
>> user gives it. (Yes, mode 6 too, because mode 6 still amplifies, just
>> not as severely as mode 7 does). If we use a dynamic port, then it
>> becomes much harder for ISPs to block us, but it also becomes harder
>> for corporate firewalls with a default-deny-all policy to let us
>> through.
>>
>> On Thu, Jun 6, 2019 at 1:06 PM Salz, Rich <rsalz@akamai.com> wrote:
>>>
>>>>    I'm strongly opposed to modifying NTS-KE to involve sending a >>>> STARTTLS
>>>     as a first step of the handshake. I don't want to make a >>> breaking
>>>     change to a protocol that's passed WGLC and has four >>> interoperating
>>>     implementations in order to accommodate a protocol that has >>> never been
>>>     implemented and whose specification consists of three vague >>> sentences
>>>     in an unadopted and expired I-D.
>>>
>>> I wasn't strongly advocating either mechanism, just trying to >>> explain how things could share a port if that's what we wanted to >>> do.
>>>
>>> For the record, since I see no definition of NTP/TLS, I am in favor >>> of assigning 123/TCP to NTS.

v2.23.0 | Report a Bug | By Email