IETF Logo Mail Archive

Re: [Ntp] ntpv5 requirements

kristof.teichel@ptb.de Wed, 15 February 2023 09:14 UTC

Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9403C16952E for <ntp@ietfa.amsl.com>; Wed, 15 Feb 2023 01:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6cslFRVUcS0 for <ntp@ietfa.amsl.com>; Wed, 15 Feb 2023 01:14:21 -0800 (PST)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2FECC151546 for <ntp@ietf.org>; Wed, 15 Feb 2023 01:14:21 -0800 (PST)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id 31F9EIVc004893-31F9EIVe004893 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <ntp@ietf.org>; Wed, 15 Feb 2023 10:14:18 +0100
In-Reply-To: <B5BBCED7-23AB-435E-A512-1661A8E108BE@gmail.com>
References: <DB8PR02MB5772E45732B25646F7CAE211CFD99@DB8PR02MB5772.eurprd02.prod.outlook.com> <Y+pgBgc/5dJ9wtAP@localhost> <2bbcdc7b-a47c-8421-0278-0ac364faaeea@nwtime.org> <OF7B624B98.C1ECCBBE-ONC1258956.00440F55-C1258956.00448C93@ptb.de> <8bfc7ac6-7696-1ac8-c2a3-62aa0084e07f@nwtime.org> <B5BBCED7-23AB-435E-A512-1661A8E108BE@gmail.com>
To: Dieter Sibold <dsibold.ietf@gmail.com>
Cc: ntp@ietf.org
MIME-Version: 1.0
X-KeepSent: CCDCD44D:8E1AE7FB-C1258957:003077B0; type=4; name=$KeepSent
From: kristof.teichel@ptb.de
Message-ID: <OFCCDCD44D.8E1AE7FB-ONC1258957.003077B0-C1258957.0032BF12@ptb.de>
Date: Wed, 15 Feb 2023 10:14:17 +0100
X-MIMETrack: Serialize by Router on MAILGW01/PTB at 02/15/2023 10:14:18 AM, Serialize complete at 02/15/2023 10:14:18 AM
Content-Type: multipart/alternative; boundary="=_alternative 0032BF12C1258957_="
X-FE-Last-Public-Client-IP: 141.25.87.32
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=references:to:cc:mime-version:subject:from:message-id:date:content-type; bh=mex+4p40zPEUHGNoYdZ+sVaVOHdtcl1ucjr8HnfuEmY=; b=ItN4Js8oiVNISlKtx/hKv4UWkBy5/WCkvX11xCKyAM0uoNQ9UhPG8EDs+SL2aZwNCuA6L4ePXUh7 XCdrJsgXMwe2iZDal/u08xwjxeyevXtt2zlkFdrxmoTGXbaPVtXLcaVQ7o4JYSa44pa33cPOzPWr 5QGHqBi0wRRNp0v5nY347J9Ha3oWainwlZ5pqycnrgcW25fEH8zrzsWMMx18f07PFWdd71IZM/ER Ut+5ehNtr664hBZmFmRYmlUzeyxEZflAJS0fZRtM4NJTj0VZHIHGhD2jfdYfIfQ15hrkaPSPP+nf T4DQIYy0sAB2IY5IL/C0wJBjWID6RNX3mxSatw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/klZxtR-pLRXkLcog2ybzSj2cIx4>
Subject: Re: [Ntp] ntpv5 requirements
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2023 09:14:27 -0000

> Von: "Dieter Sibold" <dsibold.ietf@gmail.com>
> Betreff: Re: [Ntp] ntpv5 requirements
> 
> RFC 4082 describes TESLA in the context of multicast/broadcast only.
> Hence, I?m not sure that the security guarantees of the TESLA 
> approach are valid for the client-server mode. Before thinking about
> some TESLA like approach only for the sake of performance we would 
> need to clarify this question. Preferentially, this should be done 
> by a security analyst.

I think we know enough about TESLA to answer this.
- Yes, it is explicitly meant and designed for broadcast purposes, using 
it for client-server is not even close to its intended use-case
- It requires/assumes rough synchronicity in the first place; and if we 
allow unsecured synchronisation during initialisation, we kind of defeat 
ourselves
- Related: It has a documented weakness when used for securing time 
transfer messages (i.e., delay attacks affect it *much* worse than they 
affect other security schemes, because they can affect that assumed rough 
synchronicity) 
- It won't allow instant authentication, you have to wait out the key 
disclosure time; you can either wait longer before processing your time 
transfer message, or keep those times short and compound your security 
problem with the required synchronicity
- It also (someone already noted this) requires initial setup exchanges 
with expensive crypto; and of course less-expensive symmetric crypto for 
time transfer messages... so what performance would we even be saving?

I feel like we went to buy something to help us drive nails into a wall, 
don't like the hammer that's on sale, and are now wondering aloud about 
buying that two-man crosscut saw.
 
> PTB enhanced all its public facing NTP servers with NTS. We observe 
> that NTS traffic is increasing but slowly. In case of PTB the amount
> is smaller than 1% of the total traffic. Hence it should be safe for
> the NIST to enable NTS also. Beside, if the amount of traffic is 
> going to be a problem the NTP and NTS service can also be provided 
> by FPGA; see for example Netnod?s NTS service.

I agree completely. 
Between the option for separate NTS key servers and the FPGA 
implementation, scaling should not actually be a problem.
It is just additional hardware, not something really prohibitive like a 
giant list of keys that needs to be managed manually; I'm just guessing 
around here, but maybe Judah was still thinking of that (from 
symmetric-key NTP security days) for some reason?
 
> Dieter
> 
> > Am 15.02.2023 um 04:10 schrieb Harlan Stenn <stenn@nwtime.org>:
> > 
> > I don't see that you are disagreeing with me regarding the 
> "priority" of performance.
> > 
> > And blindly following "amplification goal-stated as zero" has some
> pretty onerous consequences.
> > 
> > H
> > 
> > On 2/14/2023 4:28 AM, kristof.teichel@ptb.de wrote:
> >> The reason that scalability and performance have traditionally 
> been listed last in NTS documents is less that they are in any way 
> secondary -- and more that they follow a pattern of "...and it needs
> to do all of the above in such a way that it retains scalability and
> performance as far as possible".
> >> (And perhaps a bit of them being quantitative goals rather than 
> absolute/qualitative; performance is gonna get worse with crypto 
> rather than without, the goal is to keep it reasonable/best possible
> -- whereas e.g. amplification can be cleanly goal-stated as zero.)
> >> Besten Gruß / Kind regards,
> >> Kristof Teichel
> >> __________________________________________
> >> Dr.-Ing. Kurt Kristof Teichel
> >> Physikalisch-Technische Bundesanstalt (PTB)
> >> Arbeitsgruppe 4.42 "Zeitübertragung"
> >> Bundesallee 100
> >> 38116 Braunschweig (Germany)
> >> Tel.:    +49 (531) 592-4471
> >> E-Mail: kristof.teichel@ptb.de
> >> __________________________________________
> >> Von: "Harlan Stenn" <stenn@nwtime.org>
> >> An: ntp@ietf.org
> >> Datum: 13.02.2023 23:29
> >> Betreff: Re: [Ntp] ntpv5 requirements
> >> Gesendet von: "ntp" <ntp-bounces@ietf.org>
> >> 
------------------------------------------------------------------------
> >> On 2/13/2023 8:06 AM, Miroslav Lichvar wrote:
> >>> On Thu, Feb 09, 2023 at 05:18:20PM +0000, Doug Arnold wrote:
> >>>> For example: Judah Levine at NIST recently told me that he 
> cannot  implement NTS with his current server resources and the number 
of
> >> clients NIST supports.  However, when I told him about TESLA he 
> thought a scheme based on that would be doable, as long as the keys 
> didn?t have to change too often.
> >>> That is interesting as NTS was specifically designed to scale well 
to
> >>> very large numbers of clients.
> >> I don't recall performance in NTS as being a primary goal of the 
design.
> >> Sure, it was listed as *a* goal, but the primary goals were around
> >> "security".
> >>> Is their concern about decryption
> >>> and encryption of NTS-protected NTP packets, or rather TLS in 
NTS-KE?
> >> >
> >>> In 2016 they reported they had about 200k requests per second across
> >>> all their servers [1]. Even if it was 100x more today and all 
clients
> >>> were using NTS, that could still be handled by a dozen of servers 
with
> >>> multi-core CPUs and AES acceleration. In my tests I get about 200k/s
> >>> per core.
> >> From what I've heard, NTS key operations take 5-10x the amount of
> >> compute power beyond what NTP needs.
> >>> NTS-KE traffic is more difficult to predict as it depends on the
> >>> client implementations. I would be curious to see what NTS-NTP to
> >>> NTS-KE request ratio do the well-known NTS providers like Cloudflare
> >>> and Netnod have.
> >>> [1] https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf
> >> <https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf>
> >> --
> >> Harlan Stenn <stenn@nwtime.org>
> >> http://networktimefoundation.org <http://networktimefoundation.org/
> >- be a member!
> >> _______________________________________________
> >> ntp mailing list
> >> ntp@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ntp <https://www.ietf.org/
> mailman/listinfo/ntp>
> > 
> > --
> > Harlan Stenn <stenn@nwtime.org>
> > http://networktimefoundation.org - be a member!
> > 
> > _______________________________________________
> > ntp mailing list
> > ntp@ietf.org
> > https://www.ietf.org/mailman/listinfo/ntp
> 
> [Anhang "signature.asc" gelöscht von Kristof Teichel/PTB] 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email