Re: [Ntp] ntpv5 requirements
kristof.teichel@ptb.de Wed, 15 February 2023 09:14 UTC
Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9403C16952E for <ntp@ietfa.amsl.com>; Wed, 15 Feb 2023 01:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ptb.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6cslFRVUcS0 for <ntp@ietfa.amsl.com>; Wed, 15 Feb 2023 01:14:21 -0800 (PST)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2FECC151546 for <ntp@ietf.org>; Wed, 15 Feb 2023 01:14:21 -0800 (PST)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id 31F9EIVc004893-31F9EIVe004893 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <ntp@ietf.org>; Wed, 15 Feb 2023 10:14:18 +0100
In-Reply-To: <B5BBCED7-23AB-435E-A512-1661A8E108BE@gmail.com>
References: <DB8PR02MB5772E45732B25646F7CAE211CFD99@DB8PR02MB5772.eurprd02.prod.outlook.com> <Y+pgBgc/5dJ9wtAP@localhost> <2bbcdc7b-a47c-8421-0278-0ac364faaeea@nwtime.org> <OF7B624B98.C1ECCBBE-ONC1258956.00440F55-C1258956.00448C93@ptb.de> <8bfc7ac6-7696-1ac8-c2a3-62aa0084e07f@nwtime.org> <B5BBCED7-23AB-435E-A512-1661A8E108BE@gmail.com>
To: Dieter Sibold <dsibold.ietf@gmail.com>
Cc: ntp@ietf.org
MIME-Version: 1.0
X-KeepSent: CCDCD44D:8E1AE7FB-C1258957:003077B0; type=4; name=$KeepSent
From: kristof.teichel@ptb.de
Message-ID: <OFCCDCD44D.8E1AE7FB-ONC1258957.003077B0-C1258957.0032BF12@ptb.de>
Date: Wed, 15 Feb 2023 10:14:17 +0100
X-MIMETrack: Serialize by Router on MAILGW01/PTB at 02/15/2023 10:14:18 AM, Serialize complete at 02/15/2023 10:14:18 AM
Content-Type: multipart/alternative; boundary="=_alternative 0032BF12C1258957_="
X-FE-Last-Public-Client-IP: 141.25.87.32
X-FE-Policy-ID: 5:5:5:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=ptb.de; s=s1-ptbde; c=relaxed/relaxed; h=references:to:cc:mime-version:subject:from:message-id:date:content-type; bh=mex+4p40zPEUHGNoYdZ+sVaVOHdtcl1ucjr8HnfuEmY=; b=ItN4Js8oiVNISlKtx/hKv4UWkBy5/WCkvX11xCKyAM0uoNQ9UhPG8EDs+SL2aZwNCuA6L4ePXUh7 XCdrJsgXMwe2iZDal/u08xwjxeyevXtt2zlkFdrxmoTGXbaPVtXLcaVQ7o4JYSa44pa33cPOzPWr 5QGHqBi0wRRNp0v5nY347J9Ha3oWainwlZ5pqycnrgcW25fEH8zrzsWMMx18f07PFWdd71IZM/ER Ut+5ehNtr664hBZmFmRYmlUzeyxEZflAJS0fZRtM4NJTj0VZHIHGhD2jfdYfIfQ15hrkaPSPP+nf T4DQIYy0sAB2IY5IL/C0wJBjWID6RNX3mxSatw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/klZxtR-pLRXkLcog2ybzSj2cIx4>
Subject: Re: [Ntp] ntpv5 requirements
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2023 09:14:27 -0000
> Von: "Dieter Sibold" <dsibold.ietf@gmail.com> > Betreff: Re: [Ntp] ntpv5 requirements > > RFC 4082 describes TESLA in the context of multicast/broadcast only. > Hence, I?m not sure that the security guarantees of the TESLA > approach are valid for the client-server mode. Before thinking about > some TESLA like approach only for the sake of performance we would > need to clarify this question. Preferentially, this should be done > by a security analyst. I think we know enough about TESLA to answer this. - Yes, it is explicitly meant and designed for broadcast purposes, using it for client-server is not even close to its intended use-case - It requires/assumes rough synchronicity in the first place; and if we allow unsecured synchronisation during initialisation, we kind of defeat ourselves - Related: It has a documented weakness when used for securing time transfer messages (i.e., delay attacks affect it *much* worse than they affect other security schemes, because they can affect that assumed rough synchronicity) - It won't allow instant authentication, you have to wait out the key disclosure time; you can either wait longer before processing your time transfer message, or keep those times short and compound your security problem with the required synchronicity - It also (someone already noted this) requires initial setup exchanges with expensive crypto; and of course less-expensive symmetric crypto for time transfer messages... so what performance would we even be saving? I feel like we went to buy something to help us drive nails into a wall, don't like the hammer that's on sale, and are now wondering aloud about buying that two-man crosscut saw. > PTB enhanced all its public facing NTP servers with NTS. We observe > that NTS traffic is increasing but slowly. In case of PTB the amount > is smaller than 1% of the total traffic. Hence it should be safe for > the NIST to enable NTS also. Beside, if the amount of traffic is > going to be a problem the NTP and NTS service can also be provided > by FPGA; see for example Netnod?s NTS service. I agree completely. Between the option for separate NTS key servers and the FPGA implementation, scaling should not actually be a problem. It is just additional hardware, not something really prohibitive like a giant list of keys that needs to be managed manually; I'm just guessing around here, but maybe Judah was still thinking of that (from symmetric-key NTP security days) for some reason? > Dieter > > > Am 15.02.2023 um 04:10 schrieb Harlan Stenn <stenn@nwtime.org>: > > > > I don't see that you are disagreeing with me regarding the > "priority" of performance. > > > > And blindly following "amplification goal-stated as zero" has some > pretty onerous consequences. > > > > H > > > > On 2/14/2023 4:28 AM, kristof.teichel@ptb.de wrote: > >> The reason that scalability and performance have traditionally > been listed last in NTS documents is less that they are in any way > secondary -- and more that they follow a pattern of "...and it needs > to do all of the above in such a way that it retains scalability and > performance as far as possible". > >> (And perhaps a bit of them being quantitative goals rather than > absolute/qualitative; performance is gonna get worse with crypto > rather than without, the goal is to keep it reasonable/best possible > -- whereas e.g. amplification can be cleanly goal-stated as zero.) > >> Besten Gruß / Kind regards, > >> Kristof Teichel > >> __________________________________________ > >> Dr.-Ing. Kurt Kristof Teichel > >> Physikalisch-Technische Bundesanstalt (PTB) > >> Arbeitsgruppe 4.42 "Zeitübertragung" > >> Bundesallee 100 > >> 38116 Braunschweig (Germany) > >> Tel.: +49 (531) 592-4471 > >> E-Mail: kristof.teichel@ptb.de > >> __________________________________________ > >> Von: "Harlan Stenn" <stenn@nwtime.org> > >> An: ntp@ietf.org > >> Datum: 13.02.2023 23:29 > >> Betreff: Re: [Ntp] ntpv5 requirements > >> Gesendet von: "ntp" <ntp-bounces@ietf.org> > >> ------------------------------------------------------------------------ > >> On 2/13/2023 8:06 AM, Miroslav Lichvar wrote: > >>> On Thu, Feb 09, 2023 at 05:18:20PM +0000, Doug Arnold wrote: > >>>> For example: Judah Levine at NIST recently told me that he > cannot implement NTS with his current server resources and the number of > >> clients NIST supports. However, when I told him about TESLA he > thought a scheme based on that would be doable, as long as the keys > didn?t have to change too often. > >>> That is interesting as NTS was specifically designed to scale well to > >>> very large numbers of clients. > >> I don't recall performance in NTS as being a primary goal of the design. > >> Sure, it was listed as *a* goal, but the primary goals were around > >> "security". > >>> Is their concern about decryption > >>> and encryption of NTS-protected NTP packets, or rather TLS in NTS-KE? > >> > > >>> In 2016 they reported they had about 200k requests per second across > >>> all their servers [1]. Even if it was 100x more today and all clients > >>> were using NTS, that could still be handled by a dozen of servers with > >>> multi-core CPUs and AES acceleration. In my tests I get about 200k/s > >>> per core. > >> From what I've heard, NTS key operations take 5-10x the amount of > >> compute power beyond what NTP needs. > >>> NTS-KE traffic is more difficult to predict as it depends on the > >>> client implementations. I would be curious to see what NTS-NTP to > >>> NTS-KE request ratio do the well-known NTS providers like Cloudflare > >>> and Netnod have. > >>> [1] https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf > >> <https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf> > >> -- > >> Harlan Stenn <stenn@nwtime.org> > >> http://networktimefoundation.org <http://networktimefoundation.org/ > >- be a member! > >> _______________________________________________ > >> ntp mailing list > >> ntp@ietf.org > >> https://www.ietf.org/mailman/listinfo/ntp <https://www.ietf.org/ > mailman/listinfo/ntp> > > > > -- > > Harlan Stenn <stenn@nwtime.org> > > http://networktimefoundation.org - be a member! > > > > _______________________________________________ > > ntp mailing list > > ntp@ietf.org > > https://www.ietf.org/mailman/listinfo/ntp > > [Anhang "signature.asc" gelöscht von Kristof Teichel/PTB] > _______________________________________________ > ntp mailing list > ntp@ietf.org > https://www.ietf.org/mailman/listinfo/ntp
- [Ntp] ntpv5 requirements Doug Arnold
- Re: [Ntp] ntpv5 requirements James
- Re: [Ntp] ntpv5 requirements Dieter Sibold
- Re: [Ntp] ntpv5 requirements Miroslav Lichvar
- Re: [Ntp] ntpv5 requirements Doug Arnold
- Re: [Ntp] ntpv5 requirements Harlan Stenn
- Re: [Ntp] ntpv5 requirements Hal Murray
- Re: [Ntp] ntpv5 requirements Miroslav Lichvar
- Re: [Ntp] ntpv5 requirements kristof.teichel
- Re: [Ntp] ntpv5 requirements Doug Arnold
- Re: [Ntp] ntpv5 requirements Miroslav Lichvar
- Re: [Ntp] ntpv5 requirements Harlan Stenn
- Re: [Ntp] ntpv5 requirements Dieter Sibold
- Re: [Ntp] ntpv5 requirements kristof.teichel
- Re: [Ntp] ntpv5 requirements kristof.teichel
- Re: [Ntp] ntpv5 requirements Miroslav Lichvar
- [Ntp] Costs of running NTP servers Hal Murray
- Re: [Ntp] ntpv5 requirements Dieter Sibold
- [Ntp] Antw: [EXT] Re: ntpv5 requirements Ulrich Windl
- Re: [Ntp] Costs of running NTP servers Miroslav Lichvar
- Re: [Ntp] ntpv5 requirements Harlan Stenn
- Re: [Ntp] ntpv5 requirements kristof.teichel