Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption

Heiko Gerstung <> Tue, 01 June 2021 14:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 40EA23A19AC for <>; Tue, 1 Jun 2021 07:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KNk6JJz6dktn for <>; Tue, 1 Jun 2021 07:18:15 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A42943A19A7 for <>; Tue, 1 Jun 2021 07:18:15 -0700 (PDT)
Received: from (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 0B2F671C01C1; Tue, 1 Jun 2021 16:18:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dkim; t=1622557093; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=6MU0zGP64k8FwTeYYPGVUcqBTkRKo0DIHrV8To0ZxHc=; b=PalocafEUaF1n2J2as2Crf3CepNcEpKPsoelZivDb9QsA30svoiTclMjGJ2w6Nq87DwTnK LzriteEAQoEWBhWasufr3EBQ1UIZwovmeD5Y402GBg2tgMrfMENNXG/yeYZesmFC4twdRD 9UweGlfVpeetfljKth3aS7k0YDh7JrNCu1VaNPEY/AARyoBKKoHBc2R5C2o09RbEU3UxHG HlFJPqlvo8ZmByvA4wMizTCrnoaehtvWeEcnVrOCW8PtJNinCtnbIQ5rDRtGdUbQ7XiGyU WSbQDxtYwkzXGgyQN99rx7KWCr3Yruj8EmqIa844+QanWkI8g3IGuRaWhYJx0w==
Received: from ( []) (using TLSv1.3 with cipher AEAD-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS; Tue, 1 Jun 2021 16:18:12 +0200 (CEST)
X-Footer: bWVpbmJlcmcuZGU=
User-Agent: Microsoft-MacOutlook/16.49.21050901
Date: Tue, 1 Jun 2021 16:18:09 +0200
Message-ID: <>
Thread-Topic: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
References: <> <YLYCLIEA4/unB6/5@localhost> <> <YLYheZYTSflAdlrF@localhost> <> <YLY3f2/5k1Hjebf7@localhost>
In-Reply-To: <YLY3f2/5k1Hjebf7@localhost>
Importance: Normal
X-Priority: 3
Thread-Index: AZ2x3tU+MTY2Mzc3M2Q1NjU3YjNiNw==
From: Heiko Gerstung <>
To: Miroslav Lichvar <>
Cc: "" <>
X-SM-outgoing: yes
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----85C5EB9B54F578F2597848EE1C1A1440"
Archived-At: <>
Subject: Re: [Ntp] NTS4UPTP Rev 03 - Formal request for WG adoption
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 01 Jun 2021 14:18:21 -0000

> Am 01.06.21, 15:35 schrieb "Miroslav Lichvar" <>om>:
> On Tue, Jun 01, 2021 at 02:48:32PM +0200, Heiko Gerstung wrote:
>> > Am 01.06.21, 14:01 schrieb "Miroslav Lichvar" <>om>:
>> > Can you please elaborate? My (limited) understanding of DTLS is that
>> > it would address the attacks. It has a 48-bit sequence number to
>> > protect against replays and client authentication comes from TLS.
>> I understood that you want to use DTLS to exchange the symmetric keys used
>> to calculate the ICV of the unencrypted event messages. This unfortunately does
>> not address the replay/amplification vulnerability of the unicast negotiation p
>> rotocol itself, it just protects against replaying the DTLS messages.
> The idea is that DTLS protects everything except the sync and delay
> request messages. The unicast negotiation would be protected, of
> course.

OK, that is something you have to describe in detail. 

>> I most probably know much less about DTLS than you, Miroslav. For example,
>> I do not know whether this requires asymmetric cryptography in every message or
>> just at the beginning in the handshake. However, I am pretty sure that DTLS can
>> be used to securely exchange the symmetric keys instead of using TLS in the NTS
>> -KE phase.
> DTLS is just a datagram-based version of TLS. Asymmetric crypto is
> needed only on start. Performance would certainly not be an issue. I
> suspect you are already reinventing some of its wheels, like the
> replay protection.

OK, thanks for the explanation, I expected this to be the case but was not sure. And yes, we had to come up with solutions for replay protection etc. which most probably have been describe in a similar format. 

>> As I tried to explain earlier, our intention with this draft was to stay c
>> lose to NTS4NTP to enable implementors to re-use code and allow users to combine
>> the required infrastructure for NTS4NTP and NTS4UPTP. I fully agree that other
>> protocols and security mechanisms would do the trick as well, but I believe that
>> the name "Network Time Security" indicates that it has a good chance of being a
>> better fit for securing a network time sync protocol. And, according to our res
>> earch and our experience regarding network time synchronization, we came to the
>> conclusion that this is the case for unicast PTP.
> Ok, if you need as much of NTS4NTP as possible and at the same time
> keep accuracy provided by hardware timestamping as is supported in
> current hardware, I think the solution is simple: NTS4NTP over PTP.

> You can wrap NTP messages in a PTP event message to get hardware
> timestamps and keep all the benefits of NTS4NTP. It seems your plan is
> to provide NTS4NTP in any case. Do you see any disadvantages?

Yes, because unicast PTP does not work in the same way as NTP. NTP is based on a request/response exchange while unicast PTP is not. I would certainly be possible to put NTP4NTS messages into PTP, but that would have the same drawback that I see with Daniel's proposal to use NTP4NTS to secure the time error of PTP: you need to setup an NTS4NTP infrastructure and basically run two sync protocols plus one security/key exchange protocol in parallel. NTS4UPTP only requires you to run one sync protocol and a key exchange protocol. 

I would also not be happy with the efficiency, because an NTS4NTP packet probably has some redundant or unnecessary information in it that is not required when I run unicast PTP. And, the other way around, adding a full "dummy" PTP packet header to enable using the hw timestamping engine to hardware timestamp my NTS4NTP packets is a waste of bandwidth and CPU cycles. 

Such a NTS4NTP protocol also does not address the other advantage that unicast PTP has over NTP: higher packet rates. You can change that too, of course. In the end you created a third time sync protocol which to me looks more like a Frankenstein monster version of NTP/PTP and is a completely different beast. It will be neither compliant to NTP, nor PTP. It may work and add more accuracy to NTP4NTS, but has nothing to do with PTP. And yes, you can argue that nobody needs PTP anymore in that case, but I am not sure it will be a pleasant discussion.

> This would be a very short draft and it would be useful even for
> plain NTP without NTS. I think I'll give it a shot.

Why not. But again, this is not solving the problem of securing unicast PTP and therefore can be a nice addition to NTP/NTS4NTP, but addresses a different topic than what we proposed. 


Heiko Gerstung 
Managing Director 
MEINBERG® Funkuhren GmbH & Co. KG 
Lange Wand 9 
D-31812 Bad Pyrmont, Germany 
Phone: +49 (0)5281 9309-404 
Fax: +49 (0)5281 9309-9404 
Amtsgericht Hannover 17HRA 100322 
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung 
Do not miss our Time Synchronization Blog:
Connect via LinkedIn: