Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
Heiko Gerstung <heiko.gerstung@meinberg.de> Mon, 08 March 2021 18:11 UTC
Date: Mon, 08 Mar 2021 19:11:33 +0100
Message-Id: <EEFAEC87-C1CD-426B-A948-E0AC5C8E7085@meinberg.de>
References: <cf069a4c93b349889290b8b382e53ce7@ostfalia.de>
Cc: NTP WG <ntp@ietf.org>
In-Reply-To: <cf069a4c93b349889290b8b382e53ce7@ostfalia.de>
To: "Langer, Martin" <mart.langer@ostfalia.de>
From: Heiko Gerstung <heiko.gerstung@meinberg.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/lVNJNz6hFQkFB0eYd3SyW6lUxKA>
Martin, if the term cookie implies outsourcing state information for you, that's fine. As I wrote earlier, there is no state information required in the cookie in the proposed approach, just like with NTS4NTP it only contains the keys, a nonce and the algorithm. The state is stored ('outsourced' to) in the unicast GM.

Regards,
Heiko

--
Heiko Gerstung
Managing Director

MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone: +49 (0)5281 9309-404
Fax: +49 (0)5281 9309-9404

Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung

Email: heiko.gerstung@meinberg.de
Web: Deutsch https://www.meinberg.de
English https://www.meinbergglobal.com

Do not miss our Time Synchronization Blog: https://blog.meinbergglobal.com
Connect via LinkedIn: https://www.linkedin.com/in/heikogerstung

> On 08.03.2021 at 18:05, Langer, Martin <mart.langer@ostfalia.de> wrote:
>
> Of course, I am also in favor of a solution that is as simple as possible. Especially since our NTS4PTP design is already quite complex. But we cannot jeopardize the security.
>
> Whether 'ticket' or 'cookie' is a question of context and requirements. The term cookie implies state outsourcing for me. And ticket is to me a data set to get access to a resource. Much more interesting is the question of what data needs to be exchanged and why.
>
> I am currently under stress and thus I can only respond with some delay. We should deal with everything objectively and contrast solutions if necessary. I am thinking if Etherpad would be a possibility to present something like this in a better way.
>
> -martin-
>
> -------------------
> Martin Langer, M.Eng.
> Ostfalia Hochschule für angewandte Wissenschaften
> - Hochschule Braunschweig/Wolfenbüttel
> University of Applied Sciences
>
> Labor Datentechnik, Labor Design Digitaler Systeme
> Fakultät Elektrotechnik
> Salzdahlumer Straße 46/48
> 38302 Wolfenbüttel
> Germany
>
> Tel.: +49 5331 939 43370
> Web: https://www.ostfalia.de/cms/de/pws/bermbach/mitarbeiter/martin-langer
>
> From: Doug Arnold <doug.arnold@meinberg-usa.com>
> Sent: Monday, 8 March 2021 17:38
> To: Heiko Gerstung; Dieter Sibold; Miroslav Lichvar
> Cc: Watson Ladd; NTP WG; Langer, Martin
> Subject: Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
>
> Most PTP Grandmasters are also NTP servers. So we should think about how to efficiently implement such time servers, not PTP Grandmasters and NTP servers separately.
>
> Doug
>
> From: ntp <ntp-bounces@ietf.org> on behalf of Heiko Gerstung <heiko.gerstung=40meinberg.de@dmarc.ietf.org>
> Date: Monday, March 8, 2021 at 11:32 AM
> To: Dieter Sibold <dsibold.ietf@gmail.com>, Miroslav Lichvar <mlichvar@redhat.com>
> Cc: Watson Ladd <watsonbladd@gmail.com>, NTP WG <ntp@ietf.org>, Langer, Martin <mart.langer@ostfalia.de>
> Subject: Re: [Ntp] Comments on draft-langer-ntp-nts-for-ptp
>
> On 08.03.21, 13:13, "Dieter Sibold" <dsibold.ietf@gmail.com> wrote:
>
> > On 8 Mar 2021, at 12:14, Miroslav Lichvar wrote:
> >
> > > On Mon, Mar 08, 2021 at 11:43:29AM +0100, Heiko Gerstung wrote:
> > >> As far as I can see, up until this point the mechanism can be very similar to NTS4NTP. We most probably need a different cookie format, but the rest should be OK. Once we did 1 + 2, the unicast master will start the PTP packet transmission to the authenticated (via the cookie) PTP client. The client will also start sending Delay Req packets and requires the GM to respond with unicast delay responses.
> > >>
> > >> During this packet transmission phase I propose to use the S2C to secure the packets from the GM to the client (ANNOUNCE, SYNC, DELAY_RESP) and the C2S key to secure the packets from the NTS/PTP client to the GM (i.e. DELAY_REQ).
> > >
> > > I don't think it makes sense to use NTS cookies in PTP, even if you limit the NTS support to the unicast mode. The main point of the cookies is to avoid having client-specific state on the server. That's not possible in PTP as announce and sync messages are not responses to requests. They are sent at their own interval, which can be different from the delay request interval.
> > >
> > > In PTP there has to be some client-specific state and the clients need to be authenticated. Very different from NTS-for-NTP.
> >
> > I agree with Miroslav. There is already state information defined in the IEEE 1588-2019 version in the context of the Authentication TLV. It should be possible to use them also for this purpose. This would make things easier compared to offload state information via cookies to the slaves and would minimize computational for the master.
>
> A PTP unicast master can respond to 128 delay req/s and send 128 sync packets per second to each slave, we are talking quite powerful machines here and I do not think we have to store state information in the cookie.
>
> A client - just like with NTS4NTP - uses the cookies it gets from the NTS-KE server to authenticate itself vs the unicast GM. The cookies basically provide proof that the client successfully communicated with the NTS-KE and correctly ran phase 1. We would need a little bit of extra state information that needs to be stored on the unicast GM (which already stores state information for every client that successfully requested a unicast transmission).
>
> My biggest point here is this: yes, it would be possible to design a more lean and more efficient protocol for PTP because PTP already requires some state information being stored on the server. But I believe that this would only save an insignificant number of bytes and CPU cycles on the GM and also on the unicast PTP client. As a benefit, we would get something that is close to how NTS4NTP works, allowing simpler implementation (the NTS-KE part is almost identical and an NTS-KE server would only require some minor modifications to work with unicast PTP clients) and a much faster adoption by the PTP hardware vendors.
>
> Regards,
> Heiko
>
> > > --
> > > Miroslav Lichvar
> > >
> > > _______________________________________________
> > > ntp mailing list
> > > ntp@ietf.org
> > > https://www.ietf.org/mailman/listinfo/ntp
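The split Heiko argues for in this thread, as an added model that is not code from the thread, the draft or any implementation: the cookie carries only the AEAD id and the C2S/S2C keys, sealed under the GM's own master key, the GM keeps the per-client unicast grant itself, and each PTP message is tagged under the key for its direction. Assumptions of the model: a constructed 16-byte master key and 16-byte session keys, AES-GCM for the cookie, and HMAC-SHA256 standing in for the negotiated AEAD on PTP messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// Keys is the whole cookie payload, as in NTS4NTP: AEAD id plus C2S and S2C keys (16 bytes each here).
type Keys struct{ Alg byte; C2S, S2C []byte }
// gcm wraps the GM's cookie master key; the model uses a constructed 16-byte key, so neither call fails.
func gcm(master []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(master)
	a, _ := cipher.NewGCM(blk)
	return a
}
// SealCookie (NTS-KE side): nonce || AES-GCM(master, nonce, alg||c2s||s2c). No client state inside.
func SealCookie(master []byte, k Keys) []byte {
	a := gcm(master)
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, append(append([]byte{k.Alg}, k.C2S...), k.S2C...), nil)
}
// OpenCookie (GM side): a forged, tampered or truncated cookie is rejected and earns no grant.
func OpenCookie(master, cookie []byte) (Keys, bool) {
	a := gcm(master)
	if n := a.NonceSize(); len(cookie) >= n {
		if pt, err := a.Open(nil, cookie[:n], cookie[n:], nil); err == nil && len(pt) == 33 {
			return Keys{pt[0], pt[1:17], pt[17:33]}, true
		}
	}
	return Keys{}, false
}
// Grants is the GM's per-client state: ANNOUNCE/SYNC go out on their own interval, not as replies, so keys are kept here.
type Grants map[string]Keys
// Admit stores a client's keys only once its cookie proves it completed NTS-KE (phase 1).
func (g Grants) Admit(master []byte, client string, cookie []byte) bool {
	k, ok := OpenCookie(master, cookie)
	if ok {
		g[client] = k
	}
	return ok
}
// mac stands in for the negotiated AEAD on PTP messages (HMAC-SHA256, an assumption of this model).
func mac(key, msg []byte) []byte { m := hmac.New(sha256.New, key); m.Write(msg); return m.Sum(nil) }

// GM->client messages (ANNOUNCE, SYNC, DELAY_RESP) are tagged under S2C, client->GM (DELAY_REQ) under C2S.
func (k Keys) TagS2C(msg []byte) []byte { return mac(k.S2C, msg) }
func (k Keys) TagC2S(msg []byte) []byte { return mac(k.C2S, msg) }
```

A client without a grant never gets a tagged ANNOUNCE or SYNC, and a cookie minted for another GM's master key, or altered in transit, creates no grant at all.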