[ntpwg] Antwort: Re: NTS: DTLS and symmetric mode
dieter.sibold@ptb.de Tue, 01 August 2017 15:04 UTC
From: dieter.sibold@ptb.de
To: Miroslav Lichvar <mlichvar@redhat.com>
Cc: ntpwg <ntpwg@lists.ntp.org>, ntpwg <ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org>
Date: Tue, 01 Aug 2017 17:04:32 +0200
Subject: [ntpwg] Antwort: Re: NTS: DTLS and symmetric mode
Message-ID: <OF0EDC79E2.6AA3BA5D-ONC125816F.004FDACC-C125816F.0052D03C@ptb.de>
In-Reply-To: <20170801073854.GB2346@localhost>
References: <707deca2-9037-c9fc-69bc-71ee80cb4c97@nwtime.org> <CAJm83bBjUU_PHhOcH4Sa7LdE2JEN3wojmXTWv_F_nnnRQz61Rw@mail.gmail.com> <c251d5c2-ae87-7c66-7b08-f3bc68680be8@nwtime.org> <CAJm83bA+vJjq74pKBJKRHbqG2W9rJi3HRU48go=cws92gx6DBw@mail.gmail.com> <20170801073854.GB2346@localhost>
Hi Miroslav,

see my comments below.

"ntpwg" <ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org> wrote on 01.08.2017 09:38:54:

> From: Miroslav Lichvar <mlichvar@redhat.com>
> To: Daniel Franke <dfoxfranke@gmail.com>
> Cc: ntpwg <ntpwg@lists.ntp.org>
> Date: 01.08.2017 09:39
> Subject: Re: [ntpwg] NTS: DTLS and symmetric mode
> Sent by: "ntpwg" <ntpwg-bounces+dieter.sibold=ptb.de@lists.ntp.org>
>
> On Mon, Jul 31, 2017 at 02:59:30PM -0400, Daniel Franke wrote:
> > On 7/31/17, Harlan Stenn <stenn@nwtime.org> wrote:
> > > Is DTLS well-suited for symmetric associations, which require mutual
> > > authentication?
> >
> > Yes. DTLS supports mutual authentication through the use of client
> > certificates or pre-shared keys.
>
> That will work nicely for an active-passive association, but I'm still
> not sure about active-active associations. You said the source port of
> a DTLS client is supposed to be random. How will an active peer know
> that an incoming connection corresponds to a peer it has already
> connected to or it's trying to connect to? With symmetric keys/autokey
> it was possible to have multiple associations with the same IP address
> (e.g. multiple machines behind NAT).
>
> I think a bigger problem with NTP over DTLS might be that timing
> messages are sent on a different port than 123 and are encrypted. This
> makes it incompatible with existing HW/configuration and future NTP
> extensions.
>
> Here is the list of issues I posted previously (with no response) [1]:
>
> - no stateless passive mode
> - problematic pairing of DTLS sessions

Daniel considered this question. He provided a discussion in Sec. 4 of the current NTS draft (version -09).

> - requires timestamping of messages on a new port

I don't understand the issue with this.

> - won't work with HW which can timestamp only packets on port 123
>   (or 319)

Yes, but the vast majority of NTP servers and clients don't use HW-based time stamping.

Also note that HW-based time stamping is going to be difficult for mode 3 and 4 packets also. These packets are protected by NTS extension fields, and HW time stamping NICs are not able to calculate the NTS AEAD information (at least currently).

> - will require changes in QoS classification on routers/switches

Yes, this is true.

> - won't work with future NTP extensions for delay corrections in
>   routers/switches

That is probably true. But I don't see the use case for this. Typically you apply symmetric mode in a closed environment. If you require the additional accuracy of delay corrections in routers/switches you would apply PTP, which already provides these features.

> [1] http://lists.ntp.org/pipermail/ntpwg/2017-June/003307.html
>
> --
> Miroslav Lichvar
> _______________________________________________
> ntpwg mailing list
> ntpwg@lists.ntp.org
> http://lists.ntp.org/listinfo/ntpwg
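The point above about timestamping NICs and NTS-protected mode 3/4 packets can be made concrete with a small model. The following is an added example, not code from the thread or from any NTS implementation: it lays out a 48-byte NTPv4 header with the transmit timestamp at offset 40 (RFC 5905), appends a constructed extension field, and stands in for the NTS authenticator with an HMAC-SHA256 tag (an assumption for illustration; real NTS uses a negotiated AEAD, and the extension-field bytes and key are constructed). A NIC that overwrites the transmit timestamp as the frame leaves, after the host has already computed the authenticator, produces a packet that the peer rejects, which is exactly why the NIC would have to compute the NTS authenticator itself.

```python
import hashlib
import hmac
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
TAG_LEN = 16  # truncated tag length used by the stand-in authenticator


def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac)


def build_header(mode: int, transmit_ts: bytes) -> bytes:
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, the given mode, stratum 2,
    poll 6, precision -20; root delay/dispersion, reference id and the
    reference/origin/receive timestamps are zeroed for brevity."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    header = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)
    header += b"\x00" * 12        # root delay, root dispersion, reference id
    header += b"\x00" * 24        # reference, origin, receive timestamps
    return header + transmit_ts   # transmit timestamp occupies bytes 40..47


def authenticate(key: bytes, header: bytes, ext_fields: bytes) -> bytes:
    """Stand-in for the NTS authenticator: a tag over the header and all
    preceding extension fields (assumption: HMAC-SHA256, not a real NTS AEAD).
    Returns header || ext_fields || tag, i.e. the packet as put on the wire."""
    tag = hmac.new(key, header + ext_fields, hashlib.sha256).digest()[:TAG_LEN]
    return header + ext_fields + tag


def verify(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the tag over everything before it and compare."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def hw_stamp_after_auth(packet: bytes, wire_time: float) -> bytes:
    """Model a timestamping NIC: it overwrites the transmit timestamp (header
    bytes 40..47) as the frame leaves, after the host appended the authenticator."""
    return packet[:40] + ntp_timestamp(wire_time) + packet[48:]


def demo(key: bytes, host_time: float, wire_time: float) -> tuple:
    """Build an NTS-style mode 4 packet stamped by the host at host_time, then
    let the NIC restamp it at wire_time. Returns (host_packet_ok, nic_packet_ok)."""
    # Constructed placeholder extension field: type, length, 4 bytes of value.
    ext = b"\x01\x04\x00\x08\x00\x00\x00\x00"
    header = build_header(4, ntp_timestamp(host_time))
    packet = authenticate(key, header, ext)
    restamped = hw_stamp_after_auth(packet, wire_time)
    return verify(key, packet), verify(key, restamped)


if __name__ == "__main__":
    key = b"k" * 32  # constructed key
    ok_host, ok_nic = demo(key, 1500000000.0, 1500000000.001)
    print("host-stamped packet verifies:", ok_host)   # True
    print("NIC-restamped packet verifies:", ok_nic)   # False
```

The restamped packet fails only because the timestamp the NIC inserted differs from the one the authenticator covered; if the NIC wrote back exactly the host's value the tag would still match, which is why `demo(key, t, t)` returns `(True, True)`. Moving the timestamp outside the authenticated region would instead leave it unprotected, so the trade-off the message describes is inherent to putting the authenticator after the header.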