Re: [Ntp] NTPv5 draft

Miroslav Lichvar <mlichvar@redhat.com> Tue, 01 December 2020 10:03 UTC

Date: Tue, 01 Dec 2020 11:03:05 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Dieter Sibold <dsibold.ietf@gmail.com>
Cc: ntp@ietf.org
Message-ID: <20201201100305.GK1900232@localhost>
References: <20201111161947.GG1559650@localhost> <AA848C67-CFB7-43FC-B190-FD3911360373@gmail.com> <20201201081203.GB1900232@localhost> <2B8C7410-DFA7-4A87-A33E-F50FFA96D0F9@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/ochPMVaWdJfntGcKSR-U0M4SAqM>

On Tue, Dec 01, 2020 at 10:51:22AM +0100, Dieter Sibold wrote:
> On 1 Dec 2020, at 9:12, Miroslav Lichvar wrote:
> > You mean to require all NTP packets to be authenticated? I don't like
> > that idea. The improvements in NTPv5 are orthogonal to authentication.
> > NTPv5 is not supposed to be more secure. An NTP client that doesn't
> > want to implement the complexity of NTS shouldn't be restricted to
> > NTPv4.
> > 
> 
> Yes, I would propose that by default each NTP packet has to be
> authenticated. Not using security should be an active decision! I don’t
> think that security and increased time sync performance have to be
> orthogonal. The 2-step approach could provide better time sync performance
> and security.

Ok, so if the draft said something like "NTP clients SHOULD use
authentication", would that work for you? Ultimately, it would be up
to the client's default configuration whether authentication is
enabled or not.

> > Isn't that the NTP root delay and dispersion? Together they provide an
> > estimate of the maximum error in the receive and transmit timestamp.
> 
> Uncertainty and maximum error are different. The uncertainty interval will
> always be smaller than or equal to the max. error.

Can you describe an example of how the server would determine the
uncertainty?

-- 
Miroslav Lichvar
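As an added illustration of the root delay / root dispersion point raised in the exchange above (this is example code written for this page, not code from the thread, from chrony, or from the NTPv5 draft): the snippet below builds a constructed NTPv4 server reply, parses it per the RFC 5905 header layout, computes the client's offset and round-trip delay from the four timestamps, and combines the server's root delay and root dispersion with the measured delay into a maximum-error bound around the offset. The timestamp values, the stratum and the root delay / dispersion figures are all made up for the example; the bound omits the local precision and dispersion terms that RFC 5905's synchronization distance also includes. The origin-timestamp match is the ordinary unauthenticated sanity check an NTP client performs; it is not a substitute for NTS.

```python
"""Parse an NTPv4 server reply and bound the client's clock error.

Added example with constructed input; not code from the NTP working group thread.
"""
import struct
from fractions import Fraction

# RFC 5905 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps (48 bytes).
NTP_PACKET = struct.Struct("!BBBbII4sQQQQ")


def to_short(seconds: Fraction) -> int:
    """Encode seconds in NTP short format (16-bit seconds, 16-bit fraction)."""
    return int(seconds * 65536)


def from_short(value: int) -> Fraction:
    return Fraction(value, 65536)


def to_ts(seconds: Fraction) -> int:
    """Encode seconds since 1900 as a 64-bit NTP timestamp (32.32 fixed point)."""
    sec = int(seconds)
    return (sec << 32) | int((seconds - sec) * (1 << 32))


def from_ts(value: int) -> Fraction:
    return Fraction(value >> 32) + Fraction(value & 0xFFFFFFFF, 1 << 32)


def build_server_reply(stratum, root_delay, root_disp, t1, t2, t3) -> bytes:
    """Construct a mode-4 (server) NTPv4 reply; used only to make the sample input."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, Mode=4
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -23,
                           to_short(root_delay), to_short(root_disp),
                           b"GPS\x00",                # reference ID (made up)
                           to_ts(t2 - 16),            # reference timestamp
                           to_ts(t1), to_ts(t2), to_ts(t3))


def parse_reply(data: bytes) -> dict:
    """Decode the fixed 48-byte header of an NTP packet into a dict of fields."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (lvm, stratum, poll, precision, rdelay, rdisp, refid,
     _ref_ts, org_ts, rec_ts, xmt_ts) = NTP_PACKET.unpack_from(data)
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": lvm & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": from_short(rdelay), "root_dispersion": from_short(rdisp),
        "refid": refid,
        "t1": from_ts(org_ts),   # origin: echo of the client's transmit time
        "t2": from_ts(rec_ts),   # server receive time
        "t3": from_ts(xmt_ts),   # server transmit time
    }


def bound_offset(reply: dict, t1: Fraction, t4: Fraction) -> dict:
    """Offset/delay from the four timestamps plus a max-error bound on the offset."""
    if reply["mode"] != 4:
        raise ValueError("not a server (mode 4) reply")
    if reply["stratum"] == 0:
        raise ValueError("stratum 0: unsynchronized server or kiss-o'-death")
    if reply["t1"] != t1:
        # Weak replay/spoof check only: an on-path attacker can still forge this.
        raise ValueError("origin timestamp does not match our request")
    t2, t3 = reply["t2"], reply["t3"]
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    # What root delay and root dispersion provide: a bound on how far the
    # server's own timestamps may be from true time.
    server_max_error = reply["root_dispersion"] + reply["root_delay"] / 2
    # Add the client's own path asymmetry bound (half the measured round trip).
    max_error = server_max_error + delay / 2
    return {"offset": offset, "delay": delay,
            "server_max_error": server_max_error, "max_error": max_error,
            "interval": (offset - max_error, offset + max_error)}


# Constructed exchange: client 0.25 s behind the server, 1/128 s one-way delay,
# 1/512 s server processing time. Exact binary fractions keep the arithmetic exact.
T1 = Fraction(3815805791)            # NTP-era seconds, client transmit
T2 = T1 + Fraction(33, 128)
T3 = T1 + Fraction(133, 512)
T4 = T1 + Fraction(9, 512)
SAMPLE_REPLY = build_server_reply(2, Fraction(1, 32), Fraction(1, 256), T1, T2, T3)


def demo() -> dict:
    return bound_offset(parse_reply(SAMPLE_REPLY), T1, T4)


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, tuple(map(float, val)) if isinstance(val, tuple) else float(val))
```

With these inputs the measured offset is exactly 0.25 s and the round trip 1/64 s; the server's root delay (1/32 s) and root dispersion (1/256 s) contribute 5/256 s of maximum error, and the client's half round trip adds another 2/256 s, so the offset is bounded to within 7/256 s. Whether a tighter "uncertainty" interval can be derived from the same exchange is exactly the question left open in the message above.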