[Ntp] Antwort: Re: Antwort: Re: Antwort: Re: A simpler way to secure PTP

kristof.teichel@ptb.de Tue, 11 May 2021 11:24 UTC

Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 118453A1178 for <ntp@ietfa.amsl.com>; Tue, 11 May 2021 04:24:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.281
X-Spam-Level: *
X-Spam-Status: No, score=1.281 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_SUMOF=5, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35mdv5OPqeY9 for <ntp@ietfa.amsl.com>; Tue, 11 May 2021 04:24:30 -0700 (PDT)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 011793A1174 for <ntp@ietf.org>; Tue, 11 May 2021 04:24:24 -0700 (PDT)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id 14BBOIX2011071-14BBOIX4011071 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 11 May 2021 13:24:18 +0200
Received: from lotus.bs.ptb.de (lotus.bs.ptb.de [141.25.85.200]) by smtp-hub.bs.ptb.de (Postfix) with ESMTPS id 971A7B56A08; Tue, 11 May 2021 13:24:17 +0200 (CEST)
MIME-Version: 1.0
Sensitivity:
Importance: Normal
X-Priority: 3 (Normal)
In-Reply-To: <80b7c3d3-31eb-1d10-3fe3-2e0728a3660f@tuwien.ac.at>
References: <80b7c3d3-31eb-1d10-3fe3-2e0728a3660f@tuwien.ac.at>, <3b5d7881-2cbb-02f4-30d4-4b9627a6a18b@tuwien.ac.at> <AM7PR02MB576597311CBC1EC81F961FB4CF549@AM7PR02MB5765.eurprd02.prod.outlook.com> <CAJm83bCpio5WwigY6nc9Y0Gt_XSdjUV=sHUz04dOQ0zELPwZxw@mail.gmail.com> <YJkrFjnRPJJHz9da@localhost> <AM7PR02MB57657C935D0E94D223B1D703CF549@AM7PR02MB5765.eurprd02.prod.outlook.com> <CAJm83bCRMJr4V59m97CUtOnF8Dbsg=pGPTD=n359imxUByJhVg@mail.gmail.com> <OFED5B2865.344FE7AB-ONC12586D1.005DE2E1-C12586D1.005DE2E2@ptb.de> <OF805D3048.BCF1DDFB-ONC12586D2.002EA312-C12586D2.00306891@ptb.de>
From: kristof.teichel@ptb.de
To: "Joachim Fabini" <Joachim.Fabini@tuwien.ac.at>
Cc: "Doug Arnold" <doug.arnold=40meinberg-usa.com@dmarc.ietf.org>, "Miroslav Lichvar" <mlichvar@redhat.com>, "NTP WG" <ntp@ietf.org>, "Daniel Franke" <dfoxfranke@gmail.com>
Date: Tue, 11 May 2021 13:24:15 +0200
Message-ID: <OFDC4D3624.A231C201-ONC12586D2.003EA549-C12586D2.003EA54C@ptb.de>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/pM9cUyG6YyVwuoiNa-nS91XMeLI>
Subject: [Ntp] Antwort: Re: Antwort: Re: Antwort: Re: A simpler way to secure PTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 11:24:35 -0000

Yeah, your point about max error versus (un)certainty interval makes total sense.
Thanks for clearing it up.
 

-----"Joachim Fabini" <Joachim.Fabini@tuwien.ac.at> schrieb: -----
An: <kristof.teichel@ptb.de>
Von: "Joachim Fabini" <Joachim.Fabini@tuwien.ac.at>
Datum: 11.05.2021 12:56
Kopie: "Doug Arnold" <doug.arnold=40meinberg-usa.com@dmarc.ietf.org>, "Miroslav Lichvar" <mlichvar@redhat.com>, "NTP WG" <ntp@ietf.org>, "Daniel Franke" <dfoxfranke@gmail.com>
Betreff: Re: Antwort: Re: [Ntp] Antwort: Re: A simpler way to secure PTP

On 5/11/21 10:48 AM, kristof.teichel@ptb.de wrote:
> I don't think I expressed this clearly enough:
> Your 100%* guarantee (the 100% kinda still needs an asterisk there) with
> a two-way exchange is going to be that the measurement you make of your
> time offset is wrong by at most half of your RTT (where RTT = the sum of
> the two messages' flight times).
> It's about an upper bound to the error you make in your calculation.
> The maximum of half of RTT would be taken if one message was delivered
> instantaneously and the other accounted for all of your RTT, so in
> reality, you at least know that it's really less than that (and, as
> Daniel said, you can do a few things more if you account for not
> exceeding lightspeed and a known lower bound to your physical distance).

My earlier posting to the ntp group (reply to Kurt's email) seems to be
delayed. It's about how we define "error" (I read the discussion after
having a discussion on uncertainty intervals, so was to some extent
biased...)
If it is about "the maximum deviation of my guessed offset from a
reference clock" then I'm with you, it's (+-)1/2 RTT. If it is about the
uncertainty interval it's a RTT. Apologies for the confusion.

Btw, perhaps it's worth to include a dedicated definition of error or
define an alternative unique name in one of the future docs. I briefly
skimmed over NTPv4 and NTS and error is used (in the meaning used by
you) but (imo - did not do an exhaustive search) not defined.
> With a one-way exchange, the issue is that your possible error is
> unbounded in one direction (basically because you have no way of
> asserting that the message is fresh).

Full agree.

best regards
Joachim

> See also https://ieeexplore.ieee.org/document/8357814" rel="nofollow">https://ieeexplore.ieee.org/document/8357814,
> <https://ieeexplore.ieee.org/document/8357814" rel="nofollow">https://ieeexplore.ieee.org/document/8357814,> or my dissertation.
>
>
> Best regards!
>
> * The asterisk would account for frequency differences in addition to
> time offsets.
>
>
> -----"ntp" <ntp-bounces@ietf.org <mailto:ntp-bounces@ietf.org>> schrieb:
> -----
> An: <kristof.teichel@ptb.de <mailto:kristof.teichel@ptb.de>>, "Doug
> Arnold" <doug.arnold=40meinberg-usa.com@dmarc.ietf.org
> <mailto:doug.arnold=40meinberg-usa.com@dmarc.ietf.org>>
> Von: "Joachim Fabini"
> Gesendet von: "ntp"
> Datum: 11.05.2021 09:59
> Kopie: "Miroslav Lichvar" <mlichvar@redhat.com
> <mailto:mlichvar@redhat.com>>, "NTP WG" <ntp@ietf.org
> <mailto:ntp@ietf.org>>, "Daniel Franke" <dfoxfranke@gmail.com
> <mailto:dfoxfranke@gmail.com>>
> Betreff: Re: [Ntp] Antwort: Re: A simpler way to secure PTP
>
> On 5/10/21 7:05 PM, kristof.teichel@ptb.de
> <mailto:kristof.teichel@ptb.de> wrote:
>  > @Doug: Daniel is correct; you can apply all kinds of magic, but
>  > ultimately, your hard, 100% certain guarantees are going to be at best
>  > "half of RTT" for two-way time transfer and "none at all" for one-way
>  > transfer.
>
> "At best" is too little. 100% certain guarantees (for two-way time sync)
> apply for *RTT* - and definitely *not* for half of RTT. The link
> symmetry assumption is one of the weakest point of today's network time
> synchronization protocols that malicious actors can exploit.
>
> By knowing physical link properties (delay, capacity) one can restrict
> the RTT bound and decrease the limits. However, attackers could - in
> theory and practice - exploit this assumption, too (for instance by
> inserting new (faster-than)-light-speed paths).
>
> If anyone is interested: theoretical aspects (and practical
> consequences) of securing time sync protocols against malicious actors
> can be found in an older paper (https://arxiv.org/pdf/1705.10669.pdf" rel="nofollow">https://arxiv.org/pdf/1705.10669.pdf 
> <https://arxiv.org/pdf/1705.10669.pdf" rel="nofollow">https://arxiv.org/pdf/1705.10669.pdf>)
> and in parts of the subsequent PhD thesis
> (https://www.annessi.net/data/2019-Annessi_thesis.pdf" rel="nofollow">https://www.annessi.net/data/2019-Annessi_thesis.pdf 
> <https://www.annessi.net/data/2019-Annessi_thesis.pdf" rel="nofollow">https://www.annessi.net/data/2019-Annessi_thesis.pdf>).
>
> regards
> Joachim
>
>
>  >
>  > -----"ntp" <ntp-bounces@ietf.org <mailto:ntp-bounces@ietf.org>
> <mailto:ntp-bounces@ietf.org <mailto:ntp-bounces@ietf.org>>> schrieb:
>  > -----
>  > An: "Daniel Franke" <dfoxfranke@gmail.com
> <mailto:dfoxfranke@gmail.com> <mailto:dfoxfranke@gmail.com 
> <mailto:dfoxfranke@gmail.com>>>
>  > Von: "Doug Arnold"
>  > Gesendet von: "ntp"
>  > Datum: 10.05.2021 18:19
>  > Kopie: "Miroslav Lichvar" <mlichvar@redhat.com
> <mailto:mlichvar@redhat.com>
>  > <mailto:mlichvar@redhat.com <mailto:mlichvar@redhat.com>>>, "NTP WG"
> <ntp@ietf.org <mailto:ntp@ietf.org> <mailto:ntp@ietf.org 
> <mailto:ntp@ietf.org>>>
>  > Betreff: Re: [Ntp] A simpler way to secure PTP
>  >
>  > Many of the applications of PTP I know of require time transfer accuracy
>  > better than half the RTT.  This is achieved using a variety of
>  > mechanisms, including:
>  >
>  >   * On-path support
>  >
>  >   * High message rates + lucky packet filters
>  >
>  >   * Synchronous Ethernet
>  >
>  >   * Networks with lightly loaded switches
>  >
>  >   * Preemptive switches
>  >
>  >   * Asymmetry calibration
>  >
>  >   * Multiple PTP domains with different paths to devices needing time
>  >
>  >   * Multiple sources of time, that is PTP, plus other non-PTP time
>  >     transfer mechanisms in a redundant system
>  >
>  > A switch in the middle could mount a delay attack, which is of course
>  > immune to cryptography, but the risk could be reduced by
>  > non-cryptographic defenses such as time source, or network path
> redundancy.
>  >
>  > NTS4PTP could help against malicious agents which have gained access to
>  > the network and start sending bogus PTP messages, for example
>  > impersonating the Grandmaster.
>  >
>  > Doug
>  >
>  > *From: *Daniel Franke <dfoxfranke@gmail.com
> <mailto:dfoxfranke@gmail.com> <mailto:dfoxfranke@gmail.com 
> <mailto:dfoxfranke@gmail.com>>>
>  > *Date: *Monday, May 10, 2021 at 11:21 AM
>  > *To: *Doug Arnold <doug.arnold@meinberg-usa.com
> <mailto:doug.arnold@meinberg-usa.com>
>  > <mailto:doug.arnold@meinberg-usa.com 
> <mailto:doug.arnold@meinberg-usa.com>>>
>  > *Cc: *Miroslav Lichvar <mlichvar@redhat.com <mailto:mlichvar@redhat.com>
>  > <mailto:mlichvar@redhat.com <mailto:mlichvar@redhat.com>>>, NTP WG
> <ntp@ietf.org <mailto:ntp@ietf.org> <mailto:ntp@ietf.org 
> <mailto:ntp@ietf.org>>>
>  > *Subject: *Re: [Ntp] A simpler way to secure PTP
>  >
>  > On Mon, May 10, 2021 at 10:43 AM Doug Arnold
>  > <doug.arnold@meinberg-usa.com <mailto:doug.arnold@meinberg-usa.com>
> <mailto:doug.arnold@meinberg-usa.com 
> <mailto:doug.arnold@meinberg-usa.com>>> wrote:
>  >
>  >     I have heard of people actually doing this in the field as a sanity
>  >     check.
>  >
>  >     However, some applications that use PTP can be broken by introducing
>  >     timing errors that are less than the expected difference between PTP
>  >     and NTP.
>  >
>  > You cannot solve this with cryptography. An adversarial network is, by
>  > definition, one where you can't rely on statistical behavior and can't
>  > neglect the probability of worst-case outcomes. The worst-case outcome
>  > for any unicast protocol is going to be at least half the measured RTT,
>  > and for a broadcast protocol the worst case is unbounded. As I've
>  > mentioned before, you can improve this a little bit if you know a lower
>  > bound on the physical distance `d` between the client and server, in
>  > which case you can shrink each of your bounds by `d/c` where `c` is the
>  > speed of light, but this still won't get you anywhere near the kind of
>  > precision you have in mind. If worst-case, let alone typical-case,
>  > NTS4NTP behavior is going to break your application in critical ways,
>  > then you MUST have a physically-secure link to your time source. If you
>  > have an adversary on your communication path, you're just screwed and
>  > cryptography can't save you.
>  >
>  > _______________________________________________
>  > ntp mailing list
>  > ntp@ietf.org <mailto:ntp@ietf.org> <mailto:ntp@ietf.org 
> <mailto:ntp@ietf.org>>
>  > https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp 
> <https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp>
>  > <https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp 
> <https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp>>
>  >
>  > _______________________________________________
>  > ntp mailing list
>  > ntp@ietf.org <mailto:ntp@ietf.org>
>  > https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp 
> <https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp>
>  >
>
> --
> ---------------------------------------
> Dr. Joachim Fabini
> Senior Scientist
> Institute of Telecommunications
> TU Wien
> Gusshausstrasse 25/E389
> A-1040 Vienna, Austria
> Tel: +43 1 58801-38813
> mailto: Joachim.Fabini@tuwien.ac.at <mailto:Joachim.Fabini@tuwien.ac.at>
> ---------------------------------------
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org <mailto:ntp@ietf.org>
> https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp 
> <https://www.ietf.org/mailman/listinfo/ntp" rel="nofollow">https://www.ietf.org/mailman/listinfo/ntp>

--
---------------------------------------
Dr. Joachim Fabini
Senior Scientist
Institute of Telecommunications
TU Wien
Gusshausstrasse 25/E389
A-1040 Vienna, Austria
Tel: +43 1 58801-38813
mailto: Joachim.Fabini@tuwien.ac.at
---------------------------------------