Re: [Ntp] ntpv5 requirements

Harlan Stenn <stenn@nwtime.org> Mon, 13 February 2023 22:29 UTC

Message-ID: <2bbcdc7b-a47c-8421-0278-0ac364faaeea@nwtime.org>
Date: Mon, 13 Feb 2023 14:29:22 -0800
To: ntp@ietf.org
References: <DB8PR02MB5772E45732B25646F7CAE211CFD99@DB8PR02MB5772.eurprd02.prod.outlook.com> <Y+pgBgc/5dJ9wtAP@localhost>
From: Harlan Stenn <stenn@nwtime.org>
In-Reply-To: <Y+pgBgc/5dJ9wtAP@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/qE8lEw1PiRbmWRNAOJhBBHHZZMo>
Subject: Re: [Ntp] ntpv5 requirements

On 2/13/2023 8:06 AM, Miroslav Lichvar wrote:
> On Thu, Feb 09, 2023 at 05:18:20PM +0000, Doug Arnold wrote:
>> For example: Judah Levine at NIST recently told me that he cannot implement NTS with his current server resources and the number of clients NIST supports.  However, when I told him about TESLA he thought a scheme based on that would be doable, as long as the keys didn’t have to change too often.
> 
> That is interesting as NTS was specifically designed to scale well to
> very large numbers of clients.

I don't recall performance in NTS as being a primary goal of the design.

Sure, it was listed as *a* goal, but the primary goals were around 
"security".

> Is their concern about decryption
> and encryption of NTS-protected NTP packets, or rather TLS in NTS-KE?
>
> In 2016 they reported they had about 200k requests per second across
> all their servers [1]. Even if it was 100x more today and all clients
> were using NTS, that could still be handled by a dozen of servers with
> multi-core CPUs and AES acceleration. In my tests I get about 200k/s
> per core.

From what I've heard, NTS key operations take 5-10x the amount of
compute power beyond what NTP needs.

> NTS-KE traffic is more difficult to predict as it depends on the
> client implementations. I would be curious to see what NTS-NTP to
> NTS-KE request ratio do the well-known NTS providers like Cloudflare
> and Netnod have.
> 
> [1] https://nvlpubs.nist.gov/nistpubs/jres/121/jres.121.003.pdf
> 

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!