Re: [Ntp] Objections to the current language in draft-ietf-data-minimization

[Martin Burnicki <martin.burnicki@meinberg.de>]

Harlan Stenn wrote:
> On 3/26/2019 3:26 AM, Martin Burnicki wrote:
>> Harlan Stenn wrote:
[...]
>>> For better or worse, a noticeable group of time server operators now
>>> offer leap-smeared time in response to NTP mode 3 (client) requests.
>>> Sometimes this is what the clients want, sometimes it is not.
>>
>> The question is whether it is important what the client wants.
> 
> I submit it will be important to the operator of the client, and that
> may or may not be the same organization that operates the servers.
> 
> What would happen if some of the general pool operators decided to offer
> leap smearing?

I think I've read in the advices for pool servers that they should *not
at all* use smeared time, so by definition no pool servers should
provide smeared time.

I also think the pool maintainers pretty much know that this would be
very dangerous, and will not allow for a mixed pool.

In the past it happened that some pool servers were stratum-2 servers
that synchronized to Google's smearing servers. This is clearly a
misconfiguration (intentionally or not), and I think the pool's
monitoring system should try to detect this and kick them out of the pool.

Of course the problem remains for clients which have just recently
received the IP address of affected servers from the pool's DNS system.

> Compare this to the vendors Foo, and Bar, who have separately arranged
> to offer foo.pool.ntp.org and bar.pool.ntp.org.  If Foo decides its
> clients should use correct time, they have their pool servers offer
> correct time.  If Bar decides its clients should use leap smeared time,
> they have their pool servers offer that.

No, if the pool should support leap smearing then an extra pool should
be set up with a different name. In addition, if this happened at all,
vendors Foo, and Bar would have to agree *how* their servers smear the
time: which interval, which shape, only before the LS or symmetrically, ...

Otherwise this would cause even more confusion than it does now.

[...]
>> Agreed. What should the server do if the client doesn't accept a
>> proposed poll interval? There are lots of simple, dump clients out there
>> where I doubt they can and do change the poll interval at all.
> 
> All we can do is make a good-faith offer.  This satisfies our
> responsibility *to* the client.  We are not responsible *for* the
> client's behavior.  If the client doesn't honor our poll request and
> doesn't sync well enough, then if the client doesn't care then ... they
> don't care.  If the clients *do* care they have an opportunity to make a
> different choice.

This is fine since it's optional and compatible with simple client
implementations.

[...]
>>> - Does the client want leap-smeared time?
>>
>> Is it important what the client wants?
>> Or just what the operator has decided to enforce?
> 
> It depends.  I touched on this above.  And sometimes servers will send
> client requests to monitor and track other systems.

This is again a completely different scenario since monitoring results
are normally not used to discipline the own system time.

> One of my goals here is to give the recipient of these responses the
> tools and information that will allow them to make choices that are
> right for them.
> 
>>> - Should the server respond with correct, or leap-smeared time?
>>
>> IMO, if the server has been configured to provide leap-smeared time then
>> it should do so by default, but eventually there may be exceptions. See
>> below.
> 
> :)
> 
> And what happens if a server operator changes their mind about this at
> some point in the future?

Public server shouldn't smear at all, and if the operator of a private
server decides to change this he should know which clients are affected.
It's the same if an operator decides to let his server start smearing
leap seconds.


>>> This leads to the follow-on questions:
>>>
>>> - How can the client know if it's getting correct, or leap-smeared time?
>>
>> If the server supports this (e.g. current ntpd does), the client can
>> *optionally* check the refid received from the server and see that it's
>> the special "smear REFID". This should be just informational.
> 
> Yes.
> 
>>> - How can one tell if a client is following a leap-smearing server?
>>
>> Again, if the client detects the "smear REFID" received from its system
>> peer a monitoring program like ntpq could display the appropriate
>> information.
> 
> This goes to the SUGGESTED-REFID.  Even if it's not used, I currently
> believe that if ntpd in 4.4.0 syncs to a leap-smearing source, even if
> that source does not use SUGGEST-REFID, there will be code to make sure
> that the client's published system peer is a leap-smear REFID, for the
> following reasons:
> 
> - it shows up in ntpq.
> - it allows the 2nd half of the leap smear to be applied as expected.

The question is of legacy NTP clients would put the "smear REFID" into
packets sent to the server. If they don't do so then your proposal will
cause problems.

>>> If the client sends a packet
>>> with LI=0x3, the server SHOULD also respond with correct time with an LI
>>> value of 0x0, 0x1, or 0x2.
>>
>> No, here I disagree. If the client sends leap bits 0x3 this means it is
>> currently not synchronized, and the server may be the only time source
>> the client has. If the server operator has decided to let the server
>> smear the leap second then it should really do so in this case.
> 
> I considered this case, and this is why I made the decision I wrote above.
> 
> If the client is able to handle the leap second then we should give it
> the opportunity to do so.  There's a chance the client will iburst, so
> it will likely sync after 6 of the 8 iburst polls.  In this case, the
> 7th poll will contain either LI=0, meaning it doesn't believe that a
> leap event is pending, or it will send LI=1.  As soon as it sends either
> of these, the server knows how to respond to the client.  And if the
> time is close enough or in the leap smear period, the server may well be
> telling the client to use a shorter poll interval, so even if the client
> went from LI=3 to LI=0 it will continue to use a shorter poll interval
> and shift from correct time to smeared time.

And how do you know from the beginning if a client uses iburst?

What if a simple client always just sends LI 0x03?

> I even think I have a way to help this along even better, with an update
> to the EXTENDED-INFORMATION extension field.
> 
>>> If the client sends its request with an LI value of 0x0 before leap
>>> smearing starts, the server SHOULD respond with correct time with an LI
>>> value of 0x0, 0x1, or 0x2.
>>
>> No. If the server has been configured to smear the time and hide the
>> leap second then it should do so by default, which also means *not* to
>> send a leap second warning to a client unless the client clearly
>> indicates in its request that it anyway knows about the upcoming leap
>> second. Only in this case the server should send the leap second warning
>> flag 0x1 or 0x2 and true UTC instead of smeared time.
> 
> If you want your server to ALWAYS send smeared time, then you are right.

That's the intended behavior when using leap second smearing.

> If you want your server to offer correct time to clients that know how
> to handle the leap second and smeared time to clients that do not state
> they know how to handle a leap second, then I probably disagree with you
> and I'd appreciate our discussing this more so we can come to an agreement.

My main goals would be to not break compatibility with existing clients,
don't make configuration more complex than absolutely necessary, and
only if possible without side affects provide optional ways to improve
the client's behavior and resulting accuracy.

>>> If the client sends its request with an LI
>>> value of 0x0 *during* a leap smear correction, the server SHOULD respond
>>> with leap-smeared time and an LI value of 0x0, and MAY respond with
>>> correct time and an LI value of 0x1 or 0x2.
>>
>> No. IMO, if the client sends leap bits 0x0 or 0x3 then the server MUST
>> NOT respond with correct time and an LI value of 0x1 or 0x2 if it has
>> been configured to smear the leap second.
> 
> I do see your point and I remember thinking about this a lot, and there
> was a reason I wrote what I did.  That reason could be as simple as
> "SHOULD" means "you really really should do this, unless you have a Good
> Reason not to, in which case you MAY respond with LI=[12] and correct
> time." Put another way, I'm leaving an "escape hatch" for the
> possibility that there's a special case that hasn't been considered.
> 
>>> Furthermore, responses containing leap-smeared time SHOULD include a
>>> REFID that identifies the "system peer" as a leap-smeared source.  See
>>> draft-stenn-ntp-leap-smear-refid for more information.  This response
>>> also SHOULD include a SUGGESTED-REFID extension field, as described by
>>> draft-stenn-ntp-suggest-refid, to make it obvious that the system is
>>> following leap-smeared time.  These points address the  two follow-on
>>> questions.
>>
>> This is a good idea, but older clients or other client implementations
>> may not recognize the LEAP-SMEAR-REFID as a special case, and they may
>> not even accept a response from a server that has an extension field
>> they don't expect.
> 
> Agreed, and that's what the I-DO EF is for.  If the client sends this,
> the server knows what the client can accept.
> 
> It's been my experience that we don't want to send unsolicited EFs in
> server responses.

That's what I meant.

>> So eventually extension field handling should be mandatory for v5 of the
>> NTP protocol, and only if a v5 client request is received the server
>> should append that extension field.
> 
> Agreed.
> 
>> BTW, is there a common place to collect suggestions for v5 of the NTP
>> protocol?
> 
> I have a list of our ideas, and I'm happy to set up a place for it.

That would be appreciated.

>>> The LEAP-SMEAR-REFID and SUGGESTED-REFID extensions have another key
>>> role during the application of a leap smear - that of making sure the
>>> system behaves properly during the last half of the 12/12 leap smear
>>> correction.
>>>
>>> Once the leap second has applied, the LI value for correct time reverts
>>> to 0x0.  When a leap smearing client asks for time during the second
>>> phase of this correction, it will be sending its requests with LI=0x0,
>>> as *all* time requests from a leap-smearing client will contain LI=0x0
>>> when a leap event is not pending.  But in this case, how does the server
>>> know it should continue sending leap-smeared time, as opposed to correct
>>> time?  The answer is that the client requests include the client's
>>> REFID, which in this case SHOULD be a LEAP-SMEAR-REFID.
>>>
>>> When a server receives a mode 3 (client) request containing a
>>> LEAP-SMEAR-REFID during the second phase of a leap-smear correction, the
>>> server SHOULD respond with leap-smeared time and a LEAP-SMEAR-REFID as
>>> the SUGGESTED-REFID.
>>
>> Of course, the server should continue to send smeared time and the
>> LEAP-SMEAR-REFID as long as smearing is still in progress, but as I've
>> mentioned before, it should not append an extension field by default if
>> the client request is protocol v3 or v4.
> 
> Certainly not for v3, as EFs didn't exist there.  I'm fine with sending
> known-allowed EFs in v4 responses.

Which EF discussed here is known-allow for all or non-current NTPv4
implementations?

>> However, if the server *only* responds with leap-smeared time if it
>> receives the LEAP-SMEAR-REFID from the client then I'd expect that this
>> *breaks compatibility* with many simple client implementations that are
>> out in the wild. If such clients won't send this special REFID then they
>> would get non-smeared time back from the server after the leap second
>> has occurred, which may cause a 0.5 s time step on the client.
> 
> Yes.  And in that case there are several options to avoid this problem:
> 
> - configure the clients to query servers that will give them the time
> they want (there are several ways to do this),

That's the basic idea. If the client just has to use smeared time I
configure a server that provides it, and if I don#t want this I choose a
"normal" server. This doesn't require any tricks.

> - get motivated to upgrade the client software after the next leap second.

I think you know this is often not possible due to various reasons.

>> I don't think this consistent with the original idea of leap smearing,
>> which should explicitly avoid time steps.
> 
> Yes, but if the client is following a regular server they'll step by a
> second.  If they follow a leap smear server then they won't step.  And
> if they follow a "new style" server that offers smeared time to folks
> who only send a leap smear refid in the last half of the correction then
> they'll step a half-second correction.

Yes, and the operators of the client machine will be happy if they
configured leap smearing to avoid time steps, and now the time sis
stepped in spite of the smearing.

Sorry Harlan, but this sounds pretty error prone.


Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg,
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com
Training: https://www.meinberg.academy