Re: [Ntp] Follow-up to yesterday's mic comment about PTP security

kristof.teichel@ptb.de Thu, 25 July 2019 08:21 UTC

Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EBF2120096; Thu, 25 Jul 2019 01:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.811
X-Spam-Level:
X-Spam-Status: No, score=0.811 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GUARANTEED_100_PERCENT=2.699, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0w6qQ7M8M_kU; Thu, 25 Jul 2019 01:21:24 -0700 (PDT)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1264A120045; Thu, 25 Jul 2019 01:21:23 -0700 (PDT)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de with ESMTP id x6P8LLmK004469-x6P8LLmM004469 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 25 Jul 2019 10:21:21 +0200
Received: from lotus.bs.ptb.de (lotus.bs.ptb.de [141.25.85.200]) by smtp-hub.bs.ptb.de (Postfix) with ESMTPS id F036C815B04; Thu, 25 Jul 2019 10:21:18 +0200 (CEST)
In-Reply-To: <2CF584EA-17C5-4623-AA0A-FAB215DEF288@meinberg.de>
References: <OFBC3F40BE.7ED6BF0D-ONC1258441.0023FF5E-C1258441.002675FE@ptb.de> <626997121-17255@srv-kerioconnect.py.meinberg.de> <OFA2356644.91C0B8AD-ONC1258442.00272352-C1258442.0027B093@ptb.de> <2CF584EA-17C5-4623-AA0A-FAB215DEF288@meinberg.de>
To: "Heiko Gerstung" <heiko.gerstung@meinberg.de>
Cc: "Daniel Franke" <dfoxfranke@gmail.com>, "Doug Arnold" <doug.arnold@meinberg.de>, "NTP WG" <ntp@ietf.org>, "ntp" <ntp-bounces@ietf.org>
MIME-Version: 1.0
Message-ID: <OF38BC0986.F976A33A-ONC1258442.002A3C5D-C1258442.002DE4E1@ptb.de>
From: kristof.teichel@ptb.de
Date: Thu, 25 Jul 2019 10:22:05 +0200
Content-Type: multipart/alternative; boundary="=_alternative 002DE4DFC1258442_="
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/qdMIXVMU2NBVUhP9xZoJ7qSf0pw>
Subject: Re: [Ntp] Follow-up to yesterday's mic comment about PTP security
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 08:21:27 -0000

To be clear: I'm not trying to say that using NTP/NTS rather than PTP on 
campus (locally) helps you out in any significant way.
But using NTP/NTS rather than GNSS to *get UTC to your campus* (globally) 
helps you out on one critical aspect: guaranteed traceability - the other 
being precision/accuracy levels, (where NTP/NTS performs much worse than 
GNSS).
If you're able to use PTP (hopefully secured PTP soon) over a 
long-distance landline to synchronize to a master that is NMI-levels close 
to UTC, then that seems pretty close to ideal - but it does require the 
appropriate landline, which is not trivial and rules this option out for 
many users.

Regarding generalizations of protocol properties: some things do depend on 
the transmission protocol, specifically on whether it allows messages in 
both directions or just one.
We have proof that "NTP/NTS = (Time of NTP/NTS Server) +- (roughly half of 
RTT)" is actually valid. This holds because you get a crypto-secured 2-way 
exchange.
And it works if your NTP server in this case is the NTP server of your 
appropriate NMI, and they might be able to give you the additional 
uncertainty for how close to their utc(NMI) the NTP server is - and that 
gets you very close to actual, full on 100%-guaranteed (if you assume the 
worst-cases conservatively enough) traceability, proven by the properties 
of the transmission protocol.
That is something that you *cannot* get with any purely 1-way based 
transmission method, specifically with a GNSS receiver - no matter what 
crypto people throw onto the GNSS signal, because delay attacks exist and 
are not just unpreventable but unbounded in pure 1-way connections.

I know that MiFID II in particular does not acknowledge this and 
specifically accepts GNSS (I think even explicitly GPS) as satisfactory - 
but I think that this should be changed in the next guideline, and also 
carefully suspect that it actually might be.


Best regards,
Kristof





 


Von:    "Heiko Gerstung" <heiko.gerstung@meinberg.de>;
An:     "kristof.teichel@ptb.de"; <kristof.teichel@ptb.de>;, "Doug Arnold" 
<doug.arnold@meinberg.de>;
Kopie:  "NTP WG" <ntp@ietf.org>;, "Daniel Franke" <dfoxfranke@gmail.com>;
Datum:  25.07.2019 09:39
Betreff:        Re: [Ntp] Follow-up to yesterday's mic comment about PTP 
security
Gesendet von:   "ntp" <ntp-bounces@ietf.org>;



I agree with Kristof that using GPS (or any other GNSS for that matter) 
does not automagically turns your PTP GM into a UTC traceable time source. 
The folks of NPL have shown that you can use PTP (without GNSS) to 
transfer UTC traceable time with a high level of accuracy (<1us) over long 
distances. So "PTP != UTC" is obviously as generalizing as "NTP/NTS = 
UTC". It doesn't depend on the network protocol. 
 
I get the point of Kristof that using GPS in the setup Doug described will 
not guarantee UTC, but funny as it is, the European MiFID II regulation 
specifically accepts using GNSS to obtain time and be compliant with the 
UTC requirements of ESMA. 
 
My goal is to work on using NTS-KE for PTP as well, if anyone is 
interested in joining us to work out something please let me know. 
 
Regards,
   Heiko
 
 
-- 
Heiko Gerstung 
Managing Director

MEINBERG® Funkuhren GmbH & Co. KG
Lange Wand 9
D-31812 Bad Pyrmont, Germany
Phone:    +49 (0)5281 9309-404
Fax:        +49 (0)5281 9309-9404

Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre 
Hartmann, Heiko Gerstung

Email:
 heiko.gerstung@meinberg.de 
Web:
 Deutsch   https://www.meinberg.de
 English    https://www.meinbergglobal.com

Do not miss our Time Synchronization Blog:
 https://blog.meinbergglobal.com 

Connect via LinkedIn: 
https://www.linkedin.com/in/heikogerstung
 
 
 
Von: ntp <ntp-bounces@ietf.org>; im Auftrag von <kristof.teichel@ptb.de>;
Datum: Donnerstag, 25. Juli 2019 um 09:14
An: Doug Arnold <doug.arnold@meinberg.de>;
Cc: NTP WG <ntp@ietf.org>;, Daniel Franke <dfoxfranke@gmail.com>;
Betreff: Re: [Ntp] Follow-up to yesterday's mic comment about PTP security
 
Good morning all, 

what you will really need from these folks, Doug, is a clear statement of 
whether they need their level of synchronicity (50ms, 100us, whatever) 
only locally between all their machines or also in reference to a global 
time scale such as UTC. 
And maybe if they need different precision/accuracy levels for both, such 
as needing/wanting sub-ns level locally and a 100% guaranteed 100us within 
UTC or something like that (I suspect something like this will turn out to 
be true for most of them). 

Using PTP to make sure that all of their devices agree on the time to a 
better-than-100us level is fine, but if they need actual guarantees with 
regard to UTC, it might be short-sighted to just go "well, our server is 
GPS-disciplined, so basically as good as UTC". 


Best regards, 
Kristof 




Von:        "Doug Arnold" <doug.arnold@meinberg.de>; 
An:        "NTP WG" <ntp@ietf.org>; 
Kopie:        kristof.teichel@ptb.de, "Daniel Franke" 
<dfoxfranke@gmail.com>; 
Datum:        24.07..2019 21:17 
Betreff:        Re: [Ntp] Follow-up to yesterday's mic comment about PTP 
security 




Hello Everyone, 

Some financial companies only need 50 ms, and for them I recommend NTP. It 
is cheaper and easier to install than PTP, and the protocol is more mature 
and implementations are usually robust.  In general they prefer to have 
their own NTP servers, inside their network, and behind the fire wall.  I 
will be recommending NTS when available from their vendor.  That will be 
an easy sell, since they generally want to turn on security options for 
the protocols they use. 

Some network operators tell me that achieving 100 us time synchronization 
in their network is near the edge of what they currently get using NTP, so 
they want to switch to PTP for this spec and the coming tighter specs. 
Most of them have switches and routers which have PTP on path support or 
the operators expect them to in the near future.  This will be an issue 
which needs discussion since that represents a security challenge.  If 
every switch is shaping the information, then there is either a "secret" 
every node knows, or many secrets, each of which must be kept. 

Doug


From: <kristof.teichel@ptb.de>; 
To: Daniel Franke <dfoxfranke@gmail.com>; 
Cc: NTP WG <ntp@ietf.org>; 
Sent: 7/24/2019 9:00 AM 
Subject: Re: [Ntp] Follow-up to yesterday's mic comment about PTP security 


Hey all, 

first of all, I'm really glad if this whole thing (security of one-way 
mechanisms and mechanism selection) is a discussion that we're going to 
have in the WG. 

To comment on your assertions, Daniel: 

1. 
It is established in general (and I have a proof lying around for a model 
of NTS in particular) that a client performing a request-response exchange 
with NTS and using all relevant checks gets a strong guarantee that the 
error in its measured offset is no larger than half the added flight times 
of the packets (plus some negligibly small delta accounting for frequency 
instability of the clocks used on client and server side). 
For anyone wondering why we bothered to prove this again: this guarantee 
is 100%, and the new part is "no matter what a Man-in-the-Middle attacker 
did in the process". 
So I would be careful about naming a specific amount, because flight times 
do depend on the specific client's connection - but 50ms seems like a good 
rule of thumb, and I overall agree with your assertion. 

2.-3. 
If we're operating und the assumptions that 
a) you can only use one time sync mechanism at a time and keep track of 
one clock disciplined via data from that mechansim, and 
b) end users always have exactly one requirement level for each of 
security and precision/accuracy and need to use the least-effort path to 
achieve them 
.... then I agree with your assertions whole-heartedly. 

But I really think both assumptions deserve their own hard looks and 
considerations. 
For example, it might be reasonable for someone, specifically a financial 
institute, to run NTP with NTS in their local network to obtain a 100% 
security guarantee for a 100us level (demanded by MiFID II for example) 
and also still use PTP / White Rabbit (unsecured for the time being) to 
have the precision/accuracy levels they actually want - with no strong 
guarantee, but still valid in the (most likely) case that their 
infrastructures are not currently under attack. 

4. 
Again, I agree with the assertion for the most part and in the given 
status quo. 
But the underlying assumption that every relevant adversarial 2-way 
network also suffers from long, unpredictable and asymmetric travel times 
is mostly valid because the only candidate for such a network is the 
internet. 
If someone built, say, a GNSS network where two-way communication (with 
satellites or between two ground stations) was readily available to 
everyone, the whole situation would be different: 
That would still potentially qualify as an adversarial network, but with 
the proper crypto, your 100% security guarantees could be extended to much 
better precision/accuracy levels. 
The same thing could be true for long-distance tree-topology fibre-based 
networks exclusively for time synchronization - which are kind of in the 
process of being built all over Europe. 


Lengthy comments and caveats notwithstanding, I agree with and would 
endorse your 1.-4. decision making sheet as an excellent starting point. 


Best regards, 
Kristof 


"ntp" <ntp-bounces@ietf.org>; schrieb am 23.07.2019 18:19:33:

> Von: "Daniel Franke" <dfoxfranke@gmail.com>; 
> An: "NTP WG" <ntp@ietf.org>; 
> Datum: 23.07.2019 18:20 
> Betreff: [Ntp] Follow-up to yesterday's mic comment about PTP security 
> Gesendet von: "ntp" <ntp-bounces@ietf.org>; 
> 
> My comments yesterday about PTP security shifted context a few times
> so it may have been hard to follow what I was claiming. My assertions
> were:
> 
> 1. If you need 50ms precision, pick some good public NTP servers and use 
NTS.
> 
> 2. If you need 100µs precision, colocate a time source in the same
> datacenter as the client systems. Use NTP and NTS; you don't need PTP
> for this.
> 
> 3. If you need 1µs precision, use PTP and physically secure the link
> between the time source and the clients so that cryptographic
> authentication is unnecessary.
> 
> 4. If you need 1µs precision over an adversarial network, good luck!
> This is simply not achievable and no amount of cryptographic pixie
> dust is ever going to save you.
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp


_______________________________________________ 
ntp mailing list 
ntp@ietf.org 
https://www.ietf.org/mailman/listinfo/ntp 

_______________________________________________ ntp mailing list 
ntp@ietf.org https://www.ietf.org/mailman/listinfo/ntp 
_______________________________________________
ntp mailing list
ntp@ietf.org
https://www.ietf.org/mailman/listinfo/ntp