IETF Logo Mail Archive

Re: [Ntp] The trick to timestamp with authentication

James <james.ietf@gmail.com> Fri, 04 December 2020 09:12 UTC

Return-Path: <james.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 243C43A0ABB for <ntp@ietfa.amsl.com>; Fri, 4 Dec 2020 01:12:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id js_k9dDJPNqY for <ntp@ietfa.amsl.com>; Fri, 4 Dec 2020 01:12:00 -0800 (PST)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BDC23A0B10 for <ntp@ietf.org>; Fri, 4 Dec 2020 01:12:00 -0800 (PST)
Received: by mail-ej1-x635.google.com with SMTP id bo9so7570657ejb.13 for <ntp@ietf.org>; Fri, 04 Dec 2020 01:12:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=320HdJpJW59Og8wDlikbquSoov22LaN7wPWRl+GUiQo=; b=RbC+/V7sRXFbx9BHtLMFQ6335RkZnOuN3L82qG1e4JmIbEHt94mHYphMJfR6RkjYHt 0WcukygkCxJydX1QO8ulj0o/B1oZqBmqheh4CDpZ7VJGdSdnZNpy4lbKC6uXUjrGFgAO g+NlzQfAP5QXiMjnXy5+72K5e+kH6mULNbmEomdu5bu63co5EI8g7wfDaw9AUS3JmfIG vxwBUhBjm6QxsJrnAFo/HZVRznGaFpI0YWMSfGf+4LrccFdNmxnGHFCiMj97AeVV295K Io+/LD0+UOmeCVxdzZxFqvjzYfERQwYoWpNY+DxHIaOVKPjtFTIL4z50Rr5LLgCCJ89M 3toA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=320HdJpJW59Og8wDlikbquSoov22LaN7wPWRl+GUiQo=; b=b2PJsx1EvTi3xLjUaokIEvBrc5XckOw8Od7ol7jt/x/5jSBPO4PMXyrZRlgH7R6Bqr 5TTmUeP1mzW9vqM1xYN3tXQhzevuFgbNLq4ayGwhHXUg9QCQphPdT8fZUN44QORDwhxv msCUo+ofs7efsjbagcH0nysZb3txpN2YNg5l8Tr3k0LKnbO63msGuoTsnnmIjEOmBhbO fQkL2khmf6H2wKeJn3jVRED7z/owEYH9akweNKIlijH8nJ3Mn2rSs6s0HM4OZ+Pv8JZ/ vzNNAxLVW7P3d2KGpFvZosBOFI77k86MRdndsT8yYrEvKERa8UUiAj5UglUt4LGj+9Pz E+aA==
X-Gm-Message-State: AOAM533Iem67mP2+7XpZkCOpSybyN6wtK3vrz3Fq3HjM2jX6lCRyPpz6 2jYREdZUCQ7BbGAmLfTs+xgXi41CWd9Xbw==
X-Google-Smtp-Source: ABdhPJxXxx+aQr9gN6QU+JKjeHTbNhVLBKVAXjACXATyuAiGECcB+nC2py+kSZYTErk4n8k3SChitw==
X-Received: by 2002:a17:906:9605:: with SMTP id s5mr5942800ejx.179.1607073118288; Fri, 04 Dec 2020 01:11:58 -0800 (PST)
Received: from ?IPv6:2001:984:65b0:2:e5d1:618f:bc7:a47c? ([2001:984:65b0:2:e5d1:618f:bc7:a47c]) by smtp.gmail.com with ESMTPSA id ov22sm2696825ejb.23.2020.12.04.01.11.57 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 04 Dec 2020 01:11:57 -0800 (PST)
To: Doug Arnold <doug.arnold@meinberg-usa.com>
Cc: NTP WG <ntp@ietf.org>
References: <doug.arnold@meinberg-usa.com> <BEF7C4D9-81CD-42AD-BA06-433D45C0DCD1@meinberg-usa.com> <20201203233634.15F7940605C@ip-64-139-1-69.sjc.megapath.net> <12C6B0FF-8C20-4363-AF41-FDF98B2D8072@meinberg-usa.com>
From: James <james.ietf@gmail.com>
Message-ID: <f4170b63-4e5e-9136-7414-8588dbfce2aa@gmail.com>
Date: Fri, 04 Dec 2020 10:11:56 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <12C6B0FF-8C20-4363-AF41-FDF98B2D8072@meinberg-usa.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-AU
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/uB4VnYTROSr2nCmEFa_J4IdeWLc>
Subject: Re: [Ntp] The trick to timestamp with authentication
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Dec 2020 09:12:02 -0000

Speaking as someone in broadcast, whilst the industry has standardised 
on the use of PTP in a few places (AES67, SMPTE 2110, etc) there are use 
cases where NTP is used instead, particularly where PTP is either not 
feasible or simply overkill for the application. Many of those operate 
on less-trusted networks or public internet and thus would greatly 
benefit from NTPv5 having greater security.

I don't believe on-path corrections and security are completely 
exclusive capabilities, but there's a spectrum between having on-path 
connection with either limited or more complicated security, or greater 
security with limitations on what corrections can be applied. As part of 
the requirements for NTPv5 I think the working group should decide where 
in the metaphorical spectrum we should focus on.

- J

On 04-12-2020 01:03, Doug Arnold wrote:
> I think that the enterprise networks of financial institutions, broadcast companies and power grids all want security and on path support.  Maybe large data centers as well. Broadcast and power have already adopted ptp and will probably stick with that, but my interactions with people in finance and data centers suggest that some of them would prefer a more precise version of ntp.  Some companies in finance are already doing nonstandard sub microsecond "ntp."  That is hardware timestamped ntp packets, but with higher than normal message rates and different client algorithms.
>
> The ntp working group could decide ntpv5 can support on path corrections or security, but not both.  However, I suspect a lot of people would be disappointed.
>
> Doug
>
> On 12/3/20, 6:36 PM, "Hal Murray" <hmurray@megapathdsl.net> wrote:
>
>
>      doug.arnold@meinberg-usa.com said:
>      > This could be handled using a symmetric group key that authorized nodes get
>      > periodically from a key exchange server.  See, for example GDOI.  I believe
>      > that NTS could be adapted to group key operation as well.
>
>      The whole idea of patching an authenticated packet seems wrong.
>
>      How much effort has gone into investigating alternatives?
>
>
>      > I see you were paying attention. Accuracy and security are a trade-off.  If
>      > you want on path timing support and security, then you either have to have a
>      > lot of secrets or a secret that a lot of nodes are in on.  Either way it is
>      > less secure than just NTS between a client and a server.  However, in a
>      > private network where someone wants microsecond level time transfer accuracy
>      > that might be a sensible trade-off.
>
>      That seems like a narrow market.  It's a private network.  They want
>      authentication so they don't trust their network yet they do trust it enough
>      to patch their authenticated packets.
>
>
>      --
>      These are my opinions.  I hate spam.
>
>
>
>
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email