Re: [Ntp] Fwd: Re: Antwort: Re: TLS records vs NTS-KE
Miroslav Lichvar <mlichvar@redhat.com> Wed, 27 June 2018 11:12 UTC
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D45130F9C for <ntp@ietfa.amsl.com>; Wed, 27 Jun 2018 04:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPLncNNbUEvm for <ntp@ietfa.amsl.com>; Wed, 27 Jun 2018 04:12:19 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E885130F5B for <ntp@ietf.org>; Wed, 27 Jun 2018 04:12:19 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 90FCB70206; Wed, 27 Jun 2018 11:12:18 +0000 (UTC)
Received: from localhost (unknown [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 08A7F1C66F; Wed, 27 Jun 2018 11:12:17 +0000 (UTC)
Date: Wed, 27 Jun 2018 13:12:17 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Martin Langer <mart.langer@ostfalia.de>
Cc: ntp@ietf.org
Message-ID: <20180627111217.GS22354@localhost>
References: <81cc0512-5971-d36a-edc0-b5eae8f03023@ostfalia.de> <5de4efab-cee1-2402-186f-9f2bda3396d0@ostfalia.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5de4efab-cee1-2402-186f-9f2bda3396d0@ostfalia.de>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 27 Jun 2018 11:12:18 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Wed, 27 Jun 2018 11:12:18 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'mlichvar@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/uF2_CNVp4BCBSGfkDTsYqe_6c9E>
Subject: Re: [Ntp] Fwd: Re: Antwort: Re: TLS records vs NTS-KE
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 11:12:22 -0000
On Wed, Jun 27, 2018 at 12:38:19PM +0200, Martin Langer wrote: > But what can we do if we need requests larger than 1K (maybe in the future)? > For example: A new record type needs parameters/key material/certificates > and the size of this records is over 1K. > ....but ok. Actually it is not a problem, I guess. Do you think there might be a case where we would need to exchange keys or certificates as application data? I'd expect that to be handled by TLS itself. If it does turn out later that 1K is too small for a request, in the worst case I think we can always define "ntske/2" as a new ALPN name for the same protocol with larger limits. > cookie: 256 > > The definition of the cookie size is a bit ...tricky. ...and do you mean the > cookie itself or the whole record? Just the cookie, i.e. the data the client has to save in order to send a valid NTP+NTS packet after NTS-KE is finished. > But the NTP connection can be interessting: > - max. space for NTS extension fields: 1500 bytes MTU (Ethernet) - 20 bytes > IPv4 header - 8 bytes UDP header - 48 bytes NTPv4 header = 1424 bytes > - UniqueID_ExtField and AuthAndEncExt_ExtField need around 80 bytes --> so > we have 1344 bytes for cookies EFs > - current guideline: max. 8 cookies or placeholder ---> 1344/8 = 168 bytes > (without IP fragmentation) > ....but I think this is not a problem. With a limit of 255 bytes we can > transmit 5 cookies/placeholder without IP fragmentaion That's a good point. We should also not forget that clients may use extension fields for other things than NTS. -- Miroslav Lichvar
- Re: [Ntp] Fwd: Re: Antwort: Re: TLS records vs NT… Martin Langer
- Re: [Ntp] Fwd: Re: Antwort: Re: TLS records vs NT… Miroslav Lichvar
- [Ntp] Fwd: Re: Antwort: Re: TLS records vs NTS-KE Martin Langer
- Re: [Ntp] Antwort: Re: TLS records vs NTS-KE Miroslav Lichvar
- Re: [Ntp] TLS records vs NTS-KE Miroslav Lichvar
- Re: [Ntp] TLS records vs NTS-KE Daniel Franke
- [Ntp] TLS records vs NTS-KE Miroslav Lichvar
- [Ntp] Antwort: Re: TLS records vs NTS-KE dieter.sibold
- Re: [Ntp] TLS records vs NTS-KE Miroslav Lichvar