Re: [Ntp] Antwort: Re: NTS4UPTP Rev 03 - Formal request for WG adoption [FORMAL RESPONSES?]

Heiko Gerstung <> Mon, 14 June 2021 06:22 UTC

From: Heiko Gerstung <>
To: Hal Murray <>, "" <>
Cc: NTP WG <>

> On 11.06.21, 17:14, "ntp on behalf of Hal Murray"
> < on behalf of> wrote:
> I don't know anything about PTP (except what the draft explains).

You can find more explanations about PTP in our blog (). Since unicast PTP is quite different from multicast PTP, I recommend these articles:

These are short articles. I am sure Doug is happy to answer any questions regarding PTP. 

> I'm working from draft-gerstung-nts4uptp-02.pdf  (which I got a few minutes
> ago)
> I don't see any fatal flaws, but it doesn't feel good.
> You will have to prove that phase 2 is secure.  That doesn't look easy to
> me,
> but I'm not a crypto geek.

We did come up with this proposal after quite a number of iterations and a lot of discussions, and we are quite sure it is secure. As already mentioned earlier, nothing provides 100% security; therefore it is important to define what "secure" means. We believe that the proposed draft describes a method of securing unicast PTP to a point where it is "secure enough" for almost all applications.

> Why not move phase 2 to the TLS connection?
That would be an option, but it would require a lot more resources on the unicast PTP server. The current proposal requires the PTP client to establish a TLS connection once or twice a day to the NTS-KE server. Moving phase 2 into the TLS connection would require every PTP client to establish a TLS connection to each unicast PTP server it uses every couple of minutes (or even more often, depending on the duration of the contract (subscription) for the packet transmission).

> If you do that, is there any need for cookies?
I do not think you would need a cookie in this case.

Best Regards,

Heiko Gerstung 
Managing Director 
MEINBERG® Funkuhren GmbH & Co. KG 
Lange Wand 9 
D-31812 Bad Pyrmont, Germany 
Phone: +49 (0)5281 9309-404 
Fax: +49 (0)5281 9309-9404 
Amtsgericht Hannover 17HRA 100322 
Geschäftsführer/Management: Günter Meinberg, Werner Meinberg, Andre Hartmann, Heiko Gerstung 
Do not miss our Time Synchronization Blog:
Connect via LinkedIn: