[Ntp] Draft extension NTS for pools

David Venhoek <david@venhoek.nl> Fri, 22 December 2023 10:27 UTC

Dear All,

As promised during the last interim, a few colleagues and I have
worked to put into a draft the approach we have taken in our
experiments to get a prototype NTS pool working. The draft is at
https://datatracker.ietf.org/doc/draft-venhoek-nts-pool/00/. If you
want to provide suggestions for edits, the easiest way to do so is
through the document's GitHub:
https://github.com/pendulum-project/nts-pool-draft

To give some background, the main problem inhibiting an NTS pool
currently is that it is hard to provide key exchange services for a
heterogeneous pool of NTP servers supporting NTS. It seems there is a
fundamental choice between 1 of 4 options that needs to be taken to
make a pool. You either need to:
 - Modify clients to handle a second layer of indirection in the DNS
lookup, for example when using SRV records to make the pool;
 - Share large amounts of master secrets between the pool and all pool
servers, either
    - through sharing TLS certificates for the pool domain so each
pool server can run its own key exchange,
    - or by sharing cookie format and secrets with the pool so the
pool can make cookies for each server;
 - or modify the server side to allow the pool to ask for cookies for
arbitrary keys.
We have decided to experiment with the latter as it seemed the most
achievable way that still preserves a decent amount of security. In
particular, we preferred it because it doesn't require modification of
clients to use it (though our current design does allow clients with
additional support to gain some efficiency).

We have mostly implemented the design suggested in the draft within
the ntpd-rs project, see
https://github.com/pendulum-project/ntpd-rs/tree/main/nts-pool-ke for
instructions on how to experiment with it. There are some differences
between what's implemented and the draft, primarily because the draft
already learned from some of our experiences with the implementation
and we haven't (yet) had the time to implement those lessons.

Thanks all in advance for any feedback.

Kind regards (also on behalf of Folkert de Vries and Marc Schoolderman),
David Venhoek