Re: [ntpwg] NTS: DTLS and symmetric mode

Miroslav Lichvar <mlichvar@redhat.com> Tue, 01 August 2017 07:39 UTC

Date: Tue, 01 Aug 2017 09:38:54 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Message-ID: <20170801073854.GB2346@localhost>
References: <707deca2-9037-c9fc-69bc-71ee80cb4c97@nwtime.org> <CAJm83bBjUU_PHhOcH4Sa7LdE2JEN3wojmXTWv_F_nnnRQz61Rw@mail.gmail.com> <c251d5c2-ae87-7c66-7b08-f3bc68680be8@nwtime.org> <CAJm83bA+vJjq74pKBJKRHbqG2W9rJi3HRU48go=cws92gx6DBw@mail.gmail.com>
In-Reply-To: <CAJm83bA+vJjq74pKBJKRHbqG2W9rJi3HRU48go=cws92gx6DBw@mail.gmail.com>

On Mon, Jul 31, 2017 at 02:59:30PM -0400, Daniel Franke wrote:
> On 7/31/17, Harlan Stenn <stenn@nwtime.org> wrote:
> > Is DTLS well-suited for symmetric associations, which require mutual
> > authentication?
> 
> Yes. DTLS supports mutual authentication through the use of client
> certificates or pre-shared keys.

That will work nicely for an active-passive association, but I'm still
not sure about active-active associations. You said the source port of
a DTLS client is supposed to be random. How will an active peer know
that an incoming connection corresponds to a peer it has already
connected to or it's trying to connect to? With symmetric keys/autokey
it was possible to have multiple associations with the same IP address
(e.g. multiple machines behind NAT).

I think a bigger problem with NTP over DTLS might be that timing
messages are sent on a different port than 123 and are encrypted. This
makes it incompatible with existing HW/configuration and future NTP
extensions.

Here is the list of issues I posted previously (with no response) [1]:

- no stateless passive mode
- problematic pairing of DTLS sessions
- requires timestamping of messages on a new port
  - won't work with HW which can timestamp only packets on port 123
    (or 319)
  - will require changes in QoS classification on routers/switches
- won't work with future NTP extensions for delay corrections in
  routers/switches

[1] http://lists.ntp.org/pipermail/ntpwg/2017-June/003307.html

-- 
Miroslav Lichvar
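To make the pairing question above concrete, here is an added example that is not from this thread: a toy Python model contrasting how a receiver identifies an association by NTP key ID plus MAC (the symmetric-key case) against a lookup keyed on the sender's address and port (what a DTLS session would have to do). The key IDs, secrets, NAT address and ports are constructed values.

```python
# Added example, not code from the thread. Models the association-pairing
# problem: a key-ID/MAC trailer identifies the peer regardless of source
# address or port, while a 5-tuple lookup fails when the source port is random.
import hmac
import hashlib

# Constructed sample keys: key ID -> shared secret, one per configured peer.
KEYS = {10: b"peer-a-secret", 20: b"peer-b-secret"}

def build_packet(key_id: int, payload: bytes, key: bytes) -> bytes:
    """Append a 4-byte key ID and a 16-byte truncated HMAC-SHA256 to the payload."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return payload + key_id.to_bytes(4, "big") + mac

def match_by_key_id(packet: bytes, keys=KEYS):
    """Identify the association from the trailer; returns the key ID or None."""
    if len(packet) < 20:
        return None
    payload, key_id_bytes, mac = packet[:-20], packet[-20:-16], packet[-16:]
    key_id = int.from_bytes(key_id_bytes, "big")
    key = keys.get(key_id)
    if key is None:
        return None  # unknown key ID: no association to pair with
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    return key_id if hmac.compare_digest(expected, mac) else None

def match_by_5tuple(src_ip: str, src_port: int, sessions: dict):
    """Session lookup keyed on (src_ip, src_port), as a DTLS endpoint would do."""
    return sessions.get((src_ip, src_port))

def demo():
    """Two peers behind one NAT address, each connecting from an ephemeral port."""
    nat_ip = "198.51.100.7"  # constructed NAT address shared by both peers
    # Sessions this active peer opened itself, keyed on the ports it chose.
    sessions = {(nat_ip, 1024): "peer-a", (nat_ip, 1025): "peer-b"}
    # Constructed ephemeral source ports the remote peers happened to pick.
    incoming = {10: 61234, 20: 50321}
    results = []
    for key_id, port in incoming.items():
        pkt = build_packet(key_id, b"ntp-payload", KEYS[key_id])
        results.append((match_by_key_id(pkt), match_by_5tuple(nat_ip, port, sessions)))
    return results  # key-ID lookup pairs both peers; 5-tuple lookup pairs neither
```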