Re: [Ntp] NTP over PTP

Doug Arnold <doug.arnold@meinberg-usa.com> Mon, 28 June 2021 16:55 UTC

From: Doug Arnold <doug.arnold@meinberg-usa.com>
To: Miroslav Lichvar <mlichvar@redhat.com>, Heiko Gerstung <heiko.gerstung@meinberg.de>
CC: "ntp@ietf.org" <ntp@ietf.org>
Thread-Topic: [Ntp] NTP over PTP
Date: Mon, 28 Jun 2021 16:55:06 +0000
Message-ID: <AM7PR02MB576522E4C926CAA7D3E65F45CF039@AM7PR02MB5765.eurprd02.prod.outlook.com>
References: <YNRtXhduDjU4/0T9@localhost> <36AAC858-BFED-40CE-A7F7-8C49C7E6782C@meinberg.de>, <YNnSj8eXSyJ89Hwv@localhost>
In-Reply-To: <YNnSj8eXSyJ89Hwv@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/zNR8BY9Zd6UKhMDWpw_BHQicHug>
Subject: Re: [Ntp] NTP over PTP

The telecom industry is definitely going to use unicast PTP whether NTP is better or not. They have invested a lot in PTP and it is all over their standards. The telecom industry won't even go to the bathroom unless there is a standard for it. People in the power industry sometimes use unicast PTP between substations because their substations are connected using technology borrowed from the telecom industry. Some people in finance also use unicast PTP. Unicast PTP is here for the foreseeable future. We need to make it as robust as we can.

Doug

From: ntp <ntp-bounces@ietf.org> on behalf of Miroslav Lichvar <mlichvar@redhat.com>
Date: Monday, June 28, 2021 at 9:46 AM
To: Heiko Gerstung <heiko.gerstung@meinberg.de>
Cc: ntp@ietf.org <ntp@ietf.org>
Subject: Re: [Ntp] NTP over PTP
On Fri, Jun 25, 2021 at 03:00:25PM +0200, Heiko Gerstung wrote:
> If I follow your argument that unicast PTP is like the NTP control mode then yes, both mode 6 and unicast PTP are not secured against replay and amplification attacks. The NTS4UPTP draft is exactly addressing this for unicast PTP and provides the required protection. I outlined in the draft that the proposed approach achieves most of the stated objectives/goals of NTS4NTP, which is well secured (we certainly agree on that).

If I understand it correctly, your draft is addressing the
amplification issue by requiring client authentication. That's
probably the best one can do, but it doesn't make it comparable to NTP
or NTS4NTP. The operator will still have to trust the clients to not
abuse their credentials and also trust them to not get compromised.
That's nothing like NTS4NTP where you can run a public server without
any worry about someone exploiting your server for amplification.

> In the interim meeting I believe there have been multiple participants that agreed that
> a) PTP should be secured (it is worth it)

At least for the normal non-unicast mode, I agree.

The unicast mode seems to be intended for networks with partial
on-path hardware support, where requirements on accuracy are less
strict, and I think this might already be better supported by NTP.

> Arguing that the two drafts on the table might just need TLS instead of NTS-KE is something I cannot understand either. PTP already has a security mechanism that is standardized and, with some extensions (provided by the submitted drafts), can be used to significantly enhance security of the protocol. What is needed is a key exchange mechanism and some additional features to close the security holes (i.e. no protection for the source IP address) - again, exactly what the two drafts provide.

Ok, but to me it seems it would be simpler if you had skipped NTS-KE
and gone with TLS directly. Anyway, for adopting the document that
shouldn't matter.

> Regarding "NTP over PTP": trying to trick the hardware timestamping engines of a large variety of vendors into timestamping a PTP packet is bound to fail IMHO. There is no standard for how these timestamping engines work, some may even look at sizes of packets (they should not do that, as PTP messages can theoretically carry TLVs, but sometimes hardware vendors take shortcuts). Some implementations will forward packets to a management CPU when the forwarding plane detects a PTP frame. The CPU will not recognize that this is NTP and will probably throw away the packet. Again, most likely not the right way to do it, but alas ...

If there is some hardware that can timestamp only fixed-length PTP
messages with no TLVs, then that will not work with any form of
NTS4UPTP either, right? There has to be some TLV to authenticate the
message and the hardware needs to accept that.

The same applies to one-step clocks. If implemented in silicon, that
will not work in any case.

--
Miroslav Lichvar
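The point above about timestamping engines that only accept fixed-length PTP messages, as an added illustration that is not part of the thread: a constructed Sync message, with and without an appended AUTHENTICATION TLV, is shown to two modelled engines, a "shortcut" engine that keys on the fixed frame length and a spec-following engine that trusts messageLength and walks the TLV chain. The TLV value is a constructed placeholder, not a real authentication TLV, and the engine models are assumptions for illustration, not any vendor's logic.

```python
import struct

# Constructed sample data (not from the thread): a minimal IEEE 1588 Sync
# message and a TLV appended to it. Used to show that a hardware "shortcut"
# which timestamps only fixed-length frames rejects any TLV-carrying message,
# so an authentication TLV would be dropped just like any other TLV.
PTP_HEADER_LEN = 34          # common header length
SYNC_BODY_LEN = 10           # originTimestamp
MSG_SYNC = 0x0               # messageType for Sync
TLV_AUTHENTICATION = 0x8009  # assumed: AUTHENTICATION tlvType (IEEE 1588-2019)


def build_sync(seq_id: int, domain: int = 0) -> bytes:
    """Build a two-step Sync message: 34-byte header + 10-byte originTimestamp."""
    length = PTP_HEADER_LEN + SYNC_BODY_LEN
    header = struct.pack(
        ">BBHBBH8s4s10sHBb",
        MSG_SYNC,                       # majorSdoId (0) | messageType
        0x02,                           # minorVersionPTP (0) | versionPTP 2
        length,                         # messageLength
        domain, 0,                      # domainNumber, minorSdoId
        0x0200,                         # flagField: twoStepFlag set
        bytes(8), bytes(4), bytes(10),  # correctionField, messageTypeSpecific, sourcePortIdentity
        seq_id, 0x00, -3)               # sequenceId, controlField (Sync), logMessageInterval
    return header + bytes(SYNC_BODY_LEN)


def append_tlv(msg: bytes, tlv_type: int, value: bytes) -> bytes:
    """Append one TLV (tlvType, lengthField, value) and fix up messageLength."""
    out = bytearray(msg + struct.pack(">HH", tlv_type, len(value)) + value)
    struct.pack_into(">H", out, 2, len(out))
    return bytes(out)


def shortcut_engine_accepts(frame: bytes) -> bool:
    """Modelled vendor shortcut: timestamp only an exactly 44-byte Sync frame."""
    return frame[0] & 0x0F == MSG_SYNC and len(frame) == PTP_HEADER_LEN + SYNC_BODY_LEN


def compliant_engine_accepts(frame: bytes) -> bool:
    """Modelled spec-following engine: check version/type, trust messageLength,
    and walk the TLV chain so trailing TLVs do not change the decision."""
    if len(frame) < PTP_HEADER_LEN or frame[1] & 0x0F != 2 or frame[0] & 0x0F != MSG_SYNC:
        return False
    msg_len = struct.unpack_from(">H", frame, 2)[0]
    if msg_len != len(frame):
        return False
    off = PTP_HEADER_LEN + SYNC_BODY_LEN
    while off < msg_len:                 # every TLV must fit inside messageLength
        if off + 4 > msg_len:
            return False
        off += 4 + struct.unpack_from(">HH", frame, off)[1]
    return off == msg_len
```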
