IETF Logo Mail Archive

Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-for-ntp-27.txt

Ragnar Sundblad <ragge@netnod.se> Wed, 25 March 2020 14:10 UTC

Return-Path: <ragge@netnod.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDF53A05A7 for <ntp@ietfa.amsl.com>; Wed, 25 Mar 2020 07:10:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=netnod-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5F4KDIO83b7 for <ntp@ietfa.amsl.com>; Wed, 25 Mar 2020 07:10:29 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 981C63A03EA for <ntp@ietf.org>; Wed, 25 Mar 2020 07:10:29 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id r24so2609070ljd.4 for <ntp@ietf.org>; Wed, 25 Mar 2020 07:10:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netnod-se.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IJ1Blko+VHV2IoAKD88giPWpXhsYK1TUOLjZXbxtlI0=; b=EYYX6MN7OySnoo/Rxh3CHzE8wqCC8iIguiE/Ah0fP3+24LjDXEUYNnIHrkvTV3BKyQ 4JI0H+PspSFTpdIBwzMm7UBTwZZiZGdXE9jP7l7V/Y8w/ZaOfXR5MP+UpNGj3Nnh1+81 t0cGre9gT2LoBVcjVLKh8UPC6CPAvoJwUfz6DPH5olDQubVuYQpnJXgln/DuE7/f2IvZ iH7h57DDmBglT39SbiorMgaoAAQS5ez7z0L+0H+YlY8xbuah5GF25HKVlvgsJttGxK6n rlyhZFRCmP3fh1Jrqc33LNIb9CUZO1pPFiPd1h4vui/h9FqdzUpAtA0coc3PwmPryUft slrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IJ1Blko+VHV2IoAKD88giPWpXhsYK1TUOLjZXbxtlI0=; b=QG8ZRSJe484T7FUIsXRKvx2tqQ/g/QquBnzvAO1F6yc9iHYn1fOCe5RErjubafvTFt jtu5RKG1trHi2TCdIPCl2j2CscA1hZCogUtAZuaeUJ/dByBNUT5do25Sh5HcLHuEt1TV AYkALUKaT6oJAAqg8UE9v9fINvvYmASZh67WVVvb4ng8ucYtHrXMXOxPKe9ZvqnIJiAI ncG5n7LvEhtXh/KN6NyaXm+97e38vkNtYCAUhq5E03chywqiUS30Y/+s8SzTECvYqgh6 wCUO+0Y0zKgTyuoMXRqDxuD7Kgvn/tfB3Zctx1uC9dv8FQyc4weCtoh2/zZ6LwOdlJwv MfUQ==
X-Gm-Message-State: ANhLgQ3/bXTMNBx/X2ELSbUv/LqMM5P8NiWcW+iO2BQgC9pfy0HidoK9 cJ6gQduB+cFwUZSQEs6Coq828g==
X-Google-Smtp-Source: APiQypJgPBWPO/gD3rnvTes8hgRkBVYoGC6bLaXfavMwePXfrbBmcwvJBDfnOuo4fTemiBY7tLoehg==
X-Received: by 2002:a05:651c:228:: with SMTP id z8mr2156425ljn.71.1585145427002; Wed, 25 Mar 2020 07:10:27 -0700 (PDT)
Received: from ?IPv6:2a01:3f0:1:0:a906:35bf:ec5:53a8? ([2a01:3f0:1:0:a906:35bf:ec5:53a8]) by smtp.gmail.com with ESMTPSA id y2sm7942692ljy.70.2020.03.25.07.10.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 25 Mar 2020 07:10:25 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Ragnar Sundblad <ragge@netnod.se>
In-Reply-To: <20200325115834.GC25803@localhost>
Date: Wed, 25 Mar 2020 15:10:24 +0100
Cc: ntp@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <74B1B8F5-5762-4AB1-B3F2-D5AC2BC325C1@netnod.se>
References: <158507294813.11622.18159158243943940302@ietfa.amsl.com> <20200325115834.GC25803@localhost>
To: Miroslav Lichvar <mlichvar@redhat.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/zfaxLn6Z7P-LidpWTqsw0ph89z4>
Subject: Re: [Ntp] I-D Action: draft-ietf-ntp-using-nts-for-ntp-27.txt
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 14:10:39 -0000

Hi Miroslav,

NTP traffic and KE traffic are very different; KE traffic is supposed to occur
very seldom, NTP traffic is a constant (very slow) stream, and I don’t think
they can be compared in any really useful way.

If they share resources, like running on a single server, one could starve the
other. It may be a good idea to prioritise NTP responses, at least to a
certain extent, in a typical use case. This has to be studied, I think.

Note that if there are many new TCP connections pending and server doesn’t
even accept new connections, the cost for the server is considerably
less than even for replying to NTP.
If the server listens but is slow to respond, the client will just hang
there for a while until it gets a response (or timeouts), with a very
small cost.

Also note that it takes 9 tries to get to to a retry interval of more than
1024, and that the average request interval up to that point is about
2 minutes.

We do not want to complicate this more than absolutely necessary.

Best regards,

Ragnar

> On 25 Mar 2020, at 12:58, Miroslav Lichvar <mlichvar@redhat.com> wrote:
> 
> On Tue, Mar 24, 2020 at 11:02:28AM -0700, internet-drafts@ietf.org wrote:
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-ntp-using-nts-for-ntp-27
> 
> One of the changes in the latest version is a new section on
> recommended NTS-KE retry intervals. There was some discussion in the
> github issue #153 and there was a suggestion to continue here.
> 
> Does anyone else think that the minimum retry interval of 10 seconds
> is way too short?
> 
> I think it should be at least 1024 seconds (corresponding to the
> default NTP maxpoll), with an exception for retrying a TCP connection
> when the server doesn't accept the connection, or it's closed before
> the TLS handshake to implement a rate limiting. Is there anything else
> that would be likely to change on the server for the NTS-KE to succeed
> just after 10 seconds?
> 
> In my tests NTS-KE seems to be about 200x more expensive than an
> NTS-NTP (a single core handling about 500 NTS-KE requests per second
> or 100000 NTS-NTP requests per second). That's with the AES-NI
> support.
> 
> A widely used polling interval of NTP clients is between 64 and 1024
> seconds. That means a single NTS client retrying NTS-KE after only 10
> seconds wasted the same amount of resources as about 10000 clients
> using only NTS-NTP. That's crazy.
> 
> Yes, the server can limit the number of threads available to NTS-KE or
> limit the connection rate, but that will have a disproportionate
> impact on clients using more reasonable retry intervals.
> 
> I suggest to modify the second paragraph of the section to the
> following:
> 
>  Clients SHOULD use an exponential backoff with a base of 2. The
>  initial retry interval SHOULD be at least 16 seconds if the previous
>  NTS-KE connection failed, or the server closed it before the TLS
>  handshake, and 1024 seconds in other cases. The maximum interval
>  SHOULD be at least 524288 seconds (~6 days). The minimum interval in
>  seconds, t, for the nth retry can be calculated as
> 
> 		t = min(R * 2^(n-1), 2^19)
> 		where R is 16 or 1024 depending on the previous error
> 
> I suggest powers of 2 to make it compatibille with NTP polling
> intervals and avoid floating point operations.
> 
> -- 
> Miroslav Lichvar
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

v2.23.0 | Report a Bug | By Email