Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?

Dieter Sibold <> Thu, 24 March 2016 10:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 65A7112D0AB for <>; Thu, 24 Mar 2016 03:36:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LmcBWALKxucC for <>; Thu, 24 Mar 2016 03:36:21 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 568EE12D1CE for <>; Thu, 24 Mar 2016 03:36:21 -0700 (PDT)
Received: from ( []) by with ESMTP id u2OAaGPo014748-u2OAaGPq014748 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 24 Mar 2016 11:36:16 +0100
Received: from ( []) by (Postfix) with ESMTP id 321BA3D3E7; Thu, 24 Mar 2016 11:36:16 +0100 (CET)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Pgp-Agent: GPGMail 2.6b2
From: Dieter Sibold <>
In-Reply-To: <>
Date: Thu, 24 Mar 2016 11:36:10 +0100
Message-Id: <>
References: <> <> <>
To: Kurt Roeckx <>
Content-Type: multipart/signed; boundary="Apple-Mail=_23A6BFBC-0821-40C2-8EB5-E348EEF7F874"; protocol="application/pgp-signature"; micalg=pgp-sha512
Archived-At: <>
Cc: Sharon Goldberg <>,,
Subject: Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Mar 2016 10:36:29 -0000

Sorry, I forgot to add the reference [1]. It is:

1.	Modadugu, N. and E. Rescorla. The Design and Implementation of Datagram TLS. in NDSS. 2004.

> Am 24.03.2016 um 11:04 schrieb Dieter Sibold < <>>:
>> Am 23.03.2016 um 18:27 schrieb Kurt Roeckx < <>>:
>> On Wed, Mar 23, 2016 at 04:01:41AM -0400, Sharon Goldberg wrote:
>>> Dear WG,
>>> Another question, and please forgive me if this was discussed already and I
>>> missed it.
>>> It would be helpful to know why NTS is not just just running over IPsec. (I
>>> can see why running NTP over TLS makes little sense, since TLS runs over
>>> TCP while NTP runs over UDP so everything would probably
>>> break.) But NTP runs over IP. I suppose there are some performance
>>> hits to using IPsec? What are they?
>> I think the main problem is that they don't want that many IPsec
>> tunnels at the same time.  As far as I understand it, the design
>> wants to avoid storing this much state information on the server
>> side.  I'm not sure I agree with this design decision.
>> It could also use DTLS instead of TLS, which does work over UDP.
> At the time we discovered that we cannot use NTP’s autokey approach we also considered to use DTLS. However at this time there has been hardly any implementation of it. Also we learned from  [1] that DTLS is not target for an application with a communication pattern like NTP.
> "Note that the requirement to create a session means that DTLS is primarily suited for long- lived “connection-oriented” protocols as opposed to to- tally connectionless ones like DNS. Connectionless proto- cols are better served by application layer object-security protocols.“
> It might be that today DTLS’ scope has broadened.
> I also want to point out that last year Florian Weimer proposed to utilize DTLS for the key exchange. We regarded his suggestion and moved the CMS based key exchange into an appendix. In the normative part of the document we specified the requirements that have to be meet during the initial phase of NTS. See 6.1.1 in <>
> The NTS for NTP draft requires that the CMS-based key exchange is to be implemented. However it allows also the implementation of an alternative key exchange, e.g. DTLS, see 4.1 in <>
>> (D)TLS can already store the session on the client side, and
>> give that to the server on "resumption".  But maybe that would
>> require too many packets?
>> I'm also worried about the soundness of the crypto.  I have a
>> feeling this is designed by people that don't have enough
>> background to design something like this.  I think it needs to be
>> looked at by several people who do.  I've asked about this before
>> but nobody ever replied to it.
> We frequently invited people to review the documents. So did the chair of NTP’s working group. Also Kristof gave a presentation of the documents in the SAAG session of 91st IETF.
>> Kurt
>> _______________________________________________
>> ntpwg mailing list
>> <>
>> <>
> _______________________________________________
> TICTOC mailing list
> <>
> <>