Re: [TICTOC] WGLC on NTS: Why not run over IPsec?

kristof.teichel@ptb.de Wed, 23 March 2016 13:14 UTC

From: kristof.teichel@ptb.de
To: Sharon Goldberg <goldbe@cs.bu.edu>, ntpwg@lists.ntp.org, tictoc@ietf.org
Message-ID: <OF4B113298.5D5188A9-ONC1257F7F.0046A923-C1257F7F.0047919A@ptb.de>
Date: Wed, 23 Mar 2016 14:01:43 +0100

Hello Sharon,

Essentially, the answer to this question is that at some point it was determined that an inherent solution would benefit NTP more than one along the lines of tunneling NTP traffic over some external security protocol.
The main reasoning here was, I believe, that an inherent solution would be easier to tailor to a time synchronization protocol's special needs, particularly in keeping the additional delays caused by cryptographic operations on time-sensitive packets small (and ideally symmetrical).

Best regards,
Kristof

PS: I also want to add that as far as I know, there is nothing in any NTP-related specification that would keep anyone from running NTP over IPsec. On the other hand, there doesn't seem to be a special need for a specification on using IPsec to run NTP over it. I believe this is why, currently, IPsec is simply not mentioned anywhere in an NTP or NTS context.

PPS: Out of curiosity: is there a mode for IPsec which does what NTS is trying to achieve (namely requiring on the server side neither a per-association state nor classic asymmetric cryptography like digital signatures)? If so, some text might be in order somewhere (NTP BCP document?), stating that if IPsec is used for securing NTP, said mode would be the best one to use.
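As an added illustration (not part of Kristof's mail or of any NTS specification) of why the point about symmetrical cryptographic delay matters: NTP's standard on-wire offset formula cancels extra delay that is equal in both directions, but an asymmetry of d seconds between request and response path biases the offset estimate by d/2. The crypto delay values below are constructed for the example.

```python
# Added example: effect of security-layer processing delay on the NTP offset estimate.
# t1..t4 are the classic NTP timestamps: client send, server receive, server send,
# client receive. Server-side timestamps are in server time, client-side in client time.

def ntp_offset_and_delay(t1, t2, t3, t4):
    """Standard NTP on-wire formulas: clock offset and round-trip delay (seconds)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exchange(true_offset, one_way, crypto_c2s=0.0, crypto_s2c=0.0, t1=1000.0):
    """Simulate one request/response against a server whose clock leads the client
    by true_offset seconds over a symmetric network path of one_way seconds.

    crypto_c2s / crypto_s2c are constructed extra delays that cryptographic
    processing adds to the request and response paths. They fall outside the
    server's t2..t3 interval, so the protocol cannot subtract them out."""
    t2 = t1 + one_way + crypto_c2s + true_offset   # server receives request
    t3 = t2 + 0.001                                # 1 ms of server processing
    t4 = t3 - true_offset + one_way + crypto_s2c   # client receives response
    return ntp_offset_and_delay(t1, t2, t3, t4)


def offset_error(true_offset, one_way, crypto_c2s, crypto_s2c):
    """Estimation error introduced by the crypto delays: (crypto_c2s - crypto_s2c) / 2."""
    estimated, _ = exchange(true_offset, one_way, crypto_c2s, crypto_s2c)
    return estimated - true_offset


if __name__ == "__main__":
    # Symmetric 2 ms of crypto work on each path: no bias in the offset estimate.
    print("symmetric  error: %.6f s" % offset_error(0.25, 0.010, 0.002, 0.002))
    # The same total work, but all of it on the request path: 2 ms of bias.
    print("asymmetric error: %.6f s" % offset_error(0.25, 0.010, 0.004, 0.0))
```

The round-trip delay returned by exchange() grows by the sum of both crypto delays in either case, which is why the mail stresses that the added delay should be small as well as symmetrical.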


-----"TICTOC" <tictoc-bounces@ietf.org> wrote: -----

>To: tictoc@ietf.org, ntpwg@lists.ntp.org
>From: Sharon Goldberg
>Sent by: "TICTOC"
>Date: 23.03.2016 10:07
>Subject: [TICTOC] WGLC on NTS: Why not run over IPsec?
>
>Dear WG,
>
>Another question, and please forgive me if this was discussed already
>and I missed it.
>
>It would be helpful to know why NTS is not just running over
>IPsec. (I can see why running NTP over TLS makes little sense, since
>TLS runs over TCP while NTP runs over UDP so everything would probably
>break.) But NTP runs over IP. I suppose there are some performance
>hits to using IPsec? What are they?
>
>Thanks,
>Sharon
>
>--
>Sharon Goldberg
>Computer Science, Boston University
>http://www.cs.bu.edu/~goldbe