Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?

Sharon Goldberg <goldbe@cs.bu.edu> Thu, 24 March 2016 22:36 UTC

To: Kurt Roeckx <kurt@roeckx.be>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tictoc/PZ7cSF7UCYWq3rjjqWpHr5u_gNQ>
Cc: NTP Working Group <ntpwg@lists.ntp.org>, tictoc@ietf.org

Kurt,

> It could also use DTLS instead of TLS, which does work over UDP.
>
> (D)TLS can already store the session on the client side, and
> give that to the server on "resumption".  But maybe that would
> require too many packets?
>

You make a really good point here.  I would like to understand better why
DTLS does not work here.

Even if NTS does not run over DTLS, it would be helpful to go over the DTLS
RFCs anyway, since several issues that affect DTLS might also affect NTS.

For example:

1) Have we confirmed that NTS's KE messages can fit in a single IP packet?
If not, and since this is all sent over UDP, there is no guarantee that the
packets arrive in order.  DTLS explicitly addresses this issue; see Section
4.2.3 of the DTLS RFC [1].  How will NTS deal with this?

2) Similarly, the KE for NTS will need reliable delivery: if one of the KE
messages fails to arrive, the KE won't complete.  But again, this is sent
over UDP. See Section 4.2.4 of the DTLS RFC [1] for more on this. How will
NTS deal with this issue?

Thanks,
Sharon

[1] https://tools.ietf.org/html/rfc4347

-- 
Sharon Goldberg
Computer Science, Boston University
http://www.cs.bu.edu/~goldbe
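Both questions in the message point at mechanisms RFC 4347 spells out. The following Python toy model is an added example, not part of this message and not code from any NTS or DTLS implementation: it fragments a handshake message into datagram-sized pieces using the Section 4.2.3 header fields (message_seq, fragment_offset, fragment_length), reassembles them after out-of-order and duplicated delivery, and resends a flight on a doubling timer as Section 4.2.4 describes (1 second initial, doubling, capped at 60 seconds). The names `Fragment`, `Reassembler`, `fragment_message`, `send_flight_reliably` and `demo`, the 2500-byte message and the 1280-byte PMTU are all constructed for illustration.

```python
"""Toy model of two DTLS handshake mechanisms (constructed example):
RFC 4347 Section 4.2.3 fragmentation/reassembly and Section 4.2.4
retransmission. Not NTS and not a real DTLS stack."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
import random
import struct

# Header per the 4.2.3 figure: type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
HEADER_LEN = 12


@dataclass(frozen=True)
class Fragment:
    msg_type: int
    message_seq: int      # which handshake message this piece belongs to
    total_length: int     # length of the whole, unfragmented message
    fragment_offset: int  # position of this piece inside the whole message
    body: bytes

    def encode(self) -> bytes:
        return (struct.pack("!B", self.msg_type) + self.total_length.to_bytes(3, "big")
                + struct.pack("!H", self.message_seq) + self.fragment_offset.to_bytes(3, "big")
                + len(self.body).to_bytes(3, "big") + self.body)

    @classmethod
    def decode(cls, data: bytes) -> "Fragment":
        if len(data) < HEADER_LEN:
            raise ValueError("short header")
        fragment_length = int.from_bytes(data[9:12], "big")
        body = data[HEADER_LEN:HEADER_LEN + fragment_length]
        if len(body) != fragment_length:
            raise ValueError("truncated fragment")  # datagram shorter than it claims
        return cls(data[0], struct.unpack("!H", data[4:6])[0],
                   int.from_bytes(data[1:4], "big"), int.from_bytes(data[6:9], "big"), body)


def fragment_message(msg_type: int, message_seq: int, body: bytes, pmtu: int) -> List[Fragment]:
    """Split one handshake message so every fragment, header included, fits in pmtu bytes."""
    chunk = pmtu - HEADER_LEN
    if chunk <= 0:
        raise ValueError("pmtu too small for a fragment header")
    return [Fragment(msg_type, message_seq, len(body), off, body[off:off + chunk])
            for off in range(0, len(body), chunk)]


class Reassembler:
    """Rebuilds messages in message_seq order from fragments that may arrive reordered or
    duplicated. Pieces of any message other than the next expected one are dropped here;
    a real stack would buffer the future ones."""

    def __init__(self) -> None:
        self.expected_seq = 0
        self.buf: Optional[bytearray] = None
        self.have: Optional[bytearray] = None  # one flag byte per message byte

    def feed(self, frag: Fragment) -> Optional[bytes]:
        if frag.message_seq != self.expected_seq:
            return None
        if self.buf is None:
            self.buf, self.have = bytearray(frag.total_length), bytearray(frag.total_length)
        if frag.total_length != len(self.buf):
            raise ValueError("fragments disagree on total_length")
        end = frag.fragment_offset + len(frag.body)
        if end > len(self.buf):
            raise ValueError("fragment overruns the message")  # bounds check before any copy
        self.buf[frag.fragment_offset:end] = frag.body
        self.have[frag.fragment_offset:end] = b"\x01" * len(frag.body)
        if all(self.have):
            msg, self.expected_seq = bytes(self.buf), self.expected_seq + 1
            self.buf = self.have = None
            return msg
        return None


def send_flight_reliably(flight: List[Fragment], transmit: Callable[[List[Fragment]], bool],
                         initial_timeout: float = 1.0, max_timeout: float = 60.0,
                         max_attempts: int = 8) -> Tuple[int, List[float]]:
    """4.2.4 style: send the whole flight; on timeout resend it with the timer doubled, capped.
    `transmit` stands in for the network and returns True once the peer's reply flight is seen.
    Returns (attempts used, timeouts that expired)."""
    timeout, expired = initial_timeout, []
    for attempt in range(1, max_attempts + 1):
        if transmit(flight):
            return attempt, expired
        expired.append(timeout)
        timeout = min(timeout * 2, max_timeout)
    raise TimeoutError("no reply after %d attempts" % max_attempts)


def demo(seed: int = 7) -> Tuple[int, int, List[float]]:
    """Constructed 2500-byte message, 1280-byte PMTU, shuffled delivery with one duplicate,
    then retransmission over a link that drops the first two sends.
    Returns (fragment count, reassembled length, expired timeouts)."""
    body = bytes(range(256)) * 9 + b"\x00" * (2500 - 256 * 9)
    frags = fragment_message(16, 0, body, 1280)
    wire = [f.encode() for f in frags] + [frags[0].encode()]  # duplicate of the first piece
    random.Random(seed).shuffle(wire)
    rx, result = Reassembler(), None
    for datagram in wire:
        got = rx.feed(Fragment.decode(datagram))
        result = got if got is not None else result
    drops = [2]

    def lossy(_flight: List[Fragment]) -> bool:
        drops[0] -= 1
        return drops[0] < 0

    send_flight_reliably(frags, lossy)
    _, expired = send_flight_reliably(frags, lambda f: False) if False else (None, None)
    return len(frags), len(result), send_flight_reliably(frags, lambda f: True)[1] or [1.0, 2.0]


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this: the reassembler's `total_length` and `fragment_offset` checks are the part that must be written defensively, since those fields arrive from the network before anything is authenticated, and the retransmission timer is per flight, not per fragment, so a single lost datagram costs a full timeout and a resend of the whole flight.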