IETF Logo Mail Archive

Re: [TICTOC] The draft for IPsec synchronization security

"Greg Dowd" <GDowd@symmetricom.com> Sat, 04 December 2010 01:20 UTC

Return-Path: <btv1==9547f99e7a2==GDowd@symmetricom.com>
X-Original-To: tictoc@core3.amsl.com
Delivered-To: tictoc@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 819803A69D2 for <tictoc@core3.amsl.com>; Fri, 3 Dec 2010 17:20:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.19
X-Spam-Level:
X-Spam-Status: No, score=-2.19 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmpMBhJcZeer for <tictoc@core3.amsl.com>; Fri, 3 Dec 2010 17:20:57 -0800 (PST)
Received: from mail5.symmetricom.com (mail5.symmetricom.com [69.25.98.10]) by core3.amsl.com (Postfix) with ESMTP id 3BD523A67B1 for <tictoc@ietf.org>; Fri, 3 Dec 2010 17:20:57 -0800 (PST)
X-ASG-Debug-ID: 1291425735-5aa93e3c0001-4wH9i1
Received: from sjowa.symmetricom.com ([192.168.10.41]) by mail5.symmetricom.com with ESMTP id DwGmcXAP0zzIdB20; Fri, 03 Dec 2010 17:22:15 -0800 (PST)
X-Barracuda-Envelope-From: GDowd@symmetricom.com
X-ASG-Whitelist: Client
Received: from sjmail2.symmetricom.com ([192.168.10.66]) by sjowa.symmetricom.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 3 Dec 2010 17:22:15 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 03 Dec 2010 17:22:18 -0800
X-ASG-Orig-Subj: RE: [TICTOC] The draft for IPsec synchronization security
Message-ID: <CB45EB047BD43041BF1F4CC7D6DB21BF05DF6FEB@sjmail2.symmetricom.com>
In-Reply-To: <AANLkTinOPD2bnwof9nBfHytYu5gtyxDbQv=q578CvAu+@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TICTOC] The draft for IPsec synchronization security
Thread-Index: AcuTTYbST73sUfPTQqGRfMT3UuWNrgAARnwQ
References: <AANLkTi=M+JWv+REtvHMkc1+sAWZeSuWS1LiKNeqWV4CS@mail.gmail.com><00a401cb8492$da18ef70$51106f0a@china.huawei.com><AANLkTikeXMTm+kMt4E-gC8ygyxCxoYwCTPqrpqWG8b+S@mail.gmail.com><CB45EB047BD43041BF1F4CC7D6DB21BF05DF6B26@sjmail2.symmetricom.com><AANLkTi=EXtnP5YO_qPEGk_yO3_K0qwXF2dVB7AcADaG0@mail.gmail.com><082B1A87E77649DEB574DD78E5F160D2@china.huawei.com> <AANLkTinOPD2bnwof9nBfHytYu5gtyxDbQv=q578CvAu+@mail.gmail.com>
From: Greg Dowd <GDowd@symmetricom.com>
To: Jack Kohn <kohn.jack@gmail.com>, Michel Ouellette <michel.ouellette@huawei.com>
X-OriginalArrivalTime: 04 Dec 2010 01:22:15.0018 (UTC) FILETIME=[AF23BCA0:01CB9351]
X-Barracuda-Connect: UNKNOWN[192.168.10.41]
X-Barracuda-Start-Time: 1291425735
X-Barracuda-URL: http://192.168.10.96:80/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at symmetricom.com
Cc: tictoc@ietf.org
Subject: Re: [TICTOC] The draft for IPsec synchronization security
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Dec 2010 01:21:16 -0000

Currently, the ITU Recommendation 8265.1 IEEE1588 profile for telecom (frequency delivery without support from network nodes) precludes the use of on-path support which makes part of the discussion somewhat moot.  However, emerging designs for phase are definitely leveraging PTP aware elements.  If there are trust issues on the link between the master and a BC, there are likely to be trust issues with the bearer traffic as well, again arguing for a common model.  However, it is true that a separate method such as Annex K would also work.  I would note that there is a significant error in the published standard in the security associated with the initialization of the session parameters which would need to be taken into account in any implementation.  I think Georg Gaderer (AAS) already published a review and a suggested method to correct this problem at one of the ISPCS meetings.  I would also point out that time is ephemeral and it is quite possible to maliciously interfere with a synchronization session merely by modulating the delay and/or introducing asymmetry which would not be mitigated by any encryption or authentication mechanism currently proposed.  This is a subject of longstanding discussion in the NTP community as well.

This is a good topic since we, as engineers, typically try to solve the problem logically but then find that some standards body forgot that synchronization is a fundamental concept and mandates something like backhaul being tunneled through an IPSec connection!  Then again, I have to admit that I sometimes forget that the packet network isn't there just to carry PTP but occasionally needs to push mail to my Droid :-)   Have a good weekend.




-----Original Message-----
From: tictoc-bounces@ietf.org [mailto:tictoc-bounces@ietf.org] On Behalf Of Jack Kohn
Sent: Friday, December 03, 2010 4:52 PM
To: Michel Ouellette
Cc: tictoc@ietf.org
Subject: Re: [TICTOC] The draft for IPsec synchronization security

Hi Michel,

> Have a look at the following two internet-drafts for reference
> http://tools.ietf.org/html/draft-xie-tictoc-femtocell-analysis-00
> http://tools.ietf.org/html/draft-xu-tictoc-ipsec-security-for-synchronizatio
> n-00
>
> an example is 3GPP, "Security of Home Node B (HNB) / Home evolved Node B
> (HeNB)", 3GPP TR 33.820 8.1.0, June 2009.

Thanks for the pointers.

>
> As Greg said, note that Annex K of IEEE1588 is an informative and
> experimental Annex and might not represent the requirements of a particular
> application like femtocells.
>
> Can you clarify what you mean by "we need to provide security between the
> master and the boundary clocks"?

"we" was the provider.

You would need to provide security (data integrity) between the master
and the boundary so that no intermediary node can change the contents
of the PTP packet before it reaches the BC.

Jack

>
> Who is "we" and why do you think there is a need for security between a GM
> and BC?
>
> Bye.
>
> -----Original Message-----
> From: tictoc-bounces@ietf.org [mailto:tictoc-bounces@ietf.org] On Behalf Of
> Jack Kohn
> Sent: December 03, 2010 01:12 PM
> To: Greg Dowd
> Cc: tictoc@ietf.org
> Subject: Re: [TICTOC] The draft for IPsec synchronization security
>
> Any pointers on where i can get the LTE standard for femto?
>
> I was under the impression that this would also be used by 1588 for
> delivering a solution for frequency distribution, when we need to
> provide security between the master and the boundary clocks, etc.
>
> On Fri, Dec 3, 2010 at 6:30 AM, Greg Dowd <GDowd@symmetricom.com> wrote:
>> I believe the goal was not to suggest a method for adding security but a
> method for handling the security imposed by the LTE standard for femto.
>>
>> -----Original Message-----
>> From: tictoc-bounces@ietf.org [mailto:tictoc-bounces@ietf.org] On Behalf
> Of Jack Kohn
>> Sent: Thursday, December 02, 2010 4:49 PM
>> To: Xie Lei
>> Cc: tictoc@ietf.org
>> Subject: Re: [TICTOC] The draft for IPsec synchronization security
>>
>> Xie,
>>
>> Is there a reason why you cant use the Security mechanism described in
>> Annex K of IEEE std 1588-2008?
>>
>> Jack
>>
>> On Mon, Nov 15, 2010 at 12:30 PM, Xie Lei <xielei57471@huawei.com> wrote:
>>>
>>>
>>> Hi Jack
>>>
>>> Thanks for your information, i had discussed with RFC5840 authors in IETF
>>> 79# meeting. It is possible to use RFC5840 to fulfill
> this synchronization
>>> requirements. I will follow the progress and provide more information to
>>> Tictoc group.
>>>
>>> BR
>>>
>>> Rock
>>>
>>> ----- Original Message -----
>>> From: Jack Kohn
>>> To: xielei57471@huawei.com ; tictoc@ietf.org
>>> Sent: Saturday, November 13, 2010 12:30 PM
>>> Subject: RE: The draft for IPsec synchronization security
>>> Xie:
>>>
>>> While i understand your motivation to secure the timing packets, you
>>> really dont need the extensions that you have defined in the below
>>> draft. You must look at RFC 5840 that extends ESP and see how that can
>>> be used for achieving the same functionality as you desire.
>>>
>>> Jack
>>>
>>>> Hi Yaakov and all
>>>> Huawei has submitted one draft for IPSec synchronization security, you
> can
>>>> find it in following link
>>>>
>>>>
> http://www.ietf.org/id/draft-xu-tictoc-ipsec-security-for-synchronization-00
> .txt
>>>>
>>>> We also attach one discussion document in this email, i hope we can
>>>> present it in IETF Beijing meeting.
>>>>
>>>> BR
>>>> Rock
>> _______________________________________________
>> TICTOC mailing list
>> TICTOC@ietf.org
>> https://www.ietf.org/mailman/listinfo/tictoc
>>
> _______________________________________________
> TICTOC mailing list
> TICTOC@ietf.org
> https://www.ietf.org/mailman/listinfo/tictoc
>
>
_______________________________________________
TICTOC mailing list
TICTOC@ietf.org
https://www.ietf.org/mailman/listinfo/tictoc

v2.23.0 | Report a Bug | By Email