Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?

Kurt Roeckx <kurt@roeckx.be> Wed, 23 March 2016 17:27 UTC

Date: Wed, 23 Mar 2016 18:27:41 +0100
From: Kurt Roeckx <kurt@roeckx.be>
To: Sharon Goldberg <goldbe@cs.bu.edu>
Message-ID: <20160323172740.GA28288@roeckx.be>
References: <CAJHGrrQH0Ce+UFTy6m=SrzTk0AWmBFywC88HccHy0+WG16ibdQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAJHGrrQH0Ce+UFTy6m=SrzTk0AWmBFywC88HccHy0+WG16ibdQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tictoc/vLJXbo6JBn1Jn-DcuvJODUQBtzM>
Cc: ntpwg@lists.ntp.org, tictoc@ietf.org
Subject: Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?

On Wed, Mar 23, 2016 at 04:01:41AM -0400, Sharon Goldberg wrote:
> Dear WG,
> 
> Another question, and please forgive me if this was discussed already and I
> missed it.
> 
> It would be helpful to know why NTS is not just running over IPsec. (I
> can see why running NTP over TLS makes little sense, since TLS runs over
> TCP while NTP runs over UDP so everything would probably
> break.) But NTP runs over IP. I suppose there are some performance
> hits to using IPsec? What are they?

I think the main problem is that they don't want that many IPsec
tunnels at the same time.  As far as I understand it, the design
wants to avoid storing this much state information on the server
side.  I'm not sure I agree with this design decision.

It could also use DTLS instead of TLS, which does work over UDP.

(D)TLS can already store the session on the client side, and
give that to the server on "resumption".  But maybe that would
require too many packets?

I'm also worried about the soundness of the crypto.  I have a
feeling this is designed by people that don't have enough
background to design something like this.  I think it needs to be
looked at by several people who do.  I've asked about this before
but nobody ever replied to it.


Kurt
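The mechanism Kurt alludes to above, pushing the session state to the client in a blob it hands back later (TLS session tickets, or the cookie-style design NTS uses to keep the server free of per-client state), as an added illustration that is not part of this thread and is neither the NTS cookie format nor a TLS implementation. The construction is an assumption made for the example: standard-library-only encrypt-then-MAC, with an HMAC-SHA256 keystream over a fresh nonce for confidentiality and a second HMAC-SHA256 over key id, nonce and ciphertext for integrity. The class and function names (TicketServer, issue, open, demo) are invented here. The server keeps only its master keys, indexed by a key id so that keys can be rotated and retired, and any number of clients can hold tickets without the server storing anything about them.

```python
"""Stateless session tickets: the server stores master keys only.

Illustrative example written for this archive page; not NTS, not TLS.
Construction (assumed): keystream = HMAC-SHA256(enc_key, nonce || counter),
tag = HMAC-SHA256(mac_key, key_id || nonce || ciphertext), encrypt-then-MAC.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = 4 + NONCE_LEN  # big-endian key_id followed by the nonce


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC; nonce must never repeat per key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TicketServer:
    """Holds master keys by key_id; no per-client table at all."""

    def __init__(self) -> None:
        self.keys = {}  # key_id -> (enc_key, mac_key)
        self.current_id = 0

    def rotate_key(self) -> int:
        """Install a new master key; older keys stay valid until retired."""
        self.current_id += 1
        master = os.urandom(32)
        enc_key = hashlib.sha256(b"enc" + master).digest()
        mac_key = hashlib.sha256(b"mac" + master).digest()
        self.keys[self.current_id] = (enc_key, mac_key)
        return self.current_id

    def retire_key(self, key_id: int) -> None:
        """Drop a key; every ticket issued under it becomes unusable."""
        self.keys.pop(key_id, None)

    def issue(self, state: bytes) -> bytes:
        """Seal per-client state into a ticket the client will hand back."""
        enc_key, mac_key = self.keys[self.current_id]
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(state, _keystream(enc_key, nonce, len(state))))
        header = struct.pack(">I", self.current_id) + nonce
        tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    def open(self, ticket: bytes):
        """Recover the state from a ticket, or None if unknown key / forged / modified."""
        if len(ticket) < HEADER_LEN + TAG_LEN:
            return None
        key_id = struct.unpack(">I", ticket[:4])[0]
        keys = self.keys.get(key_id)
        if keys is None:
            return None  # retired or unknown key: client must redo the key exchange
        enc_key, mac_key = keys
        header, ct, tag = ticket[:HEADER_LEN], ticket[HEADER_LEN:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # tag checked before any decryption
        nonce = header[4:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Round trip, tampering, key rotation and retirement, server state size."""
    server = TicketServer()
    first_id = server.rotate_key()
    # Constructed sample state: the kind of per-association keys a server would not want to store.
    session = b"c2s=" + os.urandom(16) + b";s2c=" + os.urandom(16)
    ticket = server.issue(session)
    # Many other clients obtain tickets; the server's state does not grow.
    for _ in range(100):
        server.issue(os.urandom(32))
    flipped = bytearray(ticket)
    flipped[HEADER_LEN] ^= 0x01  # modify the first ciphertext byte
    tampered = server.open(bytes(flipped))
    server.rotate_key()
    after_rotation = server.open(ticket) == session  # old key still installed
    server.retire_key(first_id)
    return {
        "roundtrip": server.open(server.issue(session)) == session,
        "tampered": tampered,
        "after_rotation": after_rotation,
        "after_retire": server.open(ticket),
        "server_state": len(server.keys),
    }


if __name__ == "__main__":
    print(demo())
```

The answer to Kurt's "too many packets?" question is visible in the sizes: each ticket costs the client an extra 52 bytes on the wire plus the state itself, and costs the server nothing in memory; the price is that a rotated-and-retired key silently invalidates every ticket it sealed, so clients need a path back to the full key exchange.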