Re: [TICTOC] [ntpwg] WGLC on NTS: Why not run over IPsec?
Kurt Roeckx <kurt@roeckx.be> Wed, 23 March 2016 17:27 UTC
To: Sharon Goldberg <goldbe@cs.bu.edu>
Cc: ntpwg@lists.ntp.org, tictoc@ietf.org
Message-ID: <20160323172740.GA28288@roeckx.be>
In-Reply-To: <CAJHGrrQH0Ce+UFTy6m=SrzTk0AWmBFywC88HccHy0+WG16ibdQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tictoc/vLJXbo6JBn1Jn-DcuvJODUQBtzM>

On Wed, Mar 23, 2016 at 04:01:41AM -0400, Sharon Goldberg wrote:
> Dear WG,
>
> Another question, and please forgive me if this was discussed already and I
> missed it.
>
> It would be helpful to know why NTS is not just running over IPsec. (I
> can see why running NTP over TLS makes little sense, since TLS runs over
> TCP while NTP runs over UDP so everything would probably
> break.) But NTP runs over IP. I suppose there are some performance
> hits to using IPsec? What are they?

I think the main problem is that they don't want that many IPsec tunnels
at the same time. As far as I understand it, the design wants to avoid
storing this much state information on the server side. I'm not sure I
agree with this design decision.

It could also use DTLS instead of TLS, which does work over UDP. (D)TLS
can already store the session on the client side, and give that to the
server on "resumption". But maybe that would require too many packets?

I'm also worried about the soundness of the crypto. I have a feeling
this is designed by people that don't have enough background to design
something like this. I think it needs to be looked at by several people
who do. I've asked about this before but nobody ever replied to it.


Kurt
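The state argument in the message above (per-tunnel state on the server versus a session the client carries and hands back) can be made concrete with a small comparison. The following is an added example, not code from the thread, from NTS or from any DTLS implementation: it contrasts a server that keeps a table entry per client with one that issues a self-authenticating ticket and re-derives the session key from a long-term server secret plus a nonce carried in the ticket. The ticket layout (nonce || expiry || HMAC tag), the label strings, the one-hour lifetime and the `StatefulServer`/`TicketServer` names are all assumptions made for this illustration; real DTLS session tickets (RFC 5077) encrypt the session state instead of deriving it, but the server-side state cost is the same.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Ticket layout assumed for this example: 16-byte nonce, 8-byte big-endian
# expiry (seconds since the epoch), 32-byte HMAC-SHA256 tag.
NONCE_LEN, EXPIRY_LEN, TAG_LEN = 16, 8, 32
TICKET_LEN = NONCE_LEN + EXPIRY_LEN + TAG_LEN


class StatefulServer:
    """One table entry per client: the IPsec-style cost the mail objects to."""

    def __init__(self):
        self.sessions = {}

    def handshake(self):
        session_id = secrets.token_bytes(NONCE_LEN)
        key = secrets.token_bytes(32)
        self.sessions[session_id] = key       # state grows with every client
        return session_id, key

    def resume(self, session_id):
        return self.sessions.get(session_id)   # None if the server forgot it

    def state_entries(self):
        return len(self.sessions)


class TicketServer:
    """Client keeps the ticket; the server keeps only one long-term secret.

    The session key is never placed in the ticket. It is re-derived from the
    server's master key and the nonce, so only the holder of the master key
    can recover it, and the tag stops a client from forging nonce or expiry.
    """

    TICKET_LIFETIME = 3600   # seconds; an assumption for this example

    def __init__(self, master_key=None, clock=time.time):
        self._master = master_key or secrets.token_bytes(32)
        self._clock = clock  # injectable so expiry can be tested offline

    def _prf(self, label, nonce, expiry):
        msg = label + nonce + struct.pack(">Q", expiry)
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def handshake(self):
        nonce = secrets.token_bytes(NONCE_LEN)
        expiry = int(self._clock()) + self.TICKET_LIFETIME
        tag = self._prf(b"ticket-tag", nonce, expiry)
        ticket = nonce + struct.pack(">Q", expiry) + tag
        return ticket, self._prf(b"session-key", nonce, expiry)

    def resume(self, ticket):
        """Return the session key for a valid, unexpired ticket, else None."""
        if len(ticket) != TICKET_LEN:
            return None
        nonce = ticket[:NONCE_LEN]
        expiry = struct.unpack(">Q", ticket[NONCE_LEN:NONCE_LEN + EXPIRY_LEN])[0]
        tag = ticket[NONCE_LEN + EXPIRY_LEN:]
        # Verify the tag before trusting the expiry field it covers.
        if not hmac.compare_digest(tag, self._prf(b"ticket-tag", nonce, expiry)):
            return None
        if expiry < int(self._clock()):
            return None
        return self._prf(b"session-key", nonce, expiry)

    def state_entries(self):
        return 0   # nothing per client is kept


def compare_state(n_clients):
    """Run n_clients handshakes against both servers; return their table sizes."""
    stateful, ticketed = StatefulServer(), TicketServer()
    for _ in range(n_clients):
        stateful.handshake()
        ticketed.handshake()
    return stateful.state_entries(), ticketed.state_entries()


if __name__ == "__main__":
    print("state entries after 1000 clients (stateful, ticket):", compare_state(1000))
```

The trade-off the mail hints at is visible here: the ticket server spends an extra HMAC per resumption and has to send the ticket on the wire, but the number of entries it keeps does not depend on client count. Anything a practitioner deploys on this pattern also needs master-key rotation and a bound on how far clock skew can stretch the expiry check.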