Re: [TICTOC] [Ntp] draft-ietf-ntp-mac, extensions

Miroslav Lichvar <mlichvar@redhat.com> Fri, 02 March 2018 09:33 UTC

Return-Path: <mlichvar@redhat.com>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 653E812DA6B; Fri, 2 Mar 2018 01:33:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibJzQvM_MY9D; Fri, 2 Mar 2018 01:33:26 -0800 (PST)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B238012DA29; Fri, 2 Mar 2018 01:33:18 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 18A1617CEF8; Fri, 2 Mar 2018 09:33:18 +0000 (UTC)
Received: from localhost (unknown [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 77F0910B0F20; Fri, 2 Mar 2018 09:33:17 +0000 (UTC)
Date: Fri, 02 Mar 2018 10:33:16 +0100
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: ntp@ietf.org, tictoc@ietf.org
Message-ID: <20180302093316.GK22394@localhost>
References: <mlichvar@redhat.com> <20180301084414.GG22394@localhost> <20180301223645.C0D6D40605C@ip-64-139-1-69.sjc.megapath.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20180301223645.C0D6D40605C@ip-64-139-1-69.sjc.megapath.net>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 02 Mar 2018 09:33:18 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Fri, 02 Mar 2018 09:33:18 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'mlichvar@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tictoc/wuYzRKmPFbGR0GuFDtkj2YTSq_U>
Subject: Re: [TICTOC] [Ntp] draft-ietf-ntp-mac, extensions
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tictoc/>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Mar 2018 09:33:34 -0000

On Thu, Mar 01, 2018 at 02:36:45PM -0800, Hal Murray wrote:
> > As I understand it, the main advantage is better performance (when
> > implemented properly). For instance, on a server configured with a SHA256
> > key I'm observing a 40% drop in performance when compared to no
> > authentication. With AES-CMAC the impact should be much smaller. I've not
> > tried it yet.

> How are you measuring performance?

I was measuring the maximum rate of requests the NTP server could
handle, so that includes all overhead of receiving and sending
packets in the OS, etc.

> My measurements are that the CMAC part is 696 ns in software and 499 ns with 
> AES-NI.  That was on a 2+ GHz cloud server.  (None of my handy boxes have 
> AES-NI.)  SHA512 was 594 with 16 or 20 byte key and 624/614 with 24/32 byte 
> keys.  That's just the crypto part to compute the digest.

Does that include the time spent in allocation of the CMAC context and
the initialization with the key? I think an optimized implementation
could avoid both. (With the old MAC the key has to be hashed with each
message).

Anyway, older versions of the ntp-mac draft included some measurements
of latency and throughput, which showed that with AES-NI the CMAC is
significantly faster than MD5, which should be significantly faster
than SHA512.

https://www.ietf.org/archive/id/draft-aanchal4-ntp-mac-03.txt

I think the only downside of AES-CMAC is that it is not widely
supported in crypto libraries yet. OpenSSL seems to be an exception.

-- 
Miroslav Lichvar