Hello Sharon,

essentially, the answer to this question is that at some point it was determined that an inherent solution would benefit NTP more than one which was along the lines of tunneling NTP traffic over some external security protocol.
The main reasoning here was, I believe, that an inherent solution would be easier to tailor to a time synchronization protocol's special needs, particularly for the additional delays caused by the cryptographic operations on time-sensitive packets to be small (and ideally symmetrical).

Best regards,
Kristof

PS: I also want to add that as far as I know, there is nothing in any NTP-related specification that would keep anyone from running NTP over IPsec. On the other hand, there doesn't seem to be a special need for a specification on using IPsec to run NTP over it. I believe this is why, currently, IPsec is simply not mentioned anywhere in an NTP or NTS context.

PPS: Out of curiosity: is there a mode for IPsec which does what NTS is trying to achieve (namely requiring on the server side neither a per-association state nor classic asymmetric cryptography like digital signatures)? If so, some text might be in order somewhere (NTP BCP document?), stating that if IPsec is used for securing NTP, said mode would be the best one to use.


-----"TICTOC" <[email protected]> wrote: -----

>To: [email protected], [email protected]
>From: Sharon Goldberg
>Sent by: "TICTOC"
>Date: 23.03.2016 10:07
>Subject: [TICTOC] WGLC on NTS: Why not run over IPsec?
>
>Dear WG,
>
>Another question, and please forgive me if this was discussed already
>and I missed it.
>
>It would be helpful to know why NTS is not just running over
>IPsec. (I can see why running NTP over TLS makes little sense, since
>TLS runs over TCP while NTP runs over UDP so everything would
>probably break.) But NTP runs over IP. I suppose there are some performance
>hits to using IPsec? What are they?
>
>Thanks,
>Sharon
>
>--
>Sharon Goldberg
>Computer Science, Boston University
>http://www.cs.bu.edu/~goldbe
>
>_______________________________________________
>TICTOC mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/tictoc
>