On Wed, Mar 23, 2016 at 04:01:41AM -0400, Sharon Goldberg wrote:
> Dear WG,
>
> Another question, and please forgive me if this was discussed already and I missed it.
>
> It would be helpful to know why NTS is not just running over IPsec. (I can see why running NTP over TLS makes little sense, since TLS runs over TCP while NTP runs over UDP so everything would probably break.) But NTP runs over IP. I suppose there are some performance hits to using IPsec? What are they?
I think the main problem is that they don't want that many IPsec tunnels at the same time. As far as I understand it, the design wants to avoid storing this much state information on the server side. I'm not sure I agree with this design decision.

It could also use DTLS instead of TLS, which does work over UDP. (D)TLS can already store the session on the client side, and give that to the server on "resumption". But maybe that would require too many packets?

I'm also worried about the soundness of the crypto. I have a feeling this is designed by people that don't have enough background to design something like this. I think it needs to be looked at by several people who do. I've asked about this before but nobody ever replied to it.

Kurt
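As an added illustration, not code from the thread or from any NTS or DTLS implementation: a minimal stateless resumption ticket in Python, showing the property Kurt attributes to (D)TLS resumption, namely that the server keeps only one key while each client carries its own session state, so server memory does not grow per client the way a per-tunnel IPsec SA table does. The `TicketServer` class, its lifetime, and the HMAC-only (unencrypted) ticket format are assumptions of this example; real TLS 1.3 tickets and NTS cookies also encrypt the state with an AEAD.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
import time

TAG_LEN = 32  # HMAC-SHA256 output size


class TicketServer:
    """Holds one secret key; all per-client session state lives in tickets."""

    def __init__(self, key=None, lifetime=3600):
        self.key = key or os.urandom(32)  # the only long-lived server state
        self.lifetime = lifetime           # ticket validity in seconds

    def issue(self, state, now=None):
        """Pack expiry + JSON state, authenticate it, and hand it to the client."""
        exp = int(now if now is not None else time.time()) + self.lifetime
        body = struct.pack(">Q", exp) + json.dumps(state, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag)

    def resume(self, ticket, now=None):
        """Rebuild session state from a ticket; None if forged, altered or expired."""
        try:
            raw = base64.urlsafe_b64decode(ticket)
            body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):  # constant-time check
                return None
            exp = struct.unpack(">Q", body[:8])[0]
            if (now if now is not None else time.time()) >= exp:
                return None
            return json.loads(body[8:].decode())
        except (ValueError, struct.error):  # malformed ticket
            return None


if __name__ == "__main__":
    srv = TicketServer(lifetime=60)
    # constructed sample state: a client identity and a key identifier
    ticket = srv.issue({"client": "clientA", "kid": 7})
    print("resumed:", srv.resume(ticket))
```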
