> The main reasoning here was, I believe, that an inherent solution would be
> easier to tailor to a time synchronization protocol's special needs,
> particularly for the additional delays caused by the cryptographic
> operations on time-sensitive packets to be small (and ideally
> symmetrical).
>
OK, that's interesting. Can you please elaborate on the symmetrical requirement?

And, following some comments of Miroslav I also wonder the following:

1) Will NTS's KE messages be piggybacked on NTP's normal packets with the usual T1, T2, T3, T4 timestamps?

2) If yes, then during the KE, will the client actually use these timestamps to set its clock or inform any of NTP's clock discipline algorithms?

3) If yes, then I guess you will want to be very careful about the delay introduced by the public key crypto operations in the KE. How will you deal with that, in light of the fact that e.g. RSA signing is 10x slower than RSA verification, and RSA encryption is 10x faster than RSA decryption?

Does this even matter? Maybe it depends on what "symmetrical" means?

When you say symmetrical, do you mean that the time the *query packet is in flight* (i.e. T2-T1) should be symmetrical with the time the *response packet is in flight* (i.e. T4-T3)? Or do you mean that the time the server spends processing the packet should be symmetrical to the time the client spends processing the same packet? (This seems problematic if e.g. the server is a powerful machine that does crypto in hardware while the client is a lame machine that does crypto in software.)

This issue could impact the regular timing exchanges even if it does not impact the KE.

Thanks,
Sharon

-----"TICTOC" <[email protected]> wrote: -----
>To: [email protected], [email protected]
>From: Sharon Goldberg
>Sent by: "TICTOC"
>Date: 23.03.2016 10:07
>Subject: [TICTOC] WGLC on NTS: Why not run over IPsec?
>
>Dear WG,
>
>Another question, and please forgive me if this was discussed already
>and I missed it.
>
>It would be helpful to know why NTS is not just running over
>IPsec. (I can see why running NTP over TLS makes little sense, since
>TLS runs over TCP while NTP runs over UDP so everything would
>probably break.) But NTP runs over IP. I suppose there are some performance
>hits to using IPsec? What are they?
>
>Thanks,
>Sharon
>
_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
