> PPS: Out of curiosity: is there a mode for IPsec which does what NTS is
> trying to achieve (namely requiring on the server side neither a
> per-association state nor classic asymmetric cryptography like digital
> signatures)? If so, some text might be in order somewhere (NTP BCP
> document?), stating that if IPsec is used for securing NTP, said mode would
> be the best one to use.

This is a really good question and I tried and failed to answer it so far. IPsec is amazingly complex and easy to configure wrongly. One thing that I can tell so far is that traffic should be secured in "AH Transport" mode but I cannot figure out what IPsec KE is appropriate. It does seem that by default IPsec uses mutual authentication of client and server, (while NTS "MUST" accommodate one-sided authentication). I wonder if IPsec also supports one-sided authentication; at the moment I have not figured out if/how this works.

Maybe if folks from this WG go to IETF (sadly I am not) someone could ask one of the IPsec folks for advice on what KE they suggest?

Anyway, I've talked to several friends who do research on crypto flaws in practice, and they say the complexity of IPsec is both a barrier to its adoption and also a security risk [1]. Sigh.

Sharon

[1] http://www.spiegel.de/media/media-35529.pdf
[2] https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
