Sharon Goldberg writes: > Harlan wrote: >> If the two sides already have an ntp.keys file then this key can be >> used for a MAC, correct? > > Harlan you are suggesting MACing the actual traffic with PSK right > away before the KE completes? I don't think this works since you will, > just like TLS, still need a key exchange to agree you need a PSK.
I'm only suggesting this as a possibility for situations where the ntp.keys file is available. This is OK as a solution for smallish sets of machines. It doesn't make much sense to set up private/symmetric key stuff only to handle initial packets on a larger scale. > Moreover, adding a PSK mode to NTS adds additional complexity. Do we > really want to introduce this additional complexity? I am very wary > of this, as recent attacks on TLS and IPsec have shown that the > proliferation of modes and complexity in these protocols can be > exploited by attackers [1],[2]. Can one have reliable IPSEC if the time is unknown? Once upon a time, we had Bell 212A modems (that had constant-delay characteristics) and real copper wire between endpoints. It did a surprisingly good job of moving time around. Then we got soft modems, which introduced noticeable variation in the processing delays, and then the phone system changed as well. Phones are no longer a useful way to move time around accurately. IPSEC likely adds variable delays as well. H _______________________________________________ TICTOC mailing list [email protected] https://www.ietf.org/mailman/listinfo/tictoc
