On Tue, Mar 29, 2016 at 10:44:23AM -0400, Sharon Goldberg wrote:
> On Tue, Mar 29, 2016 at 6:15 AM, Miroslav Lichvar <[email protected]>
> wrote:
> > From the server point of view, I think there should be no change in
> > the observed packet rate (after IP defragmentation) when clients
> > enable NTS.
> >
> > This worries me.

(Sharon, the last sentence is not from my mail, it seems your client
breaks quoting sometimes).

> Note that NTS uses certificates to authenticate the KE. Generally, a
> certificate chain cannot fit into a single IP packet.

Yes, there was a discussion about that on the ntpwg list recently and
currently NTS relies on IP fragmentation even with the standard ethernet
MTU of 1500. I agree it could be a problem. It seems IPv6 doesn't even
require hosts to defragment packets larger than 1500 octets. Adding
fragmentation to the NTP protocol seems like a horrible idea.

Would it be safe to assume an NTP+NTS packet can always contain a single
certificate without requiring fragmentation with MTU of 1500? Perhaps the
server_cook message could be split into multiple messages. With the
client_cook message I suspect it would be much more difficult.

-- 
Miroslav Lichvar

_______________________________________________
TICTOC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tictoc
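The size question raised in the message above (can one certificate ride in an NTP+NTS packet without IP fragmentation at an MTU of 1500?) can be answered with a budget check. The following Python is an added example written for this page; it is not code from the thread, from any NTS draft, or from any NTP implementation. It assumes only fixed-size headers (IPv4 without options, the IPv6 base header, UDP, the 48-octet NTPv4 header) and the NTPv4 extension-field layout from RFC 7822 (16-bit type, 16-bit length, value padded to a 32-bit boundary). The certificate is not decoded; its outer DER SEQUENCE length is read to get its on-wire size. `fake_der_cert` builds a constructed stand-in of a chosen size so the check runs offline.

```python
# Added example (not from the thread): estimate whether an X.509 certificate,
# carried as an NTP extension field, fits in one UDP datagram at a given MTU.
# Header sizes are fixed-size headers only: IPv4 without options, IPv6 base
# header, UDP, and the 48-octet NTPv4 header (assumption: no other options).
IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
NTP_HEADER = 48
EXT_FIELD_HEADER = 4    # 16-bit type + 16-bit length (RFC 7822)


def der_tlv_length(buf: bytes) -> int:
    """Total octets (tag + length + value) of the first DER TLV in buf.

    A DER-encoded certificate is one outer SEQUENCE, so this yields the
    certificate's size without decoding its contents.
    """
    if len(buf) < 2:
        raise ValueError("truncated DER")
    first = buf[1]
    if first < 0x80:                       # short-form length
        hdr, value_len = 2, first
    else:                                  # long form: low 7 bits = octet count
        n = first & 0x7F
        if n == 0 or len(buf) < 2 + n:
            raise ValueError("bad DER length")
        hdr = 2 + n
        value_len = int.from_bytes(buf[2:2 + n], "big")
    total = hdr + value_len
    if total > len(buf):
        raise ValueError("truncated DER value")
    return total


def ext_field_size(payload_len: int) -> int:
    """On-wire size of one NTP extension field, value padded to 32 bits."""
    return EXT_FIELD_HEADER + (payload_len + 3) // 4 * 4


def ext_budget(mtu: int = 1500, ipv6: bool = True) -> int:
    """Octets left for extension fields in an unfragmented NTP datagram."""
    ip = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip - UDP_HEADER - NTP_HEADER


def max_cert_bytes(mtu: int = 1500, ipv6: bool = True) -> int:
    """Largest DER certificate that fits as a single extension field."""
    return ext_budget(mtu, ipv6) // 4 * 4 - EXT_FIELD_HEADER


def fits_unfragmented(cert_der: bytes, mtu: int = 1500, ipv6: bool = True) -> bool:
    """True if the certificate, as one extension field, needs no fragmentation."""
    return ext_field_size(der_tlv_length(cert_der)) <= ext_budget(mtu, ipv6)


def fake_der_cert(body_len: int) -> bytes:
    """Constructed stand-in (not a real certificate): a DER SEQUENCE with a
    two-octet long-form length and body_len filler octets. Only the outer TLV
    size matters for the budget check; use body_len >= 256 for minimal DER."""
    return b"\x30\x82" + body_len.to_bytes(2, "big") + b"\x00" * body_len


if __name__ == "__main__":
    cases = (("IPv4, MTU 1500", 1500, False),
             ("IPv6, MTU 1500", 1500, True),
             ("IPv6, minimum link MTU 1280", 1280, True))
    for label, mtu, v6 in cases:
        print(f"{label}: largest single certificate {max_cert_bytes(mtu, v6)} octets")
    for body in (1200, 1600):
        cert = fake_der_cert(body)
        print(f"{der_tlv_length(cert)}-octet certificate fits at IPv6/1500:",
              fits_unfragmented(cert))
```

Run it with a real DER certificate by replacing the constructed input with the file's bytes; a certificate chain would be checked by summing `ext_field_size(der_tlv_length(c))` over each certificate. At an MTU of 1500 the IPv6 figure is the tighter one, and on paths limited to the IPv6 minimum link MTU of 1280 the budget shrinks by a further 220 octets.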
