>
>I’m sorry I haven’t been following this discussion, so I’m not sure
>what the requirements of NTS are. Whatever they are, I’m pretty sure
>that AH is not the
> answer, because AH is being deprecated in many stacks (we’ve done it
>in 2003).
>
>There are modes of IPsec that do not require per association state,
>but that depends on what kind of traffic you have and on your trust
>model (that’s like “threat
> model” only looking on the bright side of life). For example, there
>is GDOI where a single key is used for all associations. That’s fine
>as long as you trust the group members to not impersonate each other.
>
>As for the complexity of IPsec, this is largely a myth. IPsec is no
>more or less complex then the record layer of TLS/DTLS. The IKE
>protocol has many more knobs
> than SSLv3, but by the current version of TLS (TLS 1.2) they’ve
>caught up with the complexity, offering PFS and non-PFS, PSKs,
>passwords and what have you. It seems simpler because most of us get
>to see TLS encased in a browser, while an IKE daemon is usually
> installed separately and configured through a text file or arcane
>command-lines. All consumer operating systems these days have IPsec
>clients (either L2TP or IKEv2) that are extremely easy to configure.
>
>If you’re really interested in pursuing this, I suggest you summarize
>the requirements and send a message to the ipsec list. Lots of IPsec
>people there, including
> the author of [2].
My opinion is that we are not interested in pursuing this in our capacity as authors of the NTS documents.
However, it might still be overall advisable to pursue this.
Maybe someone would be interested in following up on this and write up a paragraph about how best to use/configure IPsec to secure NTP traffic (and possibly some pros and cons about doing this, too). This text might, for example, be added to the Security Considerations of the NTP BCP document.
What do people think about this?
>
>Yoav
>
>>PPS: is there a mode for IPsec which does what NTS
>>is trying to achieve (namely requiring on the server side neither a
>>per-association state nor classic
>> asymmetric cryptography like digital signatures)? If so, some text
>>might be in order somewhere (NTP BCP document?), stating that if
>>IPsec is used for securing NTP, said mode would be the best one to
>>use.
>
>
>This is a really good question and I tried and failed to answer it so
>far. IPsec is amazingly complex and easy to configure wrongly. One
>thing that I can tell so far is that traffic should be secured in "AH
>Transport" mode but I cannot
> figure out what IPsec KE is appropriate. It does seem that by
>default IPsec uses mutual authentication of client and server, (while
>NTS "MUST" accommodate one-sided authentication). I wonder if IPsec
>also supports one-sided authentication; at the moment
> I have not figured out if/how this works.
_______________________________________________ TICTOC mailing list [email protected] https://www.ietf.org/mailman/listinfo/tictoc
