NTS - Network TIme Security
hmurray at megapathdsl.net
Tue Mar 29 08:42:52 UTC 2016
There is work in progress in the IETF on authenticated NTP. As far as I can
tell, getting off the ground is a really hard problem. All the classical
crypto work uses time to decide if the info you have is still valid and
prevent replay attacks and things like that.
I think we should have a way for something dumb, like a toaster, to be able
to get the right time.
Another nasty case is a board that has been on the spares shelf for 10 years.
There is a specific proposal called NTS. The next to last draft is 40 pages.
(I'm one behind.)
It takes 6 packets to set things up. The last step uses a certificate chain
so you need to know the time. ...
There is another proposal on how o use the above on NTP. (It's intended to
cover PTP too.) The basic problem there is that the NTP packet format wasn't
designed with extensions in mind. It seems simple to me. Just grandfather
the old magic lengths and make all the new stuff use TLV (type, length,
value) type formats. But it hasn't settled down yet.
These are my opinions. I hate spam.
More information about the devel