[time-nuts] Time security musing - attacking the clock itself

Jonatan Walck jwalck at netnod.se
Tue Dec 4 07:50:48 UTC 2012


On 12/04/2012 04:44 AM, Hal Murray wrote:
> 
> 
> PTP is basically making the network transit times more accurate
> than "symmetrical" by measuring them.  Each box that processes a
> packet updates the packet with the processing/queuing delays.
> 
> I think the PTP geeks are working on crypto.  I'm not tracking the
> details.
> 

We're shifting slightly off topic here, apologies in advance. As far
as I know PTP cannot calculate link asymmetry, even though it does
indeed take delays in switches/routers into account if they are
IEEE1588-aware by updating timestamps en route.

IEEE1588-2008 can compensate for link asymmetry too, but has no way
of calculating it. That is to say, something else has to give input
telling PTP the characteristics of the link asymmetry. This is
measurable in a static local network but is a hopeless task over the
Internet.

I've seen some trials of using IPSec to protect PTP traffic from
tampering/manipulation, and I think there have been extensions tested
similar to those used in NTP but I haven't seen those in IEEE1588.
Using the approaches of NTP applied directly to PTP is hopeless with an
IEEE1588-aware network though, all checksums will fail given that the
path actively prods around in the packet like a true MITM (one can
only hope these men in the middle are friendly:).

I found a possibly good read on IETF tictoc re: security requirements
for PTP and NTP for those who want to learn how deep the rabbit hole
goes.[1] As Harlan Stenn pointed out in another part of the thread, we
have to know what we're protecting ourselves against before we start
to throw in counter-measures.

// jwalck

[1]:
https://tools.ietf.org/html/draft-ietf-tictoc-security-requirements-03
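
The point in the message above about NTP-style authentication failing on an IEEE1588-aware path, as an added example that is not part of the original post: an end-to-end HMAC over a PTP message stops verifying once a transparent clock updates correctionField. The header is a simplified 34-byte PTPv2 layout; the key, port identity and residence times are constructed, and the MAC that zeroes correctionField is a hypothetical variant shown only to make clear that it leaves that field unauthenticated.

```python
import hashlib
import hmac
import struct

CORR_OFF, CORR_LEN = 8, 8      # correctionField: 8 bytes at offset 8 of the PTP header
KEY = b"constructed-demo-key"  # constructed end-to-end key (assumption for this demo)


def build_sync(seq, correction_ns=0):
    """Pack a simplified 34-byte PTPv2 Sync header from constructed values."""
    return struct.pack(
        ">BBHBBHq4x10sHBb", 0x00, 0x02, 34, 0, 0, 0,  # type, version, length, domain, reserved, flags
        correction_ns << 16,                          # nanoseconds scaled by 2**16
        b"\x00\x1b\x19\xff\xfe\x00\x00\x01\x00\x01",  # sourcePortIdentity (constructed)
        seq, 0, 0)                                    # sequenceId, control, logMessageInterval


def transparent_clock(msg, residence_ns):
    """Add residence time to correctionField, as an IEEE1588-aware switch does."""
    out = bytearray(msg)
    (corr,) = struct.unpack_from(">q", out, CORR_OFF)
    struct.pack_into(">q", out, CORR_OFF, corr + (residence_ns << 16))
    return bytes(out)


def icv(msg, mask_correction=False):
    """HMAC-SHA256 over the message; the hypothetical variant zeroes correctionField first."""
    if mask_correction:
        msg = msg[:CORR_OFF] + bytes(CORR_LEN) + msg[CORR_OFF + CORR_LEN:]
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def verify(msg, tag, mask_correction=False):
    return hmac.compare_digest(icv(msg, mask_correction), tag)


def demo():
    sent = build_sync(seq=42)
    switched = transparent_clock(sent, residence_ns=1500)       # ordinary on-path update
    other_value = transparent_clock(sent, residence_ns=250000)  # same field, another value
    full, masked = icv(sent), icv(sent, True)
    return {
        "full_direct": verify(sent, full),                  # untouched message verifies
        "full_after_switch": verify(switched, full),        # fails: the switch changed a covered byte
        "masked_after_switch": verify(switched, masked, True),  # verifies across the switch
        "masked_other_value": verify(other_value, masked, True)}  # also verifies: field unprotected


if __name__ == "__main__":
    print(demo())
```

The receiver cannot tell the last two cases apart, so the masked variant authenticates everything except the one field the path is allowed to rewrite.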


