AS I indicated in my review comments, this is well off the path for a DNS Directorate review. I feel that the draft does not clearly position itself with respect to what NTS can (and connot) provide in terms of assurance of the integrity of the NTP time signal and what Knronos provides. I note that the Introduction states that: "Time shifting attacks on NTP clients can be based on interfering with the communication between the NTP clients and servers or compromising the servers themselves.”, but I assume that a reader would find it useful to note that NTS would conventionally mnake it more challenging for a party to interfere with the communication, but is of little impact if the servers themselves are compromised. Such a statement (and a reference to the NTS RFC8195) would address my concerns here about clarity of intended scope of Khronos. thanks, Geoff > On 12 Jul 2023, at 7:43 pm, Neta R S <neta.r.schiff@xxxxxxxxx> wrote: > > Hi Geoff, > > I am so sorry I missed your question... > We do mention NTS in the draft and say that they can be combined. Khronos provides provable security given a ratio of compromised NTP pool servers while NTS provides authentication for NTP servers but has no effect if the servers are compromised. > > Best regards, > Neta > > On Mon, Jun 12, 2023 at 5:02 PM Neta R S <neta.r.schiff@xxxxxxxxx> wrote: > Hi Geoff, > > Thanks for the feedback! > > Best, > Neta > > > On Fri, Jun 9, 2023, 1:57 AM Geoff Huston via Datatracker <noreply@xxxxxxxx> wrote: > Reviewer: Geoff Huston > Review result: Ready > > The draft makes no reference to the DNS, and as such there is little for this > DNS Directorate reviewer to comment on from the perspective of the DNS. > > This is also a informational RFC, and the review questions for such an RFC are > necessarily focused on the clarity of the descriptions contained in the > document as well as attention to the accuracy of any calims made in the > document. From this reviewer's perspective the document is clear and thew > assertions appear to be reasonable. > > AS a purely personal comment, which the authors may chose to pay heed to or > just ingore, the document makes absolutely no reference to the NTS protocol. > Since the presumed attack is an attack on the NTP transactions, when what are > the attributes of Khronos that make it an attractive alternative to NTS? > > However, to the extent that this is not a document that touches in any > substantive weay on the DNS and this is a DNS directorate review, there is > nothing that is worthing of flagging for further attention in this document > > -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
