|
1 | 1 | --- |
2 | 2 | title: "NTS extensions for enabling pools" |
3 | 3 | abbrev: "NTS pools" |
4 | | -category: std |
| 4 | +category: exp |
5 | 5 |
|
6 | 6 | docname: draft-venhoek-nts-pool-latest |
7 | 7 | submissiontype: IETF # also: "independent", "editorial", "IAB", or "IRTF" |
|
20 | 20 | |
21 | 21 | # arch: https://example.com/WG |
22 | 22 | github: "pendulum-project/nts-pool-draft" |
23 | | - latest: "https://pendulum-project.github.io/nts-pool-draft/draft-nts-pool.html" |
| 23 | + latest: "https://pendulum-project.github.io/nts-pool-draft/draft-venhoek-nts-pool.html" |
24 | 24 |
|
25 | 25 | author: |
26 | 26 | - |
@@ -80,10 +80,12 @@ In {{RFC8915}}, cookies are generated based on key material that is extracted fr |
80 | 80 |
|
81 | 81 | To facilitate communication between the pool and the time sources, 4 new NTS records are defined in {{records}}. Together these records provide a way for the pool to provide key exchange services to clients on behalf of the time sources. |
82 | 82 |
|
83 | | -The Supported Next Protocol List ({{supportedprotocol}}) and Supported Algorithm List ({{supportedalgorithm}}) records allow the pool to ask a time source which protocols and algorithms it supports. This information can be requested by the pool at any time, and can be cached for short periods of time to improve efficiency. |
| 83 | +The Supported Next Protocol List ({{supportedprotocol}}), Supported Algorithm List ({{supportedalgorithm}}) and List Server Names ({{listservernames}})) records allow the pool to ask a time source which protocols and algorithms it supports, and which server names are used in the NTP server records it generates. This information can be requested by the pool at any time, and can be cached for short periods of time to improve efficiency. |
84 | 84 |
|
85 | 85 | Using knowledge of a time source's supported protocols and algorithms, the pool can then handle client connections for that time source, using the clients indicated desires to choose a concrete next protocol and AEAD algorithm. The pool can then extract the keys from the TLS connection and use the Fixed Key record ({{fixedkey}}) to request cookies for these keys from the time source. |
86 | 86 |
|
| 87 | +The list of server names provided by the time source can be used by the pool to honor requests by the client to not repeat a certain server. This allows more efficient retrieval of multiple sources from a pool. |
| 88 | + |
87 | 89 | As it is wasteful to setup a new TLS session between the pool and the time source for each of these interactions. To facilitate reuse of the TLS sessions, we further introduce the Keep Alive record ({{keepalive}}). This record allows the pool to indicate to the time source a desire to keep the session alive for more than a single request-response interaction. |
88 | 90 |
|
89 | 91 | ## Authenticating the pool to time sources {#poolauth} |
@@ -140,6 +142,18 @@ When included, the server MUST NOT negotiate a next protocol, AEAD algorithm, or |
140 | 142 |
|
141 | 143 | We include the algorithm key size in the response so that a pool does not itself need knowledge of which AEAD algorithms exist, and what their key sizes are. Instead, it can use the provided key length when extracting keys from the TLS connection between end user and pool. This allows adoption of new AEAD algorithms without any changes to the pool software. |
142 | 144 |
|
| 145 | +## List Server Names {#listservernames} |
| 146 | +Record Type Number: To be assigned by IANA (draft implementations: 0x4005) |
| 147 | +Critical bit: 1 |
| 148 | + |
| 149 | +This record can be used by a pool to query time sources about which server names they use in NTP server records in their responses. |
| 150 | + |
| 151 | +When a client sends this record the body MUST have size 0. Clients MAY use Keep Alive in combination with this record. Contrary to {{RFC8915}}, a request with this record SHOULD NOT include a "Next Protocol Negotiation", "AEAD Algorithm Negotiation" or "Fixed Key Request" record. |
| 152 | + |
| 153 | +Servers MUST NOT include this record in a response. When receiving this record, servers MUST ignore any body of this record sent by the client, and MUST send in the response one NTP server record for each server name the server may use responses to fixed key requests. If a server never sents a NTP server record in response to a fixed key request, it MAY opt to not provide one in response to this record. |
| 154 | + |
| 155 | +When receiving this record, a server MUST NOT negotiate a next protocol, AEAD algorithm, or keys for this request. A server MAY treat this record as unknown for clients that are not authenticated as described in {{poolauth}}. |
| 156 | + |
143 | 157 | ## Fixed Key Request {#fixedkey} |
144 | 158 | Record Type Number: To be assigned by IANA (draft implementations: 0x4002) |
145 | 159 | Critical Bit: 1 |
@@ -187,8 +201,9 @@ IANA is requested to allocate the following entries in the Network Time Security |
187 | 201 | | Record Type Number | Description | Reference | |
188 | 202 | | --- | --- | --- | |
189 | 203 | | [[TBD]] | Keep Alive | [[this memo]] {{keepalive}} | |
190 | | -| [[TBD]] | Supported Next Protocol List | [[this memo]] {{keepalive}} | |
| 204 | +| [[TBD]] | Supported Next Protocol List | [[this memo]] {{supportedprotocol}} | |
191 | 205 | | [[TBD]] | Supported Algorithm List | [[this memo]] {{supportedalgorithm}} | |
| 206 | +| [[TBD]] | List Server Names | [[this memo]] {{listservernames}} | |
192 | 207 | | [[TBD]] | Fixed Key Request | [[this memo]] {{fixedkey}} | |
193 | 208 | | [[TBD]] | NTP Server Deny | [[this memo]] {{serverdeny}} | |
194 | 209 |
|
|
0 commit comments