On Thu, Oct 13, 2011 at 7:07 PM, Danny Mayer <ma...@ntp.org> wrote: > On 10/13/2011 2:28 PM, Kevin Gross wrote: >> Definitely important issues for some synchronization protocols but it >> seems though two-step 1588 would work through such a connection. The >> followup message will contain an accurate (and encrypted) timestamp. >> Encryption delays would not result in significant loss of accuracy with >> respect to an unencrypted connection also using two step. > > Has anyone tested or measured that? I have not seen any information how > this will work without losing accuracy. Don't forget the followon > message will also have to be encrypted and decrypted when sent making > for additional uncertainties and errors. I have not reviewed how the > two-step IEEE 1588 protocol works so I don't have a good understanding > of the effects of IPsec encryption on such packets.
The cost of crypto can be measured, and performance generally deterministic (particularly when there's no side channels in the crypto) (assuming no mid-crypto context switches), so that it should be possible to correct for the delays introduced by crypto (just as it's possible to measure and estimate network latency). Indeed, crypto processing will likely be more deterministic than network latency :) However, I do agree that there's no point to encrypting time synchronization signals unless they facilitate traffic analysis (say). Nor do I see the point of using WESP for this. Also, NTP has a public key authentication facility nowadays -- why not use it? Nico -- _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
