Development discussion of WireGuard
From: Kalin KOZHUHAROV <me.kalin@gmail.com>
To: Devan Carpenter <mail@dvn.me>
Cc: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Need for HW-clock independent timestamps
Date: Tue, 15 May 2018 22:49:15 +0200	[thread overview]
Message-ID: <CAKXLc7drht4CVexsCTXwHe-Z_RyFghAhQsXom=z9dtQuxQU48Q@mail.gmail.com> (raw)
In-Reply-To: <20180515202126.yw57deh6st5ebnk6@kowloon>

On Tue, May 15, 2018 at 10:21 PM, Devan Carpenter <mail@dvn.me> wrote:
> Aaron Jones transcribed 3.1K bytes:
>> On 12/05/18 19:29, Axel Neumann wrote:
>> > You want WG to secure your network. So the suggestion can not be to open
>> > your network for a pretty insecure daemon in order to get WG working.
>> > This would essentially allow attackers to fake the ntp server and then
>> > block WG forever.
>>
>> Someone in a position to fake NTP (which needs bidirectional
>> communication) is already in a position to block WG forever (by simply
>> refusing to forward its packets).
>>
>> Additionally, there are a few very well-designed and secure NTP daemons
>> out there (such as OpenNTPd).
>>
>
> Using NTP is not a viable solution for a distributed mesh network. What
> if the Internet is only accessible via WG, or what if the network is not
> connected to the Internet at all?
>
Why do you need the Internet at all?
You can do as simple as plug a $20 GPS receiver (serial/USB) in any
node and get precise time that is shared with others in the network.
Heck, even go analog and use the Colorado WWV radio signal.
Or go fancy and buy a dedicated Cesium-backed "private" NTP server.

> It's not a trivial problem, but I think it would be beneficial to WireGuard as a project to not depend on
> centralized time authority *if there is an option not to*.
>
I wouldn't call universal time a "centralized authority", it is more
of a well-agreed-upon concept.
With a clear view of the sky and some math, you can use the stars (Sun
incl.) even and nobody can ban you from knowing the time.
It is not like say centralized DNS.

So, yes you need a method for obtaining the time at somewhat precise
scale[1], but "NTP-to-I'net" is just one somewhat convenient method.

[1]  Can anyone point me to the piece in code that shows that
precision? In other words, how far apart can 2 peers' clocks be and
still connect.
I spent some time grepping, but couldn't find it... I guess it is
connected to 'REJECT_AFTER_TIME = 180 * HZ;' ?

Cheers,
Kalin.
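As an added illustration, not part of this thread or of the WireGuard sources, here is the handshake replay check the WireGuard whitepaper describes: the initiation message carries a TAI64N timestamp, and the responder accepts it only if it is strictly greater than the last one it stored for that peer. The responder's own clock never enters the comparison, so the peers' clocks need not agree with each other; the case that does bite is a peer whose clock went backwards (e.g. after a reboot without a battery-backed RTC), which this example also exercises. The `Responder` class and the nanosecond handling are simplified for illustration.

```python
import struct

# TAI64 label of the Unix epoch: 2^62 marks 1970-01-01 TAI, and TAI was
# 10 s ahead of UTC at that instant, hence the +10.
TAI64_UNIX_EPOCH = (1 << 62) + 10


def tai64n(unix_seconds: int, nanoseconds: int = 0) -> bytes:
    """Encode a Unix time as a 12-byte TAI64N label: 8-byte seconds then
    4-byte nanoseconds, both big-endian (the format WireGuard sends)."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    return struct.pack(">QI", TAI64_UNIX_EPOCH + unix_seconds, nanoseconds)


class Responder:
    """Simplified responder state: greatest accepted timestamp per peer."""

    def __init__(self) -> None:
        self.last_timestamp: dict[bytes, bytes] = {}

    def accept_initiation(self, peer_key: bytes, timestamp: bytes) -> bool:
        """Replay check on a handshake initiation.

        Big-endian labels compare numerically when compared as bytes, so a
        plain <= suffices. Only the peer's previous timestamp is consulted;
        the responder's wall clock is irrelevant to the decision."""
        last = self.last_timestamp.get(peer_key)
        if last is not None and timestamp <= last:
            return False  # replayed or older-than-seen: reject
        self.last_timestamp[peer_key] = timestamp
        return True


def clock_rollback_scenario() -> list[bool]:
    """Constructed scenario: a peer handshakes, replays, then reboots into a
    clock an hour in the past, then catches up. Returns the accept decisions."""
    r = Responder()
    peer = b"\x11" * 32  # constructed placeholder for a peer's public key
    t0 = 1_526_421_600   # arbitrary constructed Unix time
    return [
        r.accept_initiation(peer, tai64n(t0)),             # first handshake
        r.accept_initiation(peer, tai64n(t0)),             # exact replay
        r.accept_initiation(peer, tai64n(t0 - 3600)),      # clock went back
        r.accept_initiation(peer, tai64n(t0, 1)),          # 1 ns later: fine
        r.accept_initiation(b"\x22" * 32, tai64n(t0 - 86400)),  # other peer, a day "behind": fine
    ]
```

The third result is the failure mode the thread is worried about: until that peer's clock passes its last accepted timestamp, every initiation it sends is rejected, regardless of how accurate the responder's clock is.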


Thread overview: 40+ messages
2018-05-11 22:07 WG: " Axel Neumann
2018-05-11 22:45 ` Kalin KOZHUHAROV
2018-05-12  0:05   ` Glen Bojsza
2018-05-12 19:29   ` Axel Neumann
2018-05-12 19:41     ` Aaron Jones
2018-05-15 20:21       ` Devan Carpenter
2018-05-15 20:49         ` Kalin KOZHUHAROV [this message]
2018-05-16  7:10           ` Matthias Urlichs
2018-05-16 19:32           ` Axel Neumann
2018-05-16 20:32             ` Steve Gilberd
2018-05-17  3:40               ` Paul
2018-05-17  5:03                 ` Roman Mamedov
2018-05-17  5:53                   ` Matthias Urlichs
2018-05-17  7:07                     ` Axel Neumann
2018-05-17  8:28                       ` Matthias Urlichs
2018-05-16 20:35             ` Kalin KOZHUHAROV
2018-05-12 22:10     ` Toke Høiland-Jørgensen
2018-05-12 23:05     ` Reuben Martin
2018-05-13  6:11     ` Matthias Urlichs
2018-05-13 12:37       ` Toke Høiland-Jørgensen
2018-05-16  7:01         ` Axel Neumann
2018-05-16  9:38           ` Toke Høiland-Jørgensen
2018-05-16 11:08             ` Matthias Urlichs
2018-05-16 11:12             ` Axel Neumann
2018-05-13 14:21   ` Wang Jian
2018-05-21 10:07 ` WG: " Axel Neumann
2018-05-21 11:22   ` Reto Brunner
2018-05-21 11:52     ` Axel Neumann
2018-05-21 12:31       ` Axel Neumann
2018-05-21 12:35       ` Reto Brunner
2018-05-21 13:53         ` Matthias Urlichs
2018-05-21 14:56           ` Bruno Wolff III
2018-05-21 15:34             ` Matthias Urlichs
2018-05-22 20:25               ` Ivan Labáth
2018-05-23  2:51                 ` Matthias Urlichs
2019-02-04 14:56                 ` Jason A. Donenfeld
2019-02-23  4:00                   ` Axel Neumann
2019-02-23 12:35                     ` Ivan Labáth
     [not found] <1324673763.992877.1526187430298.ref@mail.yahoo.com>
2018-05-13  4:57 ` reiner otto
2018-05-13 12:35   ` Toke Høiland-Jørgensen
