summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8039.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc8039.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc8039.txt')
-rw-r--r--doc/rfc/rfc8039.txt955
1 files changed, 955 insertions, 0 deletions
diff --git a/doc/rfc/rfc8039.txt b/doc/rfc/rfc8039.txt
new file mode 100644
index 0000000..537361e
--- /dev/null
+++ b/doc/rfc/rfc8039.txt
@@ -0,0 +1,955 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) A. Shpiner
+Request for Comments: 8039 Mellanox
+Category: Experimental R. Tse
+ISSN: 2070-1721 Microsemi
+ C. Schelp
+ Oracle
+ T. Mizrahi
+ Marvell
+ December 2016
+
+
+ Multipath Time Synchronization
+
+Abstract
+
+ Clock synchronization protocols are very widely used in IP-based
+ networks. The Network Time Protocol (NTP) has been commonly deployed
+ for many years, and the last few years have seen an increasingly
+ rapid deployment of the Precision Time Protocol (PTP). As time-
+ sensitive applications evolve, clock accuracy requirements are
+ becoming increasingly stringent, requiring the time synchronization
+ protocols to provide high accuracy. This memo describes a multipath
+ approach to PTP and NTP over IP networks, allowing the protocols to
+ run concurrently over multiple communication paths between the master
+ and slave clocks, without modifying these protocols. The multipath
+ approach can significantly contribute to clock accuracy, security,
+ and fault tolerance. The multipath approach that is presented in
+ this document enables backward compatibility with nodes that do not
+ support the multipath functionality.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for examination, experimental implementation, and
+ evaluation.
+
+ This document defines an Experimental Protocol for the Internet
+ community. This document is a product of the Internet Engineering
+ Task Force (IETF). It represents the consensus of the IETF
+ community. It has received public review and has been approved for
+ publication by the Internet Engineering Steering Group (IESG). Not
+ all documents approved by the IESG are a candidate for any level of
+ Internet Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc8039.
+
+
+
+
+Shpiner, et al. Experimental [Page 1]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 2. Conventions Used in This Document ...............................4
+ 2.1. Abbreviations ..............................................4
+ 2.2. Terminology ................................................4
+ 3. Multiple Paths in IP Networks ...................................5
+ 3.1. Load Balancing .............................................5
+ 3.2. Using Multiple Paths Concurrently ..........................5
+ 3.3. Two-Way Paths ..............................................5
+ 4. Solution Overview ...............................................6
+ 4.1. Path Configuration and Identification ......................6
+ 4.2. Combining ..................................................6
+ 5. Multipath Time Synchronization over IP Networks .................7
+ 5.1. Overview ...................................................7
+ 5.2. Single-Ended Multipath Synchronization .....................8
+ 5.2.1. Single-Ended MPPTP Synchronization Message
+ Exchange ............................................8
+ 5.2.2. Single-Ended MPNTP Synchronization Message
+ Exchange ............................................9
+ 5.3. Dual-Ended Multipath Synchronization ......................10
+ 5.3.1. Dual-Ended MPPTP Synchronization Message Exchange ..10
+ 5.3.2. Dual-Ended MPNTP Synchronization Message Exchange ..11
+ 5.4. Using Traceroute for Path Discovery .......................12
+ 5.5. Using Unicast Discovery for MPPTP .........................13
+ 6. Combining Algorithm ............................................13
+ 7. Security Considerations ........................................14
+ 8. Scope of the Experiment ........................................14
+ 9. References .....................................................15
+ 9.1. Normative References ......................................15
+ 9.2. Informative References ....................................15
+ Acknowledgments ...................................................17
+ Authors' Addresses ................................................17
+
+
+
+Shpiner, et al. Experimental [Page 2]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+1. Introduction
+
+ The two most common time synchronization protocols in IP networks are
+ (1) the Network Time Protocol [NTP] and (2) the Precision Time
+ Protocol (PTP) as defined in the IEEE 1588 standard [IEEE1588].
+
+ The accuracy of the time synchronization protocols directly depends
+ on the stability and the symmetry of propagation delays in both
+ directions between the master and slave clocks. Depending on the
+ nature of the underlying network, time synchronization protocol
+ packets can be subject to variable network latency or path asymmetry
+ (e.g., [ASYMMETRY] [ASYMMETRY2]). As time-sensitive applications
+ evolve, accuracy requirements are becoming increasingly stringent.
+ Using a single network path in a clock synchronization protocol
+ closely ties the slave clock accuracy to the behavior of the specific
+ path, which may suffer from temporal congestion, faults, or malicious
+ attacks. Relying on multiple clock servers, as in NTP, solves these
+ problems but requires active maintenance of multiple accurate sources
+ in the network, which is not always possible. The usage of
+ Transparent Clocks (TCs) in PTP solves the congestion problem by
+ eliminating the queuing time from the delay calculations but does not
+ address security or fault-tolerance aspects.
+
+ ____
+ ______/ \_____
+ ___/ \____
+ ____/ \
+ ____ / path 1 / ___
+ / \ / ________________________ \ / \
+ /Master\____\___/ \____\________/Slave\
+ \Clock / / \________ _______________/ \ \Clock/
+ \____/ \ / \__ /
+ \____ path 2 __/
+ \_______ ______/
+ \_________/
+
+ Figure 1: Multipath Connection
+
+ Since master and slave clocks are often connected through more than
+ one path in the network, as shown in Figure 1, [SLAVEDIV] suggested
+ that a time synchronization protocol can be run over multiple paths,
+ providing several advantages. First, it can significantly increase
+ the clock accuracy as shown in [SLAVEDIV]. Second, this approach
+ provides additional security, allowing the mitigation of
+ man-in-the-middle attacks against the time synchronization protocol
+ [DELAY-ATT]. Third, using multiple paths concurrently provides an
+ inherent failure protection mechanism.
+
+
+
+
+Shpiner, et al. Experimental [Page 3]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ This document introduces Multipath PTP (MPPTP) and Multipath NTP
+ (MPNTP). The functionality of the multipath approach is defined at
+ the network layer and does not require any changes in PTP or NTP.
+
+ MPPTP and MPNTP are defined over IP networks. As IP networks
+ typically combine ECMP routing, this property is leveraged for the
+ multiple paths used in MPPTP and MPNTP. The key property of the
+ multipath approach is that clocks in the network can use more than
+ one IP address. Each {master IP, slave IP} address pair defines a
+ path. Depending on the network topology and configuration, the IP
+ combination pairs can form multiple diverse paths used by the
+ multipath synchronization protocols. It has been shown [MULTI] that
+ using multiple IP addresses over the wide Internet indeed allows two
+ endpoints to attain multiple diverse paths.
+
+ This document introduces two variants of the multipath approach:
+ (1) a variant that requires both master and slave nodes to support
+ the multipath functionality, referred to as the dual-ended variant,
+ and (2) a backward-compatible variant that allows a multipath clock
+ to connect to a conventional single-path clock, referred to as the
+ single-ended variant.
+
+2. Conventions Used in This Document
+
+2.1. Abbreviations
+
+ BMC Best Master Clock [IEEE1588]
+
+ ECMP Equal-Cost Multipath
+
+ LAN Local Area Network
+
+ MPNTP Multipath Network Time Protocol
+
+ MPPTP Multipath Precision Time Protocol
+
+ NTP Network Time Protocol [NTP]
+
+ PTP Precision Time Protocol [IEEE1588]
+
+2.2. Terminology
+
+ In the NTP terminology, a time synchronization protocol is run
+ between a client and a server, while PTP uses the terms 'master' and
+ 'slave'. Throughout this document, the sections that refer to both
+ PTP and NTP generically use the terms 'master' and 'slave'.
+
+
+
+
+
+Shpiner, et al. Experimental [Page 4]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+3. Multiple Paths in IP Networks
+
+3.1. Load Balancing
+
+ Traffic sent across IP networks is often load-balanced across
+ multiple paths. The load-balancing decisions are typically based on
+ packet header fields: source and destination addresses, Layer 4
+ ports, the Flow Label field in IPv6, etc.
+
+ Three common load-balancing criteria are per-destination, per-flow,
+ and per-packet. The per-destination load balancers take a
+ load-balancing decision based on the destination IP address.
+ Per-flow load balancers use various fields in the packet header,
+ e.g., IP addresses and Layer 4 ports, for the load-balancing
+ decision. Per-packet load balancers use flow-blind techniques such
+ as round-robin without basing the choice on the packet content.
+
+3.2. Using Multiple Paths Concurrently
+
+ To utilize the diverse paths that traverse per-destination
+ load balancers or per-flow load balancers, the packet transmitter can
+ vary the IP addresses in the packet header. The analysis in [PARIS2]
+ shows that a significant majority of the flows on the Internet
+ traverse per-destination or per-flow load balancing. It presents
+ statistics that 72% of the flows traverse per-destination
+ load balancing and 39% of the flows traverse per-flow load balancing,
+ while only a negligible part of the flows traverse per-packet
+ load balancing. These statistics show that the vast majority of the
+ traffic on the Internet is load-balanced based on packet header
+ fields.
+
+ The approaches in this document are based on varying the source and
+ destination IP addresses in the packet header. Possible extensions
+ have been considered that also vary the UDP ports. However, some of
+ the existing implementations of PTP and NTP use fixed UDP port values
+ in both the source and destination UDP port fields and thus do not
+ allow this approach.
+
+3.3. Two-Way Paths
+
+ A key property of IP networks is that packets forwarded from A to B
+ do not necessarily traverse the same path as packets from B to A.
+ Thus, we define a two-way path for a master-slave connection as a
+ pair of one-way paths: the first from master to slave and the second
+ from slave to master.
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 5]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ If possible, a traffic engineering approach can be used to verify
+ that time synchronization traffic is always forwarded through
+ bidirectional two-way paths, i.e., that each two-way path uses the
+ same route in the forward and reverse directions, thus allowing
+ propagation time symmetry. However, in the general case, two-way
+ paths do not necessarily use the same path for the forward and
+ reverse directions.
+
+4. Solution Overview
+
+ The multipath time synchronization protocols we present here are
+ comprised of two building blocks: one is the path configuration and
+ identification, and the other is the algorithm used by the slave to
+ combine the information received from the various paths.
+
+4.1. Path Configuration and Identification
+
+ The master and slave clocks must be able to determine the path of
+ transmitted protocol packets and to identify the path of incoming
+ protocol packets. A path is determined by a {master IP, slave IP}
+ address pair. The synchronization protocol message exchange is run
+ independently through each path.
+
+ Each IP address pair defines a two-way path and thus allows the
+ clocks to bind a transmitted packet to a specific path or to identify
+ the path of an incoming packet.
+
+ If possible, the routing tables across the network should be
+ configured with multiple traffic-engineered paths between the pair of
+ clocks. By carefully configuring the routers in such networks, it is
+ possible to create diverse paths for each of the IP address pairs
+ between two clocks in the network. However, in public and provider
+ networks, the load-balancing behavior is hidden from the end users.
+ In this case, the actual number of paths may be less than the number
+ of IP address pairs, since some of the address pairs may share common
+ paths.
+
+4.2. Combining
+
+ Various methods can be used for combining the time information
+ received from the different paths. The output of the combining
+ algorithm is the accurate time offset. Combining methods are further
+ discussed in Section 6.
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 6]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+5. Multipath Time Synchronization over IP Networks
+
+5.1. Overview
+
+ This section presents two variants of MPPTP and MPNTP: single-ended
+ multipath time synchronization and dual-ended multipath time
+ synchronization. In the first variant, the multipath approach is
+ only implemented by the slave, and the master is not aware of its
+ usage. In the second variant, all clocks use multiple paths.
+
+ The dual-ended variant provides higher path diversity by using
+ multiple IP addresses at both ends, the master and slave, while the
+ single-ended variant only uses multiple addresses at the slave.
+ Consequently, the single-ended approach can interoperate with
+ existing implementations that do not use multiple paths. The
+ dual-ended and single-ended approaches can coexist in the same
+ network; each slave selects the connection(s) it wants to make with
+ the available masters. A dual-ended slave could switch to
+ single-ended mode if it does not see any dual-ended masters
+ available. A single-ended slave could connect to a single IP address
+ of a dual-ended master.
+
+ Multipath time synchronization, in both variants, requires clocks to
+ use multiple IP addresses. Using multiple IP addresses introduces a
+ trade-off. A large number of IP addresses allows a large number of
+ diverse paths, providing the advantages of slave diversity discussed
+ in Section 1. On the other hand, a large number of IP addresses is
+ more costly, requires the network topology to be more redundant, and
+ exacts extra management overhead.
+
+ If possible, the set of IP addresses for each clock should be chosen
+ in a way that enables the establishment of paths that are the most
+ different. If the load-balancing rules in the network are known, it
+ is possible to choose the IP addresses in a way that enforces path
+ diversity. However, even if the load-balancing scheme is not known,
+ a careful choice of the IP addresses can increase the probability of
+ path diversity. For example, choosing multiple addresses with
+ different prefixes is likely to produce higher path diversity, as BGP
+ routers are more likely to route these different prefixes through
+ different routes.
+
+ The use of Network Address Translation (NAT) may significantly reduce
+ the effectiveness of multipath synchronization in some cases. For
+ example, if a master uses multiple IP addresses that are translated
+ to a single IP address, the path diversity can be dramatically
+ reduced compared to a network that does not use NAT. Thus, path
+
+
+
+
+
+Shpiner, et al. Experimental [Page 7]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ discovery should be used to identify the possible paths between the
+ master and slave. Path discovery is further discussed in
+ Section 5.4.
+
+ The concept of using multiple IP addresses or multiple interfaces is
+ well established and is being used today by various applications and
+ protocols, e.g., [MPTCP]. Using multiple interfaces introduces some
+ challenges and issues, which were presented and discussed in [MIF].
+
+ The descriptions in this section refer to the end-to-end scheme of
+ PTP but are similarly applicable to the peer-to-peer scheme. MPNTP,
+ as described in this document, refers to the NTP client-server mode,
+ although the concepts described here can be extended to include the
+ symmetric variant as well.
+
+ Multipath synchronization by nature requires protocol messages to be
+ sent as unicast. Specifically in PTP, the following messages must be
+ sent as unicast in MPPTP: Sync, Delay_Req, Delay_Resp, PDelay_Req,
+ PDelay_Resp, Follow_Up, and PDelay_Resp_Follow_Up. Note that
+ [IEEE1588] allows these messages to be sent either as multicast or as
+ unicast.
+
+5.2. Single-Ended Multipath Synchronization
+
+ In the single-ended approach, only the slave is aware of the fact
+ that multiple paths are used, while the master is agnostic to the
+ usage of multiple paths. This approach allows a hybrid network,
+ where some of the clocks are multipath clocks and others are
+ conventional one-path clocks. A single-ended multipath clock
+ presents itself to the network as N independent clocks, using N IP
+ addresses, as well as N clockIdentity [IEEE1588] values (in PTP).
+ Thus, the usage of multiple slave identities by a slave clock is
+ transparent from the master's point of view, such that it treats each
+ of the identities as a separate slave clock.
+
+5.2.1. Single-Ended MPPTP Synchronization Message Exchange
+
+ The single-ended MPPTP message exchange procedure is as follows.
+
+ o Each single-ended MPPTP clock has a fixed set of N IP addresses
+ and N corresponding clockIdentities. Each clock arbitrarily
+ defines one of its IP addresses and clockIdentity values as the
+ clock primary identity.
+
+ o A single-ended MPPTP port sends Announce messages only from its
+ primary identity, according to the BMC algorithm.
+
+
+
+
+
+Shpiner, et al. Experimental [Page 8]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ o The BMC algorithm at each clock determines the master, based on
+ the received Announce messages.
+
+ o A single-ended MPPTP port that is in the 'slave' state uses
+ unicast negotiation to request the master to transmit unicast
+ messages to each of the N slave clockIdentity values. The slave
+ port periodically sends N Signaling messages to the master, using
+ each of its N identities. The Signaling message includes the
+ REQUEST_UNICAST_TRANSMISSION TLV [IEEE1588].
+
+ o The master periodically sends unicast Sync messages from its
+ primary identity, identified by the sourcePortIdentity [IEEE1588]
+ and IP address, to each of the slave identities.
+
+ o The slave, upon receiving a Sync message, identifies its path
+ according to the destination IP address. The slave sends a
+ Delay_Req unicast message to the primary identity of the master.
+ The Delay_Req is sent using the slave identity corresponding to
+ the path through which the Sync was received. Note that the rate
+ of Delay_Req messages may be lower than the Sync message rate, and
+ thus a Sync message is not necessarily followed by a Delay_Req.
+
+ o The master, in response to a Delay_Req message from the slave,
+ responds with a Delay_Resp message using the IP address and
+ sourcePortIdentity from the Delay_Req message.
+
+ o Upon receiving the Delay_Resp message, the slave identifies the
+ path using the destination IP address and the
+ requestingPortIdentity [IEEE1588]. The slave can then compute the
+ corresponding path delay and the offset from the master.
+
+ o The slave combines the information from all negotiated paths.
+
+5.2.2. Single-Ended MPNTP Synchronization Message Exchange
+
+ The single-ended MPNTP message exchange procedure is as follows.
+
+ o A single-ended MPNTP client has N separate identities, i.e., N IP
+ addresses. The assumption is that the server information,
+ including its IP address, is known to the NTP clients. This is a
+ fair assumption, as typically the address(es) of the NTP server(s)
+ is provided to the NTP client by configuration.
+
+ o A single-ended MPNTP client initiates NTP with an NTP server
+ N times, using each of its N identities.
+
+ o NTP is maintained between the server and each of the N client
+ identities.
+
+
+
+Shpiner, et al. Experimental [Page 9]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ o The client sends NTP messages to the master using each of its
+ N identities.
+
+ o The server responds to the client's NTP messages using the IP
+ address from the received NTP packet.
+
+ o The client, upon receiving an NTP packet, uses the IP destination
+ address to identify the path through which it came, and it uses
+ the time information accordingly.
+
+ o The client combines the information from all paths.
+
+5.3. Dual-Ended Multipath Synchronization
+
+ In dual-ended multipath synchronization, each clock has N IP
+ addresses. Time synchronization messages are exchanged between some
+ of the combinations of {master IP, slave IP} addresses, allowing
+ multiple paths between the master and slave. Note that the actual
+ number of paths between the master and slave may be less than the
+ number of chosen {master IP, slave IP} address pairs.
+
+ Once the multiple two-way connections are established, a separate
+ synchronization protocol exchange instance is run through each
+ of them.
+
+5.3.1. Dual-Ended MPPTP Synchronization Message Exchange
+
+ The dual-ended MPPTP message exchange procedure is as follows.
+
+ o Every clock has N IP addresses but uses a single clockIdentity.
+
+ o The BMC algorithm at each clock determines the master. The master
+ is identified by its clockIdentity, allowing other clocks to know
+ the multiple IP addresses it uses.
+
+ o When a clock sends an Announce message, it sends it from each of
+ its IP addresses with its clockIdentity.
+
+ o A dual-ended MPPTP port that is in the 'slave' state uses unicast
+ negotiation to request the master to transmit unicast messages to
+ some or all of its N_s IP addresses. This negotiation is done
+ individually between a slave IP address and the corresponding
+ master IP address with which the slave desires a connection. The
+ slave port periodically sends Signaling messages to the master,
+ using some or all of its N_s IP addresses as the source, to the
+ corresponding master's N_m IP addresses. The Signaling message
+ includes the REQUEST_UNICAST_TRANSMISSION TLV [IEEE1588].
+
+
+
+
+Shpiner, et al. Experimental [Page 10]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ ('N_s' and 'N_m' indicate the number of IP addresses of the slave
+ and master, respectively.)
+
+ o The master periodically sends unicast Sync messages from each of
+ its IP addresses to the corresponding slave IP addresses for which
+ a unicast connection was negotiated.
+
+ o The slave, upon receiving a Sync message, identifies its path
+ according to the {source IP, destination IP} addresses. The slave
+ sends a Delay_Req unicast message, swapping the source and
+ destination IP addresses from the Sync message. Note that the
+ rate of Delay_Req messages may be lower than the Sync message
+ rate, and thus a Sync message is not necessarily followed by a
+ Delay_Req.
+
+ o The master, in response to a Delay_Req message from the slave,
+ responds with a Delay_Resp message using the sourcePortIdentity
+ from the Delay_Req message and swapping the IP addresses from the
+ Delay_Req.
+
+ o Upon receiving the Delay_Resp message, the slave identifies the
+ path using the {source IP, destination IP} address pair. The
+ slave can then compute the corresponding path delay and the offset
+ from the master.
+
+ o The slave combines the information from all negotiated paths.
+
+5.3.2. Dual-Ended MPNTP Synchronization Message Exchange
+
+ The MPNTP message exchange procedure is as follows.
+
+ o Each NTP clock has a set of N IP addresses. The assumption is
+ that the server information, including its multiple IP addresses,
+ is known to the NTP clients.
+
+ o The MPNTP client chooses N_svr server IP addresses and N_c client
+ IP addresses and initiates the N_svr*N_c instances of the
+ protocol, one for each {server IP, client IP} address pair,
+ allowing the client to combine the information from the N_s*N_c
+ paths.
+
+ ('N_svr' and 'N_c' indicate the number of IP addresses of the
+ server and client, respectively, with which a client chooses to
+ connect.)
+
+ o The client sends NTP messages to the master using each of the
+ source-destination address combinations.
+
+
+
+
+Shpiner, et al. Experimental [Page 11]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ o The server responds to the client's NTP messages using the IP
+ address combination from the received NTP packet.
+
+ o Using the {source IP, destination IP} address pair in the received
+ packets, the client identifies the path and performs its
+ computations for each of the paths accordingly.
+
+ o The client combines the information from all paths.
+
+5.4. Using Traceroute for Path Discovery
+
+ The approach described thus far uses multiple IP addresses in a
+ single clock to create multiple paths. However, although each
+ two-way path is defined by a different {master IP, slave IP} address
+ pair, some of the IP address pairs may traverse exactly the same
+ network path, making them redundant.
+
+ Traceroute-based path discovery can be used for filtering only the IP
+ addresses that obtain diverse paths. 'Paris traceroute' [PARIS] and
+ 'TraceFlow' [TRACEFLOW] are examples of tools that discover the paths
+ between two points in the network. It should be noted that this
+ filtering approach is effective only if the Traceroute implementation
+ uses the same IP addresses and UDP ports as the synchronization
+ protocol packets. Since some Traceroute implementations vary the UDP
+ ports, they may not be effective in identifying and filtering
+ redundant paths in synchronization protocols.
+
+ Traceroute-based filtering can be implemented by both master and
+ slave nodes, or it can be restricted to run only on slave nodes to
+ reduce the overhead on the master. For networks that guarantee that
+ the path of the timing packets in the forward and reverse directions
+ are the same, path discovery should only be performed at the slave.
+
+ Since network routes change over time, path discovery and redundant
+ path filtering should be performed periodically. Two {master IP,
+ slave IP} address pairs that produce two diverse paths may be
+ rerouted to use the same paths. Thus, the set of addresses that are
+ used by each clock should be reassessed regularly.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 12]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+5.5. Using Unicast Discovery for MPPTP
+
+ As presented above, MPPTP uses Announce messages and the BMC
+ algorithm to discover the master. The unicast discovery option of
+ PTP can be used as an alternative.
+
+ When using unicast discovery, the MPPTP slave ports maintain a list
+ of the IP addresses of the master. The slave port uses unicast
+ negotiation to request unicast service from the master as follows:
+
+ o In single-ended MPPTP, the slave uses unicast negotiation from
+ each of its identities to the master's (only) identity.
+
+ o In dual-ended MPPTP, the slave uses unicast negotiation from its
+ IP addresses, each to a corresponding master IP address, to
+ request unicast synchronization messages.
+
+ Afterwards, the message exchange continues as described in
+ Sections 5.2.1 and 5.3.1.
+
+ The unicast discovery option can be used in networks that do not
+ support multicast or in networks in which the master clocks are known
+ in advance. In particular, unicast discovery avoids multicasting
+ Announce messages.
+
+6. Combining Algorithm
+
+ Previous sections discussed the methods of creating the multiple
+ paths and obtaining the time information required by the slave
+ algorithm. Once the time information is received through each of the
+ paths, the slave should use a combining algorithm, which consolidates
+ the information from the different paths into a single clock.
+ Various methods have been suggested for combining information from
+ different paths or from different clocks, e.g., [NTP] [SLAVEDIV]
+ [HIGH-AVAI] [KALMAN]. The choice of the combining algorithm is local
+ to the slave and does not affect interoperability. Hence, this
+ document does not define a specific method to be used by the slave.
+ The combining algorithm should be chosen carefully based on the
+ system properties, as different combining algorithms provide
+ different advantages. For example, some combining algorithms (e.g.,
+ [NTP] [DELAY-ATT]) are intended to be robust in the face of security
+ attacks, while other combining algorithms (e.g., [KALMAN]) are more
+ resilient to random delay variation.
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 13]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+7. Security Considerations
+
+ The security aspects of time synchronization protocols are discussed
+ in detail in [RFC7384]. The methods described in this document
+ propose to run a time synchronization protocol through redundant
+ paths and thus allow the detection and mitigation of
+ man-in-the-middle attacks, as described in [DELAY-ATT].
+ Specifically, multipath synchronization can mitigate the following
+ threats (as per [RFC7384]):
+
+ o Packet manipulation (Section 3.2.1 of [RFC7384]).
+
+ o Packet interception and removal (Section 3.2.5 of [RFC7384]).
+
+ o Packet delay manipulation (Section 3.2.6 of [RFC7384]).
+
+ It should be noted that when using multiple paths, these paths may
+ partially overlap, and thus an attack that takes place in a common
+ segment of these paths is not mitigated by the redundancy. Moreover,
+ an on-path attacker may in some cases have access to more than one
+ router or may be able to migrate from one router to another.
+ Therefore, when using multiple paths, it is important for the paths
+ to be as diverse and as independent as possible, making the
+ redundancy scheme more tolerant to on-path attacks.
+
+ It should be noted that the multipath approach requires the master
+ (or NTP server) to dedicate more resources to each slave (client)
+ than the conventional single-path approach. Hence, well-known
+ Distributed Denial-of-Service (DDoS) attacks may potentially be
+ amplified when the multipath approach is enabled.
+
+8. Scope of the Experiment
+
+ This memo is published as an Experimental RFC. The purpose of the
+ experimental period is to allow the community to analyze and to
+ verify the methods defined in this document. An experimental
+ evaluation of some of these methods has been published in [MULTI].
+ It is expected that the experimental period will allow the methods to
+ be further investigated and verified by the community. The duration
+ of the experiment is expected to be no less than two years from the
+ publication of this document.
+
+
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 14]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+9. References
+
+9.1. Normative References
+
+ [IEEE1588] IEEE Instrumentation and Measurement Society, "IEEE
+ Standard for a Precision Clock Synchronization Protocol
+ for Networked Measurement and Control Systems", IEEE
+ Std 1588-2008, DOI 10.1109/IEEESTD.2008.4579760.
+
+ [NTP] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
+ "Network Time Protocol Version 4: Protocol and Algorithms
+ Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
+ <http://www.rfc-editor.org/info/rfc5905>.
+
+9.2. Informative References
+
+ [ASYMMETRY]
+ He, Y., Faloutsos, M., Krishnamurthy, S., and B. Huffaker,
+ "On routing asymmetry in the Internet", IEEE GLOBECOM,
+ DOI 10.1109/GLOCOM.2005.1577769, December 2005.
+
+ [ASYMMETRY2]
+ Pathak, A., Pucha, H., Zhang, Y., Hu, C., and Z. Mao, "A
+ measurement study of internet delay asymmetry",
+ International Conference on Passive and Active Network
+ Measurement 2008, DOI 10.1007/978-3-540-79232-1_19,
+ April 2008.
+
+ [DELAY-ATT]
+ Mizrahi, T., "A Game Theoretic Analysis of Delay Attacks
+ against Time Synchronization Protocols", IEEE
+ International Symposium on Precision Clock Synchronization
+ for Measurement, Control and Communication (ISPCS),
+ DOI 10.1109/ISPCS.2012.6336612, September 2012.
+
+ [HIGH-AVAI]
+ Ferrari, P., Flammini, A., Rinaldi, S., and G. Prytz,
+ "High availability IEEE 1588 nodes over IEEE 802.1 aq
+ Shortest Path Bridging networks", IEEE International
+ Symposium on Precision Clock Synchronization for
+ Measurement, Control and Communication (ISPCS),
+ DOI 10.1109/ISPCS.2013.6644760, September 2013.
+
+ [KALMAN] Giorgi, G. and C. Narduzzi, "Kalman filtering for
+ multi-path network synchronization", IEEE International
+ Symposium on Precision Clock Synchronization for
+ Measurement, Control and Communication (ISPCS),
+ DOI 10.1109/ISPCS.2014.6948693, September 2014.
+
+
+
+Shpiner, et al. Experimental [Page 15]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+ [MIF] Blanchet, M. and P. Seite, "Multiple Interfaces and
+ Provisioning Domains Problem Statement", RFC 6418,
+ DOI 10.17487/RFC6418, November 2011,
+ <http://www.rfc-editor.org/info/rfc6418>.
+
+ [MPTCP] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
+ "TCP Extensions for Multipath Operation with Multiple
+ Addresses", RFC 6824, DOI 10.17487/RFC6824, January 2013,
+ <http://www.rfc-editor.org/info/rfc6824>.
+
+ [MULTI] Shpiner, A., Revah, Y., and T. Mizrahi, "Multi-path Time
+ Protocols", IEEE International Symposium on Precision
+ Clock Synchronization for Measurement, Control and
+ Communication (ISPCS), DOI 10.1109/ISPCS.2013.6644754,
+ September 2013.
+
+ [PARIS] Augustin, B., Friedman, T., and R. Teixeira, "Measuring
+ Load-balanced Paths in the Internet", 7th ACM SIGCOMM
+ conference on Internet measurement (IMC '07),
+ DOI 10.1145/1298306.1298329, October 2007.
+
+ [PARIS2] Augustin, B., Friedman, T., and R. Teixeira, "Measuring
+ Multipath Routing in the Internet", IEEE/ACM Transactions
+ on Networking, 19(3), pp. 830-840,
+ DOI 10.1109/TNET.2010.2096232, June 2011.
+
+ [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in
+ Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
+ October 2014, <http://www.rfc-editor.org/info/rfc7384>.
+
+ [SLAVEDIV] Mizrahi, T., "Slave Diversity: Using Multiple Paths to
+ Improve the Accuracy of Clock Synchronization Protocols",
+ IEEE International Symposium on Precision Clock
+ Synchronization for Measurement, Control and Communication
+ (ISPCS), DOI 10.1109/ISPCS.2012.6336621, September 2012.
+
+ [TRACEFLOW]
+ Narasimhan, J., Venkataswami, B., Groves, R., and P.
+ Hoose, "Traceflow", Work in Progress,
+ draft-janapath-intarea-traceflow-00, January 2012.
+
+
+
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 16]
+
+RFC 8039 Multipath Time Synchronization December 2016
+
+
+Acknowledgments
+
+ The authors would like to thank Yoram Revah for his contribution to
+ this work. The authors also gratefully acknowledge the useful
+ comments provided by Peter Meyer, Doug Arnold, Joe Abley, Zhen Cao,
+ Watson Ladd, and Mirja Kuehlewind, as well as other comments received
+ from the TICTOC working group participants.
+
+Authors' Addresses
+
+ Alex Shpiner
+ Mellanox Technologies, Ltd.
+ Hakidma 26
+ Ofer Industrial Park
+ Yokneam, 2069200
+ Israel
+
+ Email: alexshp@mellanox.com
+
+
+ Richard Tse
+ Microsemi
+ 8555 Baxter Place
+ Burnaby, BC V5A 4V7
+ Canada
+
+ Email: Richard.Tse@microsemi.com
+
+
+ Craig Schelp
+ Oracle
+
+ Email: craig.schelp@oracle.com
+
+
+ Tal Mizrahi
+ Marvell
+ 6 Hamada St.
+ Yokneam, 2066721
+ Israel
+
+ Email: talmi@marvell.com
+
+
+
+
+
+
+
+
+
+Shpiner, et al. Experimental [Page 17]
+