[ntp:questions] Re: NTP sync

Brad Knowles brad.knowles at skynet.be
Tue Sep 23 16:04:12 UTC 2003


At 5:07 AM -0700 2003/09/23, Michael Sierchio wrote:

>  How do ISAKMP messages get through?  UDP traffic on port 500
>  isn't tunneled.  How would NTP traffic get through?  An exercise
>  left to the reader.

	Good questions.  I was assuming that all IP traffic would be 
tunneled over IPSec, so it shouldn't be an issue.

>  Another thing -- if you regard NTP to be a critical service, and
>  are concerned with security and avoiding potential threats, it's
>  better for any number of reasons to use the built-in auth methods.

	Additional authentication at the NTP level would obviously be 
very attractive, but would not interfere with doing the transaction 
over IPSec, nor would be precluded.  The two are largely independent 
of each other, although I'm sure IPSec adds some "interesting" 
characteristics to the perceived network latency, etc....

>  How, for example, does an application running on a host verify that
>  a VPN tunnel is in force?  It can't.  Validating messages makes
>  sense, all the more so because NTP uses UDP.

	Running the connection over an encrypted tunnel doesn't change 
any of these factors.

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)



More information about the questions mailing list