[ntp:questions] Re: Configuring a server and clients behind a firewall

Brian Utterback brian.utterback at sun.removeme.com
Tue Feb 1 19:53:55 UTC 2005

Brad Knowles wrote:

>     For a system to be a functioning peer, this has to be defined on 
> both ends.  One machine cannot just "peer" with yours and have yours 
> believe them.  Of course, if they know other machines that you have 
> peered with, they might be able to do some UDP packet spoofing and cause 
> some confusion for your server.  Which is why you want to combine "peer" 
> definitions with some authentication.

Not so. If both systems are configured to peer with each other,
this is "symmetric active" mode. However, one may be configured
to peer with the other, but that one in turn is not configured
to peer with the first. This is "symmetric passive" mode. This
generally requires that the packet be authenticated with a
crypto key, but if such authentication has been turned off,
then the packet requires no authentication at all.

It happens to be the case that some vendors have made the
default to "disable auth", which opens a system up to such
peering without the authentication. Any system that has
disabled auth and does not have restrictions set to prevent
it is vulnerable to invalid time attacks. In fact, with
virtual interfaces allowing a single system to appear as
many systems, it is possible to adjust the time on such a
server to anything you want. Trust me on this one, I
know 8-).


I voted electronically...I think.
Brian Utterback - OP/N1 RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
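The exposure Brian describes is a combination of two settings: `disable auth` (so an unsolicited symmetric-active packet is accepted without a key) and a `restrict default` line that lacks `nopeer` (so the unsolicited packet is allowed to create a symmetric-passive association at all). The following checker, an added example that is not part of the mailing-list post or of the ntp project, parses an ntp.conf and reports that combination. The two sample configurations, the function names (`parse`, `audit`), the finding labels, the 192.0.2.x addresses and the `/etc/ntp/keys` path are all constructed for illustration.

```python
"""Audit an ntp.conf for unauthenticated symmetric-passive peering.

Constructed example; the two sample configs below are made up and
are not from the mailing-list thread or the ntp distribution.
"""

# Constructed "weak" config: auth switched off (the vendor default the
# post mentions) and a default restrict line without nopeer.
WEAK_CONF = """\
disable auth
server 192.0.2.10
peer 192.0.2.20
restrict default nomodify noquery
"""

# Constructed "hardened" config: auth on, peers bound to a key, and
# nopeer on the default restriction so unsolicited peers are refused.
HARDENED_CONF = """\
enable auth
keys /etc/ntp/keys          # placeholder path
trustedkey 1
server 192.0.2.10
peer 192.0.2.20 key 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""


def parse(conf):
    """Split ntp.conf text into token lists, dropping comments and blanks."""
    rows = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def audit(conf):
    """Return a list of finding labels for the given ntp.conf text."""
    findings = []
    rows = parse(conf)

    # 'disable auth' / 'enable auth' are ntpd commands; the reference
    # implementation defaults to enabled, so an unstated value is only
    # reported as 'not explicit' rather than as vulnerable.
    auth_disabled = any(r[0] == "disable" and "auth" in r[1:] for r in rows)
    auth_enabled = any(r[0] == "enable" and "auth" in r[1:] for r in rows)

    # Only the 'restrict default' line governs unsolicited packets;
    # 'nopeer' refuses new symmetric-passive associations, and 'ignore'
    # drops everything.
    default_restrict = [r for r in rows
                        if r[0] == "restrict" and len(r) > 1 and r[1] == "default"]
    passive_blocked = any("nopeer" in r or "ignore" in r for r in default_restrict)

    if auth_disabled:
        findings.append("auth-disabled")
    elif not auth_enabled:
        findings.append("auth-not-explicit")
    if not passive_blocked:
        findings.append("passive-peers-allowed")
    if auth_disabled and not passive_blocked:
        # This is exactly the condition the post warns about.
        findings.append("unauthenticated-passive-peering")

    # Explicit peer lines should carry a key as well; a peer configured
    # on one side only is the symmetric-passive case on the other side.
    for r in rows:
        if r[0] == "peer" and "key" not in r and "autokey" not in r:
            findings.append("peer-without-key:" + r[1])
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["clean"])
```

Run against the weak sample the checker reports the unauthenticated-passive-peering combination plus the keyless `peer` line; the hardened sample produces no findings. It deliberately looks only at `restrict default`, because a more specific `restrict` entry for a named host does not change what an unknown source is allowed to do.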
