[ntp:questions] Windows Time with NTPv4

Martin Burnicki martin.burnicki at meinberg.de
Mon Mar 10 10:01:37 UTC 2008


David L. Mills wrote:
> Folks,
> I just poked around and discovered something interesting that affects
> Windows clients, both XP and Vista.
> Microsoft has broken the NTP specification in that the client sends a
> request in symmetric active mode instead of client mode. According to
> the NTP spec, both ancient and modern, this causes the server to launch
> a symmetric passive association, which would be a serious security
> vulnerability.
> The NTPv4 servers, including those at USNO and NIST, have specific means
> to protect against this vulnerability, so as you might have noticed,
> synchronizing XP or Vista clients to those servers fails.
> However, I jimmied the code so that, while it will not launch an
> association if denied, it will reply in symmetric passive mode. In other
> words, the server behaves in the same way as with an ordinary
> client/server mode. With this change, now in the development branch,
> Windows XP and Vista now work correctly.
> I'm not happy about this. I thought Microsoft had fixed this long ago in
> a service pack. Now at least folks with 400 PCs don't all have to light
> up Windows NTP.

Huh? This has already been discussed back in 2002, and you had already
introduced a workaround which should (and obviously did) work similar to
what you write now.

See your own posts from August 4, 2002:

Had this workaround been removed intentionally or unintentionally in the
meantime, or why should the current -dev version refuse to respond to the
requests of those broken clients?

BTW, there's a Meinberg FAQ which tells how to fix those broken Windows
clients and let them send normal peer requests instead of symmetric active

"Why does my Windows Time Service (w32time) not synchronize with my NTP

Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
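
Added example, not part of the original post and not ntpd's own code: a Python sketch of the mode handling described in the thread, where a request arriving in symmetric active mode gets a symmetric passive reply while the server keeps per-peer state only if its policy allows it. The function names, the `peering_allowed` flag and the sample packets are assumptions made for illustration.

```python
from typing import NamedTuple

# NTP association modes (the 3-bit "Mode" field of the header).
SYMMETRIC_ACTIVE, SYMMETRIC_PASSIVE, CLIENT, SERVER = 1, 2, 3, 4
NTP_HEADER_LEN = 48


class Header(NamedTuple):
    leap: int
    version: int
    mode: int


def parse_header(packet: bytes) -> Header:
    """Decode LI (2 bits), VN (3 bits) and Mode (3 bits) from the first octet."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first = packet[0]
    return Header(first >> 6, (first >> 3) & 0x7, first & 0x7)


def server_response(request: Header, peering_allowed: bool):
    """Return (reply_mode, mobilize_association), or None to drop the packet.

    peering_allowed is a hypothetical stand-in for the server's own policy
    decision on whether this sender may become a symmetric peer.
    """
    if request.mode == CLIENT:
        return SERVER, False
    if request.mode == SYMMETRIC_ACTIVE:
        # Reply in symmetric passive mode either way; create association
        # state only when policy allows it.
        return SYMMETRIC_PASSIVE, peering_allowed
    return None


def make_request(leap: int, version: int, mode: int) -> bytes:
    """Constructed sample packet: header octet set, remaining fields zero."""
    return bytes([(leap << 6) | (version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)


# Constructed samples, not captured traffic.
SAMPLES = {
    "ordinary client": make_request(0, 4, CLIENT),
    "symmetric-active sender": make_request(3, 3, SYMMETRIC_ACTIVE),
}
```

Running `parse_header` over the first octet of captured requests is also a quick way to find which hosts on a network still send mode 1 instead of mode 3.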
