[ntp:questions] pool.ntp.org and authentication

Harlan Stenn stenn at ntp.org
Sun Dec 14 00:22:05 UTC 2014


d_anderson writes:
> Hi all
> 
> I was wondering if it makes sense to set up Autokey authentication on
> a client for when it wants to sync time from *.pool.ntp.org. My goal
> is to encrypt communication between client and server and to make sure
> the server is really the one it claims to be. Can this be even done
> with pools?

Not with the current technology.

First, autokey is about to become deprecated in favor of NTS - Network
Time Security:

 https://tools.ietf.org/html/draft-ietf-ntp-network-time-security-05

If that wasn't the case, autokey (which was designed a long time ago)
needs the server to have a unique key.  For pool servers, every pool
server would have to share the same private key.  That would make the
security provided almost nonexistent.  If we changed the protocol to use
some other mechanism to get the server's key (probably based on the IP)
we'd need to change the autokey protocol.  That would not appear to be a
worthwhile exercise given that we intend to deprecate autokey in favor
of NTS "soon".

H

