[ntp:questions] pool.ntp.org and authentication

Harlan Stenn stenn at ntp.org
Tue Dec 16 12:36:39 UTC 2014

Miroslav Lichvar writes:
> On Tue, Dec 16, 2014 at 05:43:59AM +0000, Harlan Stenn wrote:
> > d_anderson writes:
> > > Thanks! I quickly skimmed through the document, and I think I am
> > > asking the wrong questions..
> > 
> > I've been trying to think of good reasons to authenticate pool servers
> > and I haven't come up with any good ones yet.
> Protection against MITM attacks?

Not sure how that would help, with the current autokey mechanism.

> Of course, with a public pool like pool.ntp.org an attacker could join
> it with a number of his NTP servers, get their certificates signed and
> serve whatever he wants, no need for a MITM. Even if DNS was secure
> and all clients were configured to use four pool servers, the pool DNS
> server would not likely be able to prevent some clients getting three
> bad servers outvoting the fourth server.
> But I think it would still be a significant improvement in security.
> The NTS draft says the scheme is not applicable to pools. I'm
> wondering what would be needed to make it applicable.

I expect autokey will be deprecated when NTS is deployed.

The "pool" directive will get more than 4 servers, which makes it much
harder for "bad guys" to outvote other pool servers.

If folks are that concerned about bad actors in the pool it's easy
and inexpensive enough to get GPS puck as a local timeserver, for
additional sanity checking.

The only way I currently see to get something working with the pool
mechanism would be to use DNSSEC and do a lookup based on the IP.
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!

More information about the questions mailing list