[ntp:questions] Can I stop authenticated peers from mobilizing symmetric associations
Majdi S. Abbas
msa at latt.net
Thu Mar 9 15:56:22 UTC 2017
On Thu, Mar 09, 2017 at 03:16:57PM +0000, Moser, Stefan wrote:
> Now assume that one of the remote NTP clients turns bad, deliberately configures forged
> time, and enters "peer <IP_of_my_local_NTP_server>" in its ntp.conf. This (correct me
> if I'm wrong) creates a dynamic mobilization with my local NTP server, and my local
> NTP server will eventually believe in the client's (now it's a peering server....) time.
Ahh, now I understand the problem. You are misunderestimating NTP.
Simply being authenticated allows you to establish the symmetric
association -- it does not mean ntpd will select that peer to
provide time to it. If it provides time that differs from the
servers it has configured (even if unauthenticated), the selection
and filter algorithms will ignore the symmetric association.
The peer, even if authenticated and malacious, needs to pass all
the filtering and selection algorithms any source of time does.
Authentication authenticates the peer and the the timestamps -- it does
not assure quality of the time provided, and ntpd does not make that
> I think that this a potential security problem, and I'm looking for a parameter
> which I can use to r e j e c t dynamic mobilizations of a u t h e n t i c a t e d
> remote servers with my local server. For *un*authenticated servers, 'nopeer' is
> the parameter for doing this. But 'nopeer' does only work for unauthenticated connections.
You can always use "notrust" forcing the clients to authenticate
even if you're simply a server to them. There's nothing that says you
must use authentication with symmetric mode; they are orthagonal to each
other (although, you should authenticate symmetric peers as a best
practice -- but you may also authenticate simple clients.)
More information about the questions