[ntp:questions] Can I stop authenticated peers from mobilizing symmetric associations

Majdi S. Abbas msa at latt.net
Fri Mar 10 07:34:51 UTC 2017


On Thu, Mar 09, 2017 at 05:24:35PM +0100, Miroslav Lichvar wrote:
> Couldn't the malicious client create a larger number of ephemeral
> associations, using multiple IP addresses, in order to outvote good
> servers?

	If it has a bunch of IP addresses, maybe... but you'd have to
be close enough to the existing clock to capture the peer... (read:
close/low latency and jitter path, and serve better time than the
configured servers for a while).

	...and that assumes you aren't using prefer on your chosen servers.

	So someone on a network near you, with a bunch of resources,
who already has your credentials, serves you good time, and then slowly
walks you away from it.  Too fast, you'll just hop back to your former
associations and throw the lot out.

	They'll have to maintain state (crypto, peer, refid, etc.) for
each session and each IP needs to have a very good connection to you.

	So they wouldn't be able to move the clock very far very 
quickly in practice (maybe a few ms per hour) and they need access to 
a network very close to you (possibly yours.)

	For you not to notice this means you're not monitoring your
servers, either, at least not in a very comprehensive fashion.

	This doesn't strike me as a particularly likely threat.  Anyone
that close to you who already has your credentials has them because
they're in control of your systems and network anyway, at which point
NTP is not your biggest problem.  If they get away with it, it's because
you weren't monitoring for a very long period of time... so I'm not
going to lose any sleep over this one.

	If you're really that worried about it, acquire local reference
clocks of high quality and attach them to your hosts.

	--msa
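
Added example, not part of the original message or of the NTP project's code: a monitoring check of the kind the reply alludes to, which reads `ntpq -pn` output and flags associations that are not in the operator's configured server list, plus the case where the configured servers jointly disagree with the local clock. The sample billboard, the addresses (documentation ranges), the 2 ms threshold, the finding names and the assumption that the `t` column shows `s` for symmetric associations (as newer ntpq versions do) are all constructed for illustration.

```python
import statistics

TALLY_CODES = "x.-+#*o"  # ntpq selection marks in column one; "*" is the system peer

# Constructed sample of `ntpq -pn` output (not captured from a real host).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.7     .GPS.            1 s   33   64  377    0.412    0.051   0.020
+203.0.113.8     .GPS.            1 s   12   64  377    0.398    0.047   0.018
-192.0.2.10      198.51.100.1     2 u   40   64  377   12.301    4.912   0.310
-192.0.2.11      198.51.100.2     2 u   21   64  377   14.020    5.104   0.295
"""
CONFIGURED = {"192.0.2.10", "192.0.2.11"}  # hypothetical server lines from ntp.conf

def parse_billboard(text):
    """Return one dict per peer row; header and ruler lines are skipped."""
    peers = []
    for line in text.splitlines():
        if line and line[0] in TALLY_CODES:
            tally, rest = line[0], line[1:]
        else:
            tally, rest = " ", line
        f = rest.split()
        if len(f) != 10 or f[0] == "remote":
            continue
        peers.append({"tally": tally, "remote": f[0], "type": f[3],
                      "reach": int(f[6], 8), "offset_ms": float(f[8])})
    return peers

def audit(text, configured, max_offset_ms=2.0):
    """Flag associations the operator never configured, and clock divergence."""
    findings = []
    peers = parse_billboard(text)
    for p in peers:
        if p["remote"] in configured:
            continue
        code = "UNCONFIGURED_SYSPEER" if p["tally"] == "*" else "UNCONFIGURED"
        if p["type"] == "s":  # assumption: "s" marks a symmetric association
            code += "_SYMMETRIC"
        findings.append((code, p["remote"]))
    # Offsets are relative to the local clock: if reachable configured servers
    # agree with each other but not with us, the local clock has been led away.
    trusted = [p["offset_ms"] for p in peers if p["remote"] in configured and p["reach"]]
    if trusted and abs(statistics.median(trusted)) > max_offset_ms:
        findings.append(("CONFIGURED_SERVERS_DISAGREE", round(statistics.median(trusted), 3)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, CONFIGURED):
        print(finding)
```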

