[ntp:hackers] Re: NTP and leap-seconds
David L. Mills
mills at udel.edu
Mon Jul 3 05:30:58 UTC 2006
Having come this far, what is your security model for the leapsecond
table? Is it more or less secure than the symmetric/public key
cryptographic model? This is not to blow off your suggestion, just to
suggest the security model needs to be addressed.
Tim Shoppa wrote:
> "David L. Mills" <mills at udel.edu> wrote:
>> The usual behavior is that servers do not realize a leapsecond is
>> pending, either because they have not been told using ntpdc or the
>> radios or drivers do not implement the warning. So the code sifts from
>> among the (usually) three survivors of the mitigation algorithms and
>> sets the leap if one or more show leap. You suggestion would change that
>> to require two out of the three to set the leap. What if there are only
>> two survivors?
> Now, if we have four stratum 2 server that each get time from 4
> of 16 independent stratum 1's, and a hundred stratum 3 servers that
> each get time from the four stratum 2's, AND a single stratum 1
> mistakenly gives a leapsecond pending for a while, then a single stratum
> 2 will get "infected" and then you can end
> up with a hundred stratum 3's thinking that there's a leapsecond pending
> as a result of a single mistaken stratum 1.
>> The most reliable and secure solution to the false alarm problem is to
>> run Autokey and use the leapsecond table as distributed from the primary
> It may be profitable to distribute this table without having to resort
> to Autokey etc. Not that Autokey is bad or even difficult but it's not
> commonly set up.
More information about the hackers