[ntp:hackers] Re: NTP and leap-seconds
David L. Mills
mills at udel.edu
Tue Jul 4 05:19:31 UTC 2006

Gov't security has nothing to do with my agenda, even if I spent ten
years as a Beltway Bandit with CIA and NSA contracts. As with DNS,
consider the case where some twerp is able to torque the time two days
in the future and the DNS caches all expire. The traffic to reload the
caches might well poison the Internet. So was the argument when I was
called to the White House meeting on possible hazards when the
Millennium rolled over.

Start from first principles. Assume time is a fangible quantity and
examine the inner workings of every service on the planet. A determined
terrorist might well find some purchase. I conclude you can't trust the
DNS; the first thing you have to trust is the time.

Tim Shoppa wrote:
> "David L. Mills" <mills at udel.edu> wrote:
>> Having come this far, what is your security model for the leapsecond
>> table? Is it more or less secure than the symmetric/public key
>> cryptographic model? This is not to blow off your suggestion, just to
>> suggest the security model needs to be addressed.
> David -
> I have often wondered about the somewhat ponderous Autokey model
> for NTP crypto. While it's not the most onerous thing to set up
> it is not as easy as just putting in 3 or 4 nameservers into ntp.conf
> and letting it run.
> It seems to me that the non-crypto DNS root zone file distribution
> methods are less top-heavy (if less secure) and seem to work well.
> In fact if we could distribute the leapsecond table via DNS
> it seems like it'd kill multiple birds with one stone.
> I also realize that crypto is now intertwined into DNS in at least
> some installations. And also that system time (and thus NTP) is
> itself used to seed some crypto methods. Makes for a pretty tangled
> knot if I think too hard!
> Dave, would I be too far off to guess that most of the Autokey
> stuff was added to satisfy some mil or gov't requirement?