[ntp:hackers] Autokey identity keys

David L. Mills mills at udel.edu
Sun Nov 4 15:11:09 UTC 2007


Hal,

Problem is, at least with my FIOS connection, the inside address is a 
192.168 thing. I would assume the router box translates that to a 
routable address to reveal outside. A workaround might be an extended 
cookie included with every packet.

Dave

Hal Murray wrote:

>> The scheme is very easy to use; the directions are in the
>> Authentication Options and ntp-keygen documentation pages. The group
>> name for pogo.udel.edu is pogo and for rackety.udel.edu is rackety.
>
>
>> The key dissemination scheme is preliminary and might be refined in
>> future. I would be much interested in comments and bug reports.
>
>
> authopt.html says:
> Autokey authenticates individual packets using cookies bound to the IP
> source and destination addresses. The cookies must have the same
> addresses at both the server and client. For this reason operation
> with network address translation schemes is not possible. This
> reflects the intended robust security model where government and
> corporate NTP servers are operated outside firewall perimeters.
>
> My home DSL "modem" includes a NAT box. I think that's reasonably common.
> It probably also covers many small businesses.
>
>
> If ntpd knew the IP Address of the outside of the NAT box (say via the 
> config
> file), could it use that when computing the autokey cookies?
>
>
>
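The exchange above turns on cookies being bound to the IP source and destination addresses of each packet, so that a NAT box rewriting the source address leaves client and server computing different values. The following is an added illustration, not ntpd's cookie code: a simplified model in which both sides digest the address pair together with a server-held private value. The addresses, the private value and the helper names (`cookie`, `cookies_match`, `demo`) are all constructed for the example. It also shows Hal's proposed fix, where the client substitutes the configured outside address of the NAT box for its inside 192.168 address.

```python
import hashlib
import ipaddress

# Constructed server-side secret; in the model, only the server holds it.
SERVER_PRIVATE_VALUE = b"constructed-server-private-value"


def cookie(src_addr: str, dst_addr: str,
           private_value: bytes = SERVER_PRIVATE_VALUE) -> bytes:
    """Simplified address-bound cookie: a digest over the packed source and
    destination IPv4 addresses plus a private value. This follows the page's
    description only; it is not ntpd's actual Autokey cookie computation."""
    src = ipaddress.IPv4Address(src_addr).packed
    dst = ipaddress.IPv4Address(dst_addr).packed
    return hashlib.md5(src + dst + private_value).digest()


def cookies_match(client_src: str, server_seen_src: str, server_addr: str) -> bool:
    """True when the cookie the client derives from its own view of the packet
    equals the cookie the server derives from the addresses it actually sees."""
    client_cookie = cookie(client_src, server_addr)
    server_cookie = cookie(server_seen_src, server_addr)
    return client_cookie == server_cookie


# Constructed addresses (documentation ranges from RFC 5737 / RFC 1918).
CLIENT_INSIDE = "192.168.1.10"   # address the client sees on its own interface
NAT_OUTSIDE = "203.0.113.7"      # address the server sees after translation
SERVER = "198.51.100.5"


def demo() -> tuple:
    """Returns (match_without_fix, match_with_fix).

    Without the fix the client uses its inside address while the server sees
    the NAT outside address, so the cookies differ. With the fix the client
    uses the configured outside address, so both sides agree."""
    without_fix = cookies_match(CLIENT_INSIDE, NAT_OUTSIDE, SERVER)
    with_fix = cookies_match(NAT_OUTSIDE, NAT_OUTSIDE, SERVER)
    return without_fix, with_fix


if __name__ == "__main__":
    print("cookies agree through NAT without fix:", demo()[0])
    print("cookies agree with configured outside address:", demo()[1])
```

The model deliberately leaves out the rest of the protocol (key IDs, session keys, the encrypted cookie exchange); its only point is that any value derived from the on-the-wire address pair must be computed from the same pair on both ends, which is exactly what a configured outside address would restore.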
