[ntp:hackers] Autokey identity keys
TS Glassey
tglassey at earthlink.net
Mon Nov 5 16:11:15 UTC 2007
Gentlemen, this is easily solved...
----- Original Message -----
From: "Brian Utterback" <Brian.Utterback at Sun.COM>
To: <hackers at ntp.org>
Cc: "Danny Mayer" <mayer at ntp.isc.org>; "David L. Mills" <mills at udel.edu>
Sent: Sunday, November 04, 2007 7:07 PM
Subject: Re: [ntp:hackers] Autokey identity keys
> Rob Neal wrote:
>>
>> Say, for argument's sake, changes are made to ntpd that allow
>> one to specify the external NAT address for autokey in place
>> of the 192.168.x.y at the endpoint.
>>
>> 1) What happens if somebody *else* behind your NAT box
>> tries to do the same thing to the same (external) server? boom...
>>
>
> What happens now if two different clients or servers behind a NAT try to
> connect to the same upstream system? I think indeed boom either way. This
> is one reason I have always argued against IP address as an authentication
> mechanism.
This is why a Key/Certificated Identity is necessary to also denote the
actual application running on that IP Address, or to allow separate systems'
requests through a common tunnel to be handled - i.e. through a NAT Gateway.
This allows two types of uses securely, including one which would allow the
combination of the IP Address and the Autokey identity to identify the
requesting party/SW image.
>
>> 2) Changes such as the above would seem to make masquerade all
>> too easy for evildoers, or the terminally confused.
>>
>
> It doesn't make it any easier in the grand scheme of things. How long do
> you think it would take me to hack that into the source? All you have done
> by not doing it is changed from "a simple matter of configuration" to "a
> simple matter of programming".
>> 3) Wanna explain this one to the auditors? In certain environments,
>> this could be a killer for trying to maintain traceability.
>>
>
> Don't see how. Auditing on which end? If you are talking about his end,
> then the IP addresses are different. Same at the NAT. At the other end
> there has to be a way to tell which is which in any other scheme that
> might be used.
>
> Consider, NTP also requires that port 123 be used in many instances.
> Again, how would you allow two local addresses to use the same NAT'ed
> address and port 123 at the same time?
>>
>> Rob
>> _______________________________________________
>> hackers mailing list
>> hackers at lists.ntp.org
>> https://lists.ntp.org/mailman/listinfo/hackers
>>
> Brian Utterback