[ntp:hackers] Autokey identity keys

TS Glassey tglassey at earthlink.net
Mon Nov 5 16:11:15 UTC 2007


Gentlemen, this is easily solved...

----- Original Message ----- 
From: "Brian Utterback" <Brian.Utterback at Sun.COM>
To: <hackers at ntp.org>
Cc: "Danny Mayer" <mayer at ntp.isc.org>; "David L. Mills" <mills at udel.edu>
Sent: Sunday, November 04, 2007 7:07 PM
Subject: Re: [ntp:hackers] Autokey identity keys


> Rob Neal wrote:
>>
>>  Say, for arguments sake, changes are made to ntpd that allow
>>  one to specify the external nat address for autokey in place
>>  of the 192.168.x.y at the endpoint.
>>
>>  1) What happens if somebody *else* behind your NAT box
>>     tries to do the same thing to the same (external) server? boom...
>>
>
> What happens now if two different clients or servers behind a NAT try to
> connect to the same upstream system? I think indeed boom either way. This is
> one reason I have always argued against IP address as an authentication
> mechanism.

This is why a Key/Certificated Identity is necessary to also denote the
actual application running on that IP Address, or to allow separate systems'
requests through a common tunnel to be handled - i.e. through a NAT Gateway.

This allows two types of uses securely, including one which would allow the
combination of the IP Address and the AutoKEY identity to identify the
requesting party/SW image.

>
>>  2) Changes such as the above would seem to make masquerade all
>>     too easy for evildoers, or the terminally confused.
>>
>
> It doesn't make it any easier in the grand scheme of things. How long do
> you think it would take me to hack that into the source? All you have done
> by not doing it is changed from "a simple matter of configuration" to "a
> simple matter of programming".


>>  3) Wanna explain this one to the auditors? In certain environments,
>>     this could be a killer for trying to maintain traceability.
>>
>
> Don't see how. Auditing on which end? If you are talking about his end,
> then the IP addresses are different. Same at the NAT. At the other end
> there has to be a way to tell which is which in any other scheme that might
> be used.
>
> Consider, NTP also requires that port 123 be used in many instances.
> Again, how would you allow two local addresses to use the same NAT'ed
> address and port 123 at the same time?
>>
>> Rob
>> _______________________________________________
>> hackers mailing list
>> hackers at lists.ntp.org
>> https://lists.ntp.org/mailman/listinfo/hackers
>>
> Brian Utterback