[ntp:hackers] Autokey identity keys

Brian Utterback brian.utterback at sun.com
Fri Nov 9 17:25:37 UTC 2007


No it won't because the addresses will match.

The problem with the proposed scheme is not that it won't work,
it's that it isn't reliable. There is no general-purpose, reliable
programmatic way for the ntpd to know what the apparent IP
address after NAT is, so it must be hand configured. But if
your NAT box is also a DHCP client (as is the case with most home
routers) then the external IP address could change, requiring
a change in the configuration of ntpd. So, it will work until it
fails, and then it will fail until it is noticed and reconfigured.

Of course, there are probably many setups where the external address
is static or very nearly so, in which case the proposed change
is certainly useful.

To make this easier to understand, if the ntpd daemon knows the
external address, then it is a "simple matter of programming" to
get it to produce the exact same bits it would have if the system
it is on actually had that IP address. There is no denying that
the system can be made to work if we want to do it.

Danny Mayer wrote:
> Matthias Urlichs wrote:
>> Hi,
>>
>> timelord at horizon.com:
>>> The feature request is to allow ntpd to act as a back-end for
>>> such a NAT box.  But clients of the NAT box don't have to know
>>> anything about that.
>> Right.
>>
>> This should not be more involved than a "for purposes of AutoKey
>> generation, pretend that your public IP address is 10.1.2.3"
>> configuration option.
>>
> 
> At which point your Autokey will fail as the server will expect it to
> match the actual address sending the packet and since NAT is likely to
> result in giving you different addresses and not just port numbers, the
> authentication will fail.
> 
> Danny
> _______________________________________________
> hackers mailing list
> hackers at lists.ntp.org
> https://lists.ntp.org/mailman/listinfo/hackers

-- 
blu

"You've added a new disk. Do you want to replace your current
drive, protect your data from a drive failure or expand your
storage capacity?" - Disk management as it should be.
----------------------------------------------------------------------
Brian Utterback - Solaris RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom