[ntp:hackers] Using authentication

Harlan Stenn stenn at ntp.org
Thu Nov 5 17:55:38 UTC 2015

Brian Utterback writes:
> I would like to understand the current state of affairs regarding 
> setting up authentication in NTP. My understanding is that there is a 
> CVE that was recently published that calls out a vulnerability called 
> "small step/big step", which the next release of NTP will address. 
> However, the change doesn't actually fix the problem it just makes the 
> window of opportunity smaller. The only real fix is to use authentication.

I'm not really sure that's true either.

- use enough NTP servers
- monitor your ntpd instances

> So, the thing is, most people don't authenticate NTP. I'd like to 
> understand why and discuss what we can do about it. Any ideas? Didn't we 
> even talk recently about removing autokey?

NTF is working on implementing the Network Time Security draft
proposal.  That should be done in the next few months' time.  We're all
expecting it will be a decent replacement for autokey.

Otherwise, private/symmetric authentication is available.

Small-step/big-step should be fixed in the next release, due out
"soon".  I finished the fix for that a few days' ago and we've been
testing that fix since then.

I'm trying really hard to make sure that we won't need to make another
release between 4.2.8p5 (as soon as possible before US Thanksgiving
holiday) and early January.

The current holdup has to do with origin timestamp testing for response
packets.  We're testing code there too.

NTF still doesn't have enough resources to pay for additional developer
help and we don't have enough volunteer developer help to make faster
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!

More information about the hackers mailing list