[ntp:hackers] A stop-gap authenticated time service
Miroslav Lichvar
mlichvar at redhat.com
Mon Nov 9 10:51:02 UTC 2015
On Sun, Nov 08, 2015 at 04:15:40PM +0000, Poul-Henning Kamp wrote:
> http://phk.freebsd.dk/time/20151108.html
>
> If anybody else wants to implement this in other NTP programs I
> kindly ask that you get in touch with me: We may eventually need
> to issue an RFC about this, and we should not make that harder
> for anybody than it needs to.
As mentioned earlier, openntpd already does something like that, maybe
except the trick working around the one-second resolution in the
retrieved date.
I understand that you want to have something implemented quickly,
easily, and if possible without any new security issues. I want that
for the NTP implementation I'm maintaining too.
But I'm not sure this approach scales well. Consider how expensive TLS
is and how many clients a single server could handle when compared to
the plain NTP or NTP+NTS. To me it looks like a band-aid that will
need to be ripped off when NTS or something else is readily available
in NTP.
Also, there is apparently a SHM refclock that can retrieve the date
over HTTPS [1]. If it passed the delay of the measurement over SHM (as
precision for instance) and an NTP implementation that supports SHM
could be configured to always trust and require the source, I think it
would basically be the same as the suggested approach.
[1] https://www.vanheusden.com/time/omnisync/
--
Miroslav Lichvar