[ntp:hackers] A stop-gap authenticated time service

Hal Murray hmurray at megapathdsl.net
Tue Nov 10 21:48:28 UTC 2015

> The optimal outcome is that adding a level of "supervision" makes attacking
> NTP pointless, so we cna milk it for all it can offer, at the cost of
> occasionally looking over our shoulder with HTTPS. 

I think I like that approach.

It looks like a 2 pass algorithm.  The first pass uses authenticated servers 
to establish a sanity-check fence around a region of reasonable time.  
Standard stuff, you need more than one server to catch broken or compromised 

The second pass discards any servers that don't land within that area, then 
uses the traditional logic on what's left.


Has anybody done any timing over TCP?  Suppose you sent NTP "packets" over 
TCP.  After connection setup, if you don't have any retransmissions, it 
should be a single packet in each direction.

These are my opinions.  I hate spam.

More information about the hackers mailing list