[ntp:hackers] A stop-gap authenticated time service

Harlan Stenn stenn at ntp.org
Mon Nov 16 01:54:23 UTC 2015

Terje Mathisen writes:
> Poul-Henning Kamp wrote:
> > Here is a summary of the very crude proof-of-concept experiment
> > I left simmering the last week:
> >
> > 	http://phk.freebsd.dk/time/20151115.html
> To me this seems like an invitation to advocate bare-bones HTTPS
> service on as many pool servers as possible, the cheapest way to
> achieve this would be to make the pool a CA, i.e. avoiding the cost of
> normal Verisign etc certificates.
> This ntp CA would of course be compiled in to our code so that it
> would be valid for this special form of sanity checking.

On the one hand I'd be happy to explore seeing NTF help with this, if
that's the right way to go.

On the other hand, this may also be something that letsencrypt.org may
be good for.

> OTOH, what's wrong with just doing the same thing for authenticating
> normal ntp requests.

I am still expecting we'll have the replacement for autokey ready in the
next few months' time.  It will be able to authenticate both clients and

> If we limit the certificates we issue to hosts that have been part of 
> the pool for at least N months and behaved well during that period, it 
> would make it extremely hard to take over a plurality of the selected 
> sources.

Situations include:

- (long-term) good server that is still good
- (long-term) good server that gets hacked
- bad server

There are probably other categories, and I'm curious how useful it will
be to explore them.  I figure we should dig in to these enough to know
that we have a comprehensive solution.

> (This obviously requires pool.ntp.org to support DNSSEC!)

And DNSSEC requires accurate time.

> Terje
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!
