[ntp:questions] Re: NTP sync

Brad Knowles brad.knowles at skynet.be
Mon Sep 22 16:26:08 UTC 2003


At 1:04 PM +0000 2003/09/22, David L. Mills wrote:

>  Your plan runs contrary to the NTP security model, which is designed to
>  operate in the open and unencumbered by tunnel latencies. Security is
>  maintained end-to-end by public key signatures, cryptographic identity
>  schemes and crafted agreement algorithms. You don't need or want tunnels
>  of any kind.

	Interesting.  This does bring up a slightly different question -- 
what if I'm across an IPSec tunnel, and I want to sync my clock?  How 
does NTP interact in an environment where you have no choice?


	For example, doing wireless 802.11b/g networking with WEP 
encryption is known to be weak, even if you do all the various things 
you're supposed to do to help keep it as secure as can reasonably be 
done.

	The path to real security is to ignore WEP, put the wireless base 
station outside your firewall, and then only allow IPSec-encrypted 
tunnel traffic through the firewall.  This also usually results in a 
significant speedup, because most cards can't do WEP encryption at 
full speed.


	So, what if you're on a wireless network, and the only way to get 
anywhere at all is over an IPSec tunnel?

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

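As an added illustration of the tunnel-latency point raised in the quoted reply and in the question above (example code written for this page, not from the list thread): the simulation below uses NTP's standard on-wire arithmetic from RFC 5905 to show that a tunnel which adds the same latency in both directions leaves the measured offset unchanged, while any asymmetry between the two directions shows up as half the difference. All delay and offset values are constructed.

```python
"""Effect of tunnel latency on NTP's offset measurement (constructed example).

Standard NTP on-wire arithmetic (RFC 5905), with T1..T4 the four timestamps:
    offset = ((T2 - T1) + (T3 - T4)) / 2
    delay  = (T4 - T1) - (T3 - T2)
"""


def ntp_exchange(true_offset, fwd_delay, rev_delay, server_proc=0.0005):
    """Simulate one client -> server -> client NTP exchange.

    true_offset: server clock minus client clock, in seconds
    fwd_delay:   one-way latency client -> server (base link plus tunnel)
    rev_delay:   one-way latency server -> client
    server_proc: time the server holds the packet before replying
    Returns (measured_offset, round_trip_delay) as the client computes them.
    """
    t1 = 1000.0                                      # client transmit (client clock)
    t2 = t1 + fwd_delay + true_offset                # server receive  (server clock)
    t3 = t2 + server_proc                            # server transmit (server clock)
    t4 = t1 + fwd_delay + server_proc + rev_delay    # client receive  (client clock)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def offset_error(true_offset, fwd_delay, rev_delay):
    """Absolute difference between the measured offset and the true offset.

    Algebraically this is |fwd_delay - rev_delay| / 2: a symmetric tunnel adds
    round-trip delay but no offset error; an asymmetric one biases the offset.
    """
    measured, _ = ntp_exchange(true_offset, fwd_delay, rev_delay)
    return abs(measured - true_offset)


if __name__ == "__main__":
    base = 0.010           # constructed: 10 ms one-way on the raw wireless link
    tunnel = 0.020         # constructed: 20 ms added by an IPsec tunnel
    # Tunnel adds the same latency both ways: offset error stays zero.
    sym_off, sym_delay = ntp_exchange(0.250, base + tunnel, base + tunnel)
    print(f"symmetric tunnel : offset={sym_off:.6f}s delay={sym_delay:.6f}s")
    # Tunnel only on the outbound path: offset is off by tunnel / 2.
    asym_off, asym_delay = ntp_exchange(0.250, base + tunnel, base)
    print(f"asymmetric tunnel: offset={asym_off:.6f}s delay={asym_delay:.6f}s")
```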