[ntp:questions] Re: NTP sync
brad.knowles at skynet.be
Mon Sep 22 16:26:08 UTC 2003
At 1:04 PM +0000 2003/09/22, David L. Mills wrote:
> Your plan runs contrary to the NTP security model, which is designed to
> operate in the open and unencumbered by tunnel latencies. Security is
> maintained end-to-end by public key signatures, cryptographic identity
> schemes and crafted agreement algorithms. You don't need or want tunnels
> of any kind.

Interesting. This does bring up a slightly different question --
what if I'm across an IPSec tunnel, and I want to sync my clock? How
does NTP interact in an environment where you have no choice?

For example, doing wireless 802.11b/g networking with WEP
encryption is known to be weak, even if you do all the various things
you're supposed to do to help keep it as secure as can reasonably be

The path to real security is to ignore WEP, put the wireless base
station outside your firewall, and then only allow IPSec-encrypted
tunnel traffic through the firewall. This also usually results in a
significant speedup, because most cards can't do WEP encryption at

So, what if you're on a wireless network, and the only way to get
anywhere at all is over an IPSec tunnel?

Brad Knowles, <brad.knowles at skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)