[ntp:questions] Re: Can you test my server please.
David L. Mills
mills at udel.edu
Wed Dec 1 04:02:25 UTC 2004

Public key authentication would not be practical for a busy server to
authenticate any significant population of clients, as the server would
have to obtain certificates, run identity schemes, etc., and the server
would be vulnerable to clogging attacks on processor cycles to run

However, symmetric key authentication would work, as the server checks
the key and returns a crypto-NAK if it doesn't correctly authenticate.
The only mode where this would work is symmetric, and I'm not sure a
suspicious server would want to do that and incur the hazard that some
terrorist might try to hijack a rogue association.

NTP authentication was never intended for the server to authenticate the
client; that's what access control is for.

Danny Mayer wrote:
> Brad Knowles <brad at stop.mail-abuse.org> wrote in message news:<mailman.37.1101808483.54146.questions at lists.ntp.isc.org>...
>> At 9:41 AM -0800 2004-11-29, Danny Mayer wrote:
>>> Why do people want to reinvent something that's already in NTP 4?
>>> Just use the authentication scheme to authenticate the clients to
>>> the server just like servers are authenticated to the clients today.
>> I'm not aware of any client authentication code anywhere in NTP.
>> Moreover, how do you propose to authenticate millions of clients
>> around the world to a small set of pool.ntp.org servers, many of
>> which are behind personal DSL lines?
> I'm not saying that. I'm saying that the protocol already supports
> the transfer of authentication packets so it's just a matter of
> extending things on both ends to get the server to authenticate
> the client.
> This has nothing to do with pool. The server shouldn't be in the
> pool if it requires client authentication. In any case the NTP
> authentication is NOT a function of the IP addresses. The MAC
> section of the NTP packet is what is used to transfer authentication
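
The symmetric-key check and crypto-NAK reply discussed in this message, as an added example that is not part of the original thread or of the ntpd source. It assumes the classic MD5 keyed-digest MAC (4-byte key ID followed by MD5 of the secret and the 48-byte header) and a crypto-NAK consisting of a key ID of zero with no digest; the key table and sample headers are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48                      # fixed NTP header, no extension fields
DIGEST_LEN = 16                      # MD5 digest length
CRYPTO_NAK = struct.pack("!I", 0)    # MAC that is only a zero key ID

# Constructed key table (key ID -> shared secret); not real keys.
KEYS = {7: b"example-shared-secret"}

# Constructed headers: first octet 0x23 = VN 4, mode 3 (client);
# 0x24 = VN 4, mode 4 (server). Remaining fields zeroed for brevity.
SAMPLE_REQUEST = bytes([0x23]) + bytes(HEADER_LEN - 1)
SAMPLE_REPLY = bytes([0x24]) + bytes(HEADER_LEN - 1)


def compute_mac(key_id, header):
    """Return key ID || MD5(secret || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def classify(packet):
    """Return 'unauthenticated', 'ok' or 'crypto-nak' for a received packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than an NTP header")
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not mac:
        return "unauthenticated"     # left to access control, not to the MAC
    if len(mac) != 4 + DIGEST_LEN:
        return "crypto-nak"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return "crypto-nak"
    # Constant-time comparison so the check does not leak digest bytes.
    good = hmac.compare_digest(compute_mac(key_id, header), mac)
    return "ok" if good else "crypto-nak"


def reply(packet, reply_header):
    """Build the server reply: authenticated, plain, or crypto-NAK."""
    verdict = classify(packet)
    if verdict == "ok":
        key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
        return reply_header + compute_mac(key_id, reply_header)
    if verdict == "crypto-nak":
        return reply_header + CRYPTO_NAK
    return reply_header
```

The per-packet cost on the server is one MD5 over a short buffer, with no certificates or identity exchange involved.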