[ntp:questions] Re: Can you test my server please.

David L. Mills mills at udel.edu
Wed Dec 1 04:02:25 UTC 2004


Danny,

Public key authentication would not be practical for a busy server to 
authenticate any significant population of clients, as the server would 
have to obtain certificates, run identity schemes, etc., and the server 
would be vulnerable to clogging attacks on processor cycles to run 
crypto routines.

However, symmetric key authentication would work, as the server checks 
the key and returns a crypto-NAK if it doesn't correctly authenticate. 
The only mode where this would work is symmetric, and I'm not sure a 
suspicious server would want to do that and incur the hazard that some 
terrorist might try to hijack a rogue association.

NTP authentication was never intended for the server to authenticate the 
client; that's what access control is for.

Dave

Danny Mayer wrote:
> Brad Knowles <brad at stop.mail-abuse.org> wrote in message news:<mailman.37.1101808483.54146.questions at lists.ntp.isc.org>...
> 
>>At 9:41 AM -0800 2004-11-29, Danny Mayer wrote:
>>
>>
>>> Why do people want to reinvent something that's already in NTP 4?
>>> Just use the authentication scheme to authenticate the clients to
>>> the server just like servers are authenticated to the clients today.
>>
>> I'm not aware of any client authentication code anywhere in NTP. 
>>Moreover, how do you propose to authenticate millions of clients 
>>around the world to a small set of pool.ntp.org servers, many of 
>>which are behind personal DSL lines?
>>
> 
> 
> I'm not saying that. I'm saying the protocol already supports
> the transfer of authentication packets so it's just a matter of
> extending things on both ends to get the server to authenticate
> the client.
> 
> This has nothing to do with pool. The server shouldn't be in the
> pool if it requires client authentication. In any case the NTP
> authentication is NOT a function of the IP addresses. The MAC
> section of the NTP packet is what is used to transfer authentication
> information.
> 
> Danny
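The symmetric-key check and crypto-NAK that Dave describes, written out as an added example (my code, not from this thread or the reference ntpd): the MAC layout follows RFC 5905 (4-byte key ID followed by MD5 over key || packet, with a crypto-NAK being key ID 0 and no digest), while the key table, packets and key IDs below are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48               # fixed NTPv4 header; the MAC, if any, follows it
CRYPTO_NAK = b"\x00\x00\x00\x00"  # key ID 0 with a zero-length digest (RFC 5905)

# Constructed sample key table: key ID -> shared secret (not from the thread).
KEYS = {7: b"example-shared-secret"}

def ntp_header(mode=3):
    """Minimal NTPv4 header: LI=0, VN=4, the given mode, all other fields zero."""
    first_byte = (0 << 6) | (4 << 3) | mode
    return struct.pack("!B", first_byte) + bytes(NTP_HEADER_LEN - 1)

def append_mac(packet, key_id, key):
    """Append a symmetric-key MAC: 4-byte key ID + MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def server_check(packet):
    """Server-side handling of a received packet: returns (verdict, reply).

    verdict is True (MAC verified, reply is authenticated with the same key),
    False (MAC present but wrong or unknown key ID, reply is a crypto-NAK), or
    None (no MAC at all; whether to answer is an access-control decision)."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        return None, ntp_header(mode=4)
    if len(mac) != 4 + 16:                      # key ID + MD5 digest
        return False, ntp_header(mode=4) + CRYPTO_NAK
    key_id = struct.unpack("!I", mac[:4])[0]
    key = KEYS.get(key_id)
    if key is None:
        return False, ntp_header(mode=4) + CRYPTO_NAK
    expected = hashlib.md5(key + header).digest()
    # constant-time comparison so a wrong MAC cannot be located byte by byte
    if not hmac.compare_digest(expected, mac[4:]):
        return False, ntp_header(mode=4) + CRYPTO_NAK
    return True, append_mac(ntp_header(mode=4), key_id, key)

def is_crypto_nak(reply):
    """True if the reply carries the 4-byte crypto-NAK in place of a MAC."""
    return reply[NTP_HEADER_LEN:] == CRYPTO_NAK
```

Note that the only work the server does per packet is one MD5 over 48 bytes, which is why this scales where certificate checking would not.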
