[ntp:questions] Re: Can you test my server please.

Steve Kostecke kostecke at ntp.isc.org
Mon Nov 29 20:11:24 UTC 2004


On 2004-11-29, Danny Mayer <mayer at gis.net> wrote:

> "Wolfgang S. Rupprecht"
> <wolfgang+gnus20041124T155740 at dailyplanet.dontspam.wsrcc.com> wrote in
> message news:<x7fz2ykavr.fsf at bonnet.wsrcc.com>...
>
>> Brad Knowles <brad at stop.mail-abuse.org> writes:
>>
>>>  So, the pool.ntp.org project needs another way to get these people
>>> to stop abusing the servers, and the method being proposed by Simon
>>> is that we give them an "obvious" bogus time reference,
>>
>> How about this idea: have each client announce its name and
>> version number in every request packet. Unapproved clients get
>> ignored/kod-ed/sent-the-wrong-time.

Trivially spoofable because we don't have (so-called) trusted operating
systems which provide secure remote client attestation.

>> For a client to be approved for serving at pools.ntp.org someone at
>> pools.ntp.org needs to audit and give their stamp of approval.

There is nothing to prevent a bad actor from modifying previously
approved code.

>> This won't stop someone willfully beating on a pools server with
>> homegrown code, but then nothing will. We are talking about udp
>> after all. The best pools.ntp.org can do is get the attention of the
>> developers up front in a way that the developers can't ignore.
>
> Why do people want to reinvent something that's already in NTP 4?
> Just use the authentication scheme to authenticate the clients to the
> server just like servers are authenticated to the clients today.

Authenticating clients to the server would require that the server
maintain some state for each client as well as a considerable amount of
server-side authentication work. As I understand it this would
negatively affect time service on busy servers.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
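The exchange above contrasts an unauthenticated client identifier (spoofable, as Steve notes) with the NTPv4 symmetric-key scheme Danny points to. The following is an added illustration, not code from this thread or from the NTP distribution: it builds a minimal NTPv4 client header, appends a symmetric-key MAC in the NTPv4 layout (a 4-byte key id followed by an MD5 digest computed over the shared key and the 48-byte header), and shows the server-side check. The key table and key id are constructed for the example. The point it makes concrete is Steve's: a server that authenticates clients must keep a table of trusted keys and run a digest over every incoming packet, which is the per-client state and per-packet work that an identifier string alone would not impose.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                  # key id + MD5 digest
NTP_EPOCH_OFFSET = 2208988800     # seconds from 1900-01-01 to 1970-01-01

# Constructed example key table. On a real server this is the per-client
# state the server must maintain (keys file, one entry per trusted key id).
KEY_TABLE = {1: b"example-shared-secret-1"}  # constructed, not a real key


def build_client_packet(transmit_unix_time=None):
    """Build a minimal 48-byte NTPv4 client-mode header (LI=0, VN=4, Mode=3)."""
    if transmit_unix_time is None:
        transmit_unix_time = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    secs = int(transmit_unix_time) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix_time - int(transmit_unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # Fields after the first four bytes: root delay, root dispersion,
    # reference id, then reference, origin and receive timestamps (zeroed),
    # then the transmit timestamp.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, -20,
                       0, 0, 0,
                       0, 0, 0, 0, 0, 0,
                       secs, frac)


def append_mac(packet, key_id, key_table=KEY_TABLE):
    """Client side: append key id and MD5(key || header), the NTPv4 symmetric-key MAC."""
    key = key_table[key_id]
    digest = hashlib.md5(key + packet[:NTP_HEADER_LEN]).digest()
    return packet[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_mac(authenticated_packet, key_table=KEY_TABLE):
    """Server side: return (ok, key_id).

    Every authenticated request costs a key-table lookup plus a digest over
    the header; a key id the server does not hold is rejected outright.
    """
    if len(authenticated_packet) < NTP_HEADER_LEN + MAC_LEN:
        return False, None                      # no MAC present
    header = authenticated_packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", authenticated_packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received = authenticated_packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + MAC_LEN]
    key = key_table.get(key_id)
    if key is None:
        return False, key_id                    # unknown key: no state for this client
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, received), key_id


if __name__ == "__main__":
    pkt = append_mac(build_client_packet(), 1)
    print("authenticated packet length:", len(pkt))
    print("server verification:", verify_mac(pkt))
```

Running the script prints a 68-byte packet and a successful verification; flipping any byte of the header or digest, or presenting a key id absent from the table, makes `verify_mac` return `False`. Note that this scheme authenticates possession of a shared key, not a client's name or version string, so it addresses a different problem from the proposal quoted at the top of the thread.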
