[ntp:questions] Re: sendto(1.2.3.4): Invalid argument

Danny Mayer mayer at gis.net
Sun Aug 14 00:40:44 UTC 2005


Edrusb wrote:
> David Woolley wrote:
> 
>> In article <hmvidd.pdc.ln at barnabe.home.fr>, Edrusb <edrusba at free.fr> 
>> wrote:
>>
>>
>>> - What is the use of this wildcard UDP socket (it does not seem to be used)?
>>
>>
>>
>> Handles incoming requests?
> 

The wildcard addresses are not used for anything except to prevent other
applications grabbing the addresses and ports.

> 
> Yes probably, it is too bad the same socket has not been used to send
> data too, just letting the system put the appropriate Source IP and
> select the adequate output interface according to system's routing
> decision. This way there would not be any need to scan available
> network interfaces for changes.
> 

No, we need to send out responses with the correct IP address to ensure
that it can be authenticated. You cannot do this with the wildcard port
as you have no control over the address it will use.

>  >>- Why does ntpd use these UDP specific interface sockets, while the
>  >>configuration file does not specify any interface to listen on or to not
>  >>listen on?
>  >
>  >
>  > I believe this is because the security features require the origin
>  > address to be known by the sender (possibly only for servers).
> 
> the outgoing IP packets have their IP source field set by the system in 
> any way I guess, even when sending from a wildcard socket.
> 

No. If you send from the wildcard port the system will choose which
address to use. We need to control that. If you send a request to
address A and got a response from address B, it will be assumed to be an
invalid response to the request to address A.

Danny
> 
>>
> [...]
> 
>>
>>> Any help is (very) welcome. :-)
>>
>>
>>
>> As noted elsewhere, you can do IP address masquerading downstream so
>> that ntpd sees a fixed address.
> 
> 
> Thanks for the idea, but public servers still have static IP addresses :-) 
> masquerading them would not help :-/
> 

No, it's your server that is being protected from changes not the public
servers.

Danny
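
The source-address behaviour discussed in this message, as an added example that is not part of the original post and is not ntpd code: a request is sent to one local address and the reply is sent first from a wildcard socket, then from a socket bound to that address. It assumes Linux, where every 127.0.0.0/8 address is local; the two addresses and the function names are constructed for the illustration.

```python
import socket

# Constructed stand-ins for two addresses of one multihomed host
# (assumption: Linux, where all of 127.0.0.0/8 is local to the loopback).
CLIENT_ADDR = "127.0.0.1"
SERVER_ADDR = "127.0.0.2"   # the address the client sends its request to
WILDCARD = ""               # INADDR_ANY

def reply_source(server_bind_addr):
    """Return the source IP the client sees on the reply to one request."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind((server_bind_addr, 0))          # ephemeral port
        port = srv.getsockname()[1]
        cli.bind((CLIENT_ADDR, 0))
        for s in (srv, cli):
            s.settimeout(2)
        cli.sendto(b"request", (SERVER_ADDR, port))
        _, peer = srv.recvfrom(512)
        # Reply on the same socket that received the request. With a
        # wildcard bind the kernel picks the source from its route to the
        # client; with a bound socket the source is the bound address.
        srv.sendto(b"reply", peer)
        _, (src_ip, _) = cli.recvfrom(512)
        return src_ip

def client_accepts(server_bind_addr):
    """The check described above: the reply must come from the address queried."""
    return reply_source(server_bind_addr) == SERVER_ADDR

if __name__ == "__main__":
    for label, bind_addr in (("wildcard", WILDCARD), ("per-address", SERVER_ADDR)):
        src = reply_source(bind_addr)
        verdict = "accepted" if src == SERVER_ADDR else "rejected"
        print(f"{label:12} socket: request to {SERVER_ADDR}, "
              f"reply from {src} -> {verdict}")
```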



