mayer at gis.net
Mon Jan 31 17:47:31 UTC 2005

John Spence, CCSI, CCNA, CISSP wrote:
> Just an FYI.
> IPv6 will soon have a new RFC (currently awaiting IESG approval) from
> Securing Neighbor Discovery (SEND) working group, now concluded,
> how link-local nodes may enable authentication to improve on-link
> This addresses many of the same attacks common in IPv4 ARP, where
> nodes can cause other nodes to change their ARP cache information and
> misdirect packets.  SEND also includes authentication for router
> advertisements.
> One mechanism used is to send some Neighbor Discovery messages with a
> "Timestamp" option, to guard against replay attacks.  This will
> close (while not perfect) synchronization between all nodes using
> SEND on a
> link.
> So, at least for highly secure IPv6 environments, NTP synchronization
> clients, servers, and routers will all be important to proper
> operation.

The issue here is that such protocols need to look at the limits of
the time-difference. For most protocols that I have seen, TSIG in DNS,
Kerberos, etc. the allowed limit for the difference is 5 minutes
(300 seconds) which from NTP's point of view is a huge error.

The only protocol where there is an interaction with NTP that NTP
must care about is DNS since you can enter DNS names in the
configuration. There may also be some issues with DNSSEC that
may have to be addressed if the system is using a secure resolver,
as was pointed out to us by Rob.

I don't think we need to get involved with all of the new protocols
being created, but those protocols need to pay attention to issues
of time accuracy.
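As an added illustration of the point both posts make (this is not code from either author, nor from the SEND specification, whose actual validation rule is more elaborate): a simplified receiver-side replay check built around a message timestamp and an allowed clock difference `delta`. With `delta` at the 300-second limit the reply mentions, a peer whose clock is 250 s off is still accepted; with NTP-grade synchronization the window can be made far tighter. Peer names and timestamps below are constructed.

```python
"""Simplified timestamp replay check in the spirit of a SEND-style Timestamp option.

Assumed model (constructed for illustration, not the RFC's exact rule):
 - each message carries the sender's timestamp `ts`; the receiver notes its own
   clock `rd` on arrival
 - first message from a peer: accept only if |rd - ts| <= delta
 - later messages from a known peer: ts must move forward past the last accepted
   ts (this is what defeats a straight replay) and must not be more than delta
   ahead of the receiver's clock
"""
from dataclasses import dataclass, field


@dataclass
class PeerState:
    ts_last: float   # last accepted sender timestamp
    rd_last: float   # receiver clock when it was accepted


@dataclass
class ReplayChecker:
    # 300 s is the 5-minute limit the reply cites for TSIG/Kerberos; with NTP in
    # place a much smaller value is feasible and shrinks the replay window.
    delta: float = 300.0
    peers: dict = field(default_factory=dict)

    def accept(self, peer: str, ts: float, rd: float) -> bool:
        """True if a message with sender timestamp ts, seen at local time rd, is accepted."""
        state = self.peers.get(peer)
        if state is None:
            # first contact: only the clock-difference bound is available
            if abs(rd - ts) > self.delta:
                return False
            self.peers[peer] = PeerState(ts, rd)
            return True
        # known peer: a replayed (or older) timestamp is rejected outright
        if ts <= state.ts_last or ts > rd + self.delta:
            return False
        state.ts_last, state.rd_last = ts, rd
        return True


def skew_tolerated(delta: float, skew_seconds: float) -> bool:
    """Would a first message from a peer whose clock is off by skew_seconds be accepted?"""
    return ReplayChecker(delta=delta).accept("constructed-peer", ts=1000.0, rd=1000.0 + skew_seconds)
```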
