[ntp:questions] Re: restrict lines

Brad Knowles brad at stop.mail-abuse.org
Mon Mar 14 22:44:28 UTC 2005

At 2:17 PM -0800 2005-03-14, David Schwartz wrote:

>      Yes, exactly. You can't fix this problem anywhere but at its source. You
>  might as well argue that we should never use domain names in any situation
>  with any security implications.

	Okay, go fix the entire Internet, then.  Please report back when 
you're done.

	Meanwhile, the rest of the world has been learning the lesson 
over the past decade that name-based security is one of the stupidest 
ideas ever invented.

>      On the contrary, it's if you depend upon IPs for your security that you
>  get into trouble if things change.

	Yup, that's a problem.  That's why you use public-key crypto. 
BIND learned this lesson years ago.

>                                      If you really believed the argument you
>  are making, you would have to object to the existence of pool.ntp.org, since
>  it does the very thing you are complaining about.

	No, pool.ntp.org has nothing to do with security.  That's a 
one-way name-to-IP address mapping, and there is no implied security 
that is claimed to be provided.  In those situations, if your DNS 
cache is poisoned and you get sent to the wrong servers, then that's 
your problem.

	As soon as you try to apply some security to this problem, you 
run into the fact that most members of pool.ntp.org do not have 
control over their reverse DNS, so they cannot change what name 
should be claimed for their IP address.  You also run into the 
load-balancing and system monitoring problem, whereby an address that 
was in pool.ntp.org five minutes ago, is no longer in the pool.

	If you want to secure this, your *only* effective choice is to 
use public-key crypto.

>      Is it your position that name-based security is worse than no security
>  at all?

	In this case, yes.  It gives you a sense of false security, and 
you feel comfortable staying there instead of working on the real 
security problem.

>          Or would it be your position that NTP should be modified to make it
>  impossible to configure it with no security at all?

	NTP already understands the concept of cryptographic 
authentication.  That technique needs to be extended.

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
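
Added example, not part of the original message and not ntpd code: the contrast argued above between an access list derived from a name and a keyed check that does not depend on the sender's address. It uses NTP's symmetric-key MD5 digest as a stand-in for the public-key scheme the post calls for; the pool name, addresses, PTR names and key are all constructed.

```python
import hashlib
import hmac
import struct

# Constructed DNS answers (RFC 5737 documentation addresses), not real pool data.
POOL_AT_STARTUP = {"192.0.2.10", "192.0.2.11"}   # A records when the ACL was built
POOL_LATER = {"192.0.2.11", "198.51.100.7"}      # A records five minutes later
POISONED = {"203.0.113.66"}                      # answer from a poisoned cache
PTR = {"192.0.2.10": "dsl-10.isp.example",       # members rarely control their PTR
       "198.51.100.7": "colo7.hoster.example"}
POOL_NAME = "pool.ntp.example"                   # hypothetical pool name


def build_name_acl(a_records):
    """Name-based restriction: the name is resolved once and frozen into addresses."""
    return set(a_records)


def acl_drift(frozen, current):
    """Return (stale, missing): still allowed after leaving, and members not allowed."""
    return frozen - current, current - frozen


def ptr_confirms(src_ip, name=POOL_NAME):
    """Reverse-DNS check: does the PTR for src_ip claim the configured name?"""
    return PTR.get(src_ip) == name


def ntp_mac(key, header):
    """Classic NTP symmetric-key digest: MD5 over key || 48-byte header."""
    return hashlib.md5(key + header).digest()


def sign(key_id, key, header):
    """Append the 4-byte key ID and 16-byte digest to the header."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify(keys, packet):
    """Accept only header + key ID + digest where the digest matches a known key."""
    if len(packet) != 48 + 4 + 16:
        return False
    header, digest = packet[:48], packet[52:]
    key = keys.get(struct.unpack("!I", packet[48:52])[0])
    return key is not None and hmac.compare_digest(ntp_mac(key, header), digest)


if __name__ == "__main__":
    print("stale, missing:", acl_drift(build_name_acl(POOL_AT_STARTUP), POOL_LATER))
    print("poisoned answer trusted:", "203.0.113.66" in build_name_acl(POISONED))
    keys = {1: b"constructed-key"}
    pkt = sign(1, keys[1], bytes(48))
    print("valid MAC:", verify(keys, pkt), "tampered:", verify(keys, b"\x01" + pkt[1:]))
```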
