[ntp:questions] Re: server's address in ntp payload?
mayer at ntp.isc.org
Tue Nov 22 19:46:14 UTC 2005
David Schwartz wrote:
> "Danny Mayer" <mayer at gis.net> wrote in message
> news:4380AF66.1080007 at gis.net...
>>David Schwartz wrote:
>>>"Danny Mayer" <mayer at gis.net> wrote in message
>>>news:437D4371.2090004 at gis.net...
>>>>No it is not a flaw in the protocol design. It would be if it were put
>>>>in. The address doesn't belong there, it belongs in the IP header which
>>>>the receiving server always gets.
>>> It is a flaw. Its absence requires the receiver to assume that the
>>>origin address of the UDP packet received is the IP address of the
>>>server. This assumption may or may not be correct. But if the address
>>>were in there, the assumption would not be needed.
>>Absolutely not. That would be a layering violation.
> What would be a layering violation? Assuming that the source address of
> a UDP packet is the address of the machine that sent it?
No, adding the source address to the NTP packet.
>>Verification is done
>>through key exchange and the MAC section in the NTP packet.
> That's nice but has nothing to do with how you tell whether two packets
> with different source UDP addresses came from the same server or not.
> Consider a simple case. We have a simple server that is not using
> authentication. It's on a LAN where a lot of machines have both public and
> private IP addresses. We recognize our local and internal LANs by their IP
> range and don't need to authenticate because spoof protection is done at the
> boundaries. We are talking to both 192.168.32.23 and 220.127.116.11, the
> question is, are they the same machine or not?
You cannot tell from the outside, nor should you usually care. However,
with all the stateful firewalls now in place if the response to a packet
request gets sent from a different address than the address to which the
packet was originally sent, the firewall will drop it as unmatched to
the address and the requestor will never receive a response.
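The two mechanisms the thread contrasts, stateful firewall matching of a UDP reply to its request and origin verification through the NTP MAC field, as an added example that is not part of the original thread. The connection tracker is a minimal model of what a stateful firewall does (a reply passes only if its addresses and ports are the exact reverse of an outbound request); the MAC check follows the RFC 5905 symmetric-key layout (32-bit key identifier followed by MD5 over the key and the NTP header). The client address and port, the 192.0.2.10 server address and the key are constructed; 192.168.32.23 is the private address from the thread's scenario.

```python
"""Added example (not from the mailing-list thread): why a stateful firewall
drops an NTP reply that comes back from a different server address than the
request went to, and how the RFC 5905 symmetric-key MAC authenticates the
packet body instead of trusting the IP header. Addresses, ports and the key
below are constructed sample values."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, without extension fields or MAC
NTP_MAC_LEN = 20      # 4-byte key ID + 16-byte MD5 digest
NTP_PORT = 123


def build_ntp_request():
    """Minimal NTPv4 client request: LI=0, VN=4, Mode=3; other fields zero."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack("!B47x", li_vn_mode)


def ntp_mac(key_id, key, header):
    """RFC 5905 symmetric-key MAC: key ID, then MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_ntp_mac(packet, keys):
    """True if the trailing MAC verifies under a key in `keys` (id -> bytes).

    The check is independent of the IP header: it authenticates the packet
    contents, which is the verification the thread refers to."""
    if len(packet) < NTP_HEADER_LEN + NTP_MAC_LEN:
        return False
    header, mac = packet[:-NTP_MAC_LEN], packet[-NTP_MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


class StatefulFirewall:
    """Toy UDP connection tracker modelling a stateful firewall.

    An outbound request records the reply it expects; an inbound packet is
    allowed only if (src, sport, dst, dport) exactly reverses a request."""

    def __init__(self):
        self.expected = set()

    def outbound(self, src, sport, dst, dport):
        self.expected.add((dst, dport, src, sport))

    def inbound_allowed(self, src, sport, dst, dport):
        return (src, sport, dst, dport) in self.expected


def demo():
    """Run both scenarios and return the outcomes as a dict."""
    fw = StatefulFirewall()
    client_ip, client_port = "10.0.0.5", 40000      # constructed
    server_public = "192.0.2.10"                    # constructed
    server_private = "192.168.32.23"                # from the thread's example

    # Request goes to the public address; a reply from the private address
    # of the same machine does not match the tracked state and is dropped.
    fw.outbound(client_ip, client_port, server_public, NTP_PORT)
    same_addr = fw.inbound_allowed(server_public, NTP_PORT, client_ip, client_port)
    other_addr = fw.inbound_allowed(server_private, NTP_PORT, client_ip, client_port)

    # MAC verification: intact packet passes, a flipped header bit fails,
    # and a packet whose key ID we do not hold fails.
    keys = {1: b"constructed-demo-key"}
    header = build_ntp_request()
    good = header + ntp_mac(1, keys[1], header)
    tampered = bytearray(good)
    tampered[20] ^= 0x01  # flip one bit inside the header
    return {
        "reply_from_same_address_allowed": same_addr,
        "reply_from_other_address_allowed": other_addr,
        "mac_verifies": verify_ntp_mac(good, keys),
        "mac_verifies_after_tamper": verify_ntp_mac(bytes(tampered), keys),
        "mac_verifies_unknown_key": verify_ntp_mac(good, {2: keys[1]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tracker shows the failure mode in the last paragraph: the reply is well-formed NTP, but because it arrives from an address the firewall never saw a request go to, it is dropped before the client can look at it. The MAC check shows why carrying the server address inside the payload would add nothing: a verified MAC already tells the client the packet came from a holder of the shared key, whatever the IP header says.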