[ntp:questions] Re: server's address in ntp payload?

Danny Mayer mayer at ntp.isc.org
Tue Nov 22 19:46:14 UTC 2005


David Schwartz wrote:
> "Danny Mayer" <mayer at gis.net> wrote in message 
> news:4380AF66.1080007 at gis.net...
> 
> 
>>David Schwartz wrote:
> 
> 
>>>"Danny Mayer" <mayer at gis.net> wrote in message
>>>news:437D4371.2090004 at gis.net...
> 
> 
>>>>No it is not a flaw in the protocol design. It would be if it were put
>>>>in. The address doesn't belong there, it belongs in the IP header which
>>>>the receiving server always gets.
> 
> 
>>>    It is a flaw. Its absence requires the receiver to assume that the
>>>origin address of the UDP packet received is the IP address of the
>>>sending server. This assumption may or may not be correct. But if the
>>>address were in there, the assumption would not be needed.
> 
> 
>>Absolutely not. That would be a layering violation.
> 
> 
>     What would be a layering violation? Assuming that the source address of 
> a UDP packet is the address of the machine that sent it?
> 

No, adding the source address to the NTP packet.
> 
>>Verification is done
>>through key exchange and the MAC section in the NTP packet.
> 
> 
>     That's nice but has nothing to do with how you tell whether two packets 
> with different source UDP addresses came from the same server or not.
> 
>     Consider a simple case. We have a simple server that is not using 
> authentication. It's on a LAN where a lot of machines have both public and 
> private IP addresses. We recognize our local and internal LANs by their IP 
> range and don't need to authenticate because spoof protection is done at the 
> boundaries. We are talking to both 192.168.32.23 and 216.105.54.22, the 
> question is, are they the same machine or not?
> 

You cannot tell from the outside, nor should you usually care. However,
with all the stateful firewalls now in place if the response to a packet
request gets sent from a different address than the address to which the
packet was originally sent, the firewall will drop it as unmatched to
the address and the requestor will never receive a response.

Danny
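The firewall behaviour Danny describes can be made concrete with a small model. The following is an added example, not code from the thread or from the NTP project: it simulates a stateful firewall's UDP connection tracking, records the outbound NTP request, and passes an inbound reply only when its source matches the address the request was sent to. The client address and port are constructed; the two server addresses are the ones quoted in the thread. Real conntrack implementations also expire entries and handle ICMP errors, which this model omits.

```python
"""Model of stateful UDP connection tracking as it affects NTP replies.

Constructed illustration (not the NTP project's code): a client sends an
NTP request (UDP/123) to one address; the firewall records the flow and
only passes a reply whose source matches the original destination.  A
reply sent from a second address on the same host (its private interface,
say) has no matching state and is dropped, so the client never sees it.
"""
from dataclasses import dataclass

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class StatefulUdpFirewall:
    """Keeps a table of outbound UDP flows and admits only their replies."""

    def __init__(self):
        # Each entry is the 4-tuple (src_ip, src_port, dst_ip, dst_port)
        # of a request that left the protected network.
        self._state = set()

    def outbound(self, pkt):
        """Client -> outside: remember the flow so the matching reply passes."""
        if pkt.proto != "udp":
            raise ValueError("this model tracks UDP only")
        self._state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt):
        """Outside -> client: pass only if the reversed tuple was seen outbound."""
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return reverse in self._state


def simulate():
    """Return (reply_from_queried_address_passed, reply_from_other_address_passed)."""
    fw = StatefulUdpFirewall()
    client_ip, client_port = "10.0.0.5", 40000          # constructed client
    public_ip = "216.105.54.22"                          # address from the thread
    private_ip = "192.168.32.23"                         # address from the thread

    # The client queries the public address; the firewall records the flow.
    fw.outbound(Packet(client_ip, client_port, public_ip, NTP_PORT))

    # Reply from the address that was queried: matches state, passes.
    from_queried = fw.inbound(Packet(public_ip, NTP_PORT, client_ip, client_port))

    # Reply from the same machine's other interface: no state, dropped.
    from_other = fw.inbound(Packet(private_ip, NTP_PORT, client_ip, client_port))

    return from_queried, from_other


if __name__ == "__main__":
    ok, other = simulate()
    print(f"reply from queried address passed: {ok}")
    print(f"reply from other address passed:   {other}")
```

The point of the model is that the firewall never inspects the NTP payload; identity is decided purely from the IP/UDP headers, which is why a server that answers from a different interface than the one it was queried on is indistinguishable from an unsolicited packet.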


