[ntp:questions] Re: server's address in ntp payload?

Danny Mayer mayer at gis.net
Fri Nov 25 20:10:58 UTC 2005


Brian Utterback wrote:
> Danny Mayer wrote:
> 
>> We follow the rule: "Be liberal about what you receive, be strict
>> about what you return." The same goes for "how." The IP address is
>> not an authentication token at all. If you want a really in depth
>> discussion of the difference between identifiers and IP address,
>> look at the discussion currently raging in int-area at ietf.org. You
>> may find it illuminating.
>> 
> 
> Okay, I have read the discussion, and it appears to me to argue even 
> more for what I am talking about. The base NTP protocol has neither 
> identifiers nor locators, relying on the IP address for both. Even
> when an identifier is added via the crypto functions, it is still
> tied up with the IP locator.
> 

There is an identifier: the refid. Unfortunately it's not unique in that
it currently depends on the IP address being used to send the NTP
packet. I should be unique in order to accomplish its purpose of loop
prevention. The refid however can be trivially spoofed, at least without
the MAC section. I don't know what you mean by locator.

> 
>> Because there is no way of knowing otherwise. If there is an
>> identifier in the protocol, there is no guarantee that it hasn't
>> been spoofed by an attacker. Normally configured systems will
>> always send out on the same address. If they are not normally
>> configured you should authenticate on the new address as well.
>> Otherwise it may be a MIM attack.
> 
> 
> I agree. If the response IP changes, then that is an indicator that
> the system should be re-authenticated.
> 
> 
> My point is that NTP should not require the binding of all addresses.
>  As I have elsewhere stated, it is not necessary from a security
> point of view, i.e. to prevent other processes from stealing the
> port. It is sometimes necessary in order to obtain the destination
> address of a packet, but that in itself should not be necessary and
> wouldn't be if NTP had transaction ID's and/or system ID's.
> 

There are two totally separate issues here: 1) security and why it's
worthwhile binding all the addresses; and 2) whether or not binding all
addresses is a useful thing. I have stated that security requires it and
I won't repeat the arguments and also that binding all addresses are
useful for a variety of tasks involving the sockets and that it is
useful to send back on the same address as the one it was received on.

> Let's say we were designing NTP protocol V5. I would include a 
> transaction id. Mr. Schwartz would include a system ID. I would 
> include an "extensions included" flag and make each extension have a
> "type" and "length" prefix to get away from the whole "if it this 
> size then it is a V3 MAC, if it is that size it must be a multiple of
>  this many bytes" nonsense that we have now.

Transaction ID's are only useful to match responses to requests if you
don't otherwise know what the original request was. However, NTP doesn't
need it since the NTP packet already contains all of the information
required and it's not passing on the information to a third system.
System ID's are only useful for loop prevention and the refid fulfils
that role.

Danny





More information about the questions mailing list