[ntp:questions] IFF autokey issue

Steve Kostecke kostecke at ntp.isc.org
Mon May 7 21:57:14 UTC 2007


On 2007-05-07, David L. Mills <mills at udel.edu> wrote:

> Steve Kostecke wrote:
>> On 2007-05-07, Vladimir Smotlacha <vs at cesnet.cz> wrote:
>> 
>>>I set up an IFF identity scheme at my lab's NTP server and client.
>>>I did it exactly according to available documentation and it worked O.K.
>>>However, I tried it once more with new keys and certificates but without
>>>copying IFF parameters to the client (i.e. the client did not know IFF
>>>parameters). I expected that the authentication would fail but it was
>>>successful again.

<snip>

>>>What profit has the client from knowledge of the IFF params and key?
>> 
>> I'll let someone else answer that.
>
> The ntpkey_IFF_ file contains both the server and client keys; the 
> ntpkey_IFFkey_ contains only the client key. Be sure to copy the correct 
> one.

The problem here is _not_ which file to copy.

What has happened is that Vladimir has discovered the fact that Autokey
will "degrade" to TC in the event that parameters for no other Identity
Scheme are present. So he is asking "what's the point" of IFF (and, by
extension, GQ and MV) if the Authentication will succeed just on the
strength of the host parameters.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/



