[ntp:questions] Windows Time with NTPv4

David L. Mills mills at udel.edu
Sat Mar 8 18:18:48 UTC 2008


Folks,

I just poked around and discovered something interesting that affects 
Windows clients, both XP and Vista.

Microsoft has broken the NTP specification in that the client sends a 
request in symmetric active mode instead of client mode. According to 
the NTP spec, both ancient and modern, this causes the server to launch 
a symmetric passive association, which would be a serious security 
vulnerability.

The NTPv4 servers, including those at USNO and NIST, have specific means 
to protect against this vulnerability, so as you might have noticed, 
synchronizing XP or Vista clients to those servers fails.

However, I jimmied the code so that, while it will not launch an 
association if denied, it will reply in symmetric passive mode. In other 
words, the server behaves in the same way as with an ordinary 
client/server mode. With this change, now in the development branch, 
Windows XP and Vista now work correctly.

I'm not happy about this. I thought Microsoft had fixed this long ago in 
a service pack. Now at least folks with 400 PCs don't all have to light 
up Windows NTP.

Dave
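The mode handling described in the message above, as an added sketch that is not part of the original post and is not ntpd code. The names peer_allowed and reply_when_denied are hypothetical, the requests are constructed, and treating the older protected behaviour as "no reply" is an assumption (the post says only that synchronization fails).

```python
from typing import NamedTuple, Optional, Tuple

# NTP association modes carried in the low 3 bits of the first header octet.
SYM_ACTIVE, SYM_PASSIVE, CLIENT, SERVER = 1, 2, 3, 4


class Decision(NamedTuple):
    reply_mode: Optional[int]  # None means no reply is sent
    mobilize: bool             # True means the server keeps per-peer state


def make_request(version: int, mode: int) -> bytes:
    """Constructed 48-octet request: LI=0, given version and mode, rest zero."""
    return bytes([(0 << 6) | (version << 3) | mode]) + bytes(47)


def parse_mode(packet: bytes) -> Tuple[int, int, int]:
    """Return (leap, version, mode) from the first octet of an NTP header."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 octets; packet too short")
    first = packet[0]
    return first >> 6, (first >> 3) & 0x7, first & 0x7


def decide(packet: bytes, peer_allowed: bool, reply_when_denied: bool) -> Decision:
    """Server-side choice of reply mode and whether an association is created.

    peer_allowed      -- hypothetical: this sender may mobilize an association
    reply_when_denied -- True models the change described in the post
    """
    _, _, mode = parse_mode(packet)
    if mode == CLIENT:
        return Decision(SERVER, False)           # ordinary stateless exchange
    if mode == SYM_ACTIVE:
        if peer_allowed:
            return Decision(SYM_PASSIVE, True)   # symmetric passive association
        if reply_when_denied:
            return Decision(SYM_PASSIVE, False)  # answer, but keep no state
        return Decision(None, False)             # assumption: request ignored
    return Decision(None, False)                 # other modes not modelled here


if __name__ == "__main__":
    for name, pkt in (("client", make_request(3, CLIENT)),
                      ("symmetric active", make_request(3, SYM_ACTIVE))):
        for flag in (False, True):
            print(name, "reply_when_denied=%s" % flag, decide(pkt, False, flag))
```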



