[ntp:questions] Windows Time with NTPv4
David L. Mills
mills at udel.edu
Sat Mar 8 18:18:48 UTC 2008
Folks,
I just poked around and discovered something interesting that affects
Windows clients, both XP and Vista.
Microsoft has broken the NTP specification in that the client sends a
request in symmetric active mode instead of client mode. According to
the NTP spec, both ancient and modern, this causes the server to launch
a symmetric passive association, which would be a serious security
vulnerability.
The NTPv4 servers, including those at USNO and NIST, have specific means
to protect against this vulnerability, so as you might have noticed,
synchronizing XP or Vista clients to those servers fails.
However, I jimmied the code so that, while it will not launch an
association if denied, it will reply in symmetric passive mode. In other
words, the server behaves in the same way as with an ordinary
client/server mode. With this change, now in the development branch,
Windows XP and Vista now work correctly.
I'm not happy about this. I thought Microsoft had fixed this long ago in
a service pack. Now at least folks with 400 PCs don't all have to light
up Windows NTP.
Dave
More information about the questions
mailing list