[ntp:questions] Iff replaced by TC
alain.bartholome at eads.com
Wed May 13 08:16:30 UTC 2009
Suppose the following configuration is running, with IFF for each host.
Trusted_1 (group 1)
Trusted_2 (group 2)
Suppose server3 is replaced by a spoofer, server3_spoofer, which has the
client group2 key and does not have the server group2 key.
Server3_spoofer restarts, IFF is supported on its association with
Until client1 restarts or until the new server authentication occurs,
Server3_spoofer does not have the cookie so it will not synchronize client1.
If client1 restarts, TC instead of IFF will be used, and client1 will be
synchronized by Server3_spoofer.
The need here is to prevent any time synchronization if TC is used instead
As IFF cannot be enforced with ntp configuration, the ntpq flags must be
checked at least after each restart?
EADS Defence and Security
1 Boulevard Jean Moulin
78996 ELANCOURT CEDEX
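As an added illustration of the post-restart check the message asks about (not code from the poster or the NTP project), this script reads the `flags` value from `ntpq -c "rv <assoc>"` output and accepts the association only when the IFF bit and the identity-verified bit are both set. The bit values are those of `ntp_crypto.h` in the reference ntpd and should be confirmed against the installed version; the sample outputs are constructed, and reading "no scheme bit" as a TC-only association is an assumption.

```python
import re

# Bit values as defined in ntp_crypto.h of the reference ntpd (assumption:
# confirm against the headers of the version you actually run).
SCHEME_BITS = {0x0010: "PC", 0x0020: "IFF", 0x0040: "GQ", 0x0080: "MV"}
CRYPTO_FLAG_VRFY = 0x0200  # identity verified

FLAGS_RE = re.compile(r"\bflags=(0x[0-9a-fA-F]+)")

def parse_flags(rv_text):
    """Return the low 16 bits of flags= (the upper bits carry the digest NID)."""
    m = FLAGS_RE.search(rv_text)
    return None if m is None else int(m.group(1), 16) & 0xFFFF

def identity_schemes(flags):
    """Names of the identity schemes whose bits are set in the flags word."""
    return [name for bit, name in sorted(SCHEME_BITS.items()) if flags & bit]

def iff_enforced(rv_text):
    """(ok, reason): ok is True only for a verified IFF association."""
    flags = parse_flags(rv_text)
    if flags is None:
        return (False, "no Autokey flags reported")
    schemes = identity_schemes(flags)
    if "IFF" not in schemes:
        # Assumption: no scheme bit at all means trusted certificate (TC) only.
        found = "/".join(schemes) or "none (TC only)"
        return (False, "identity scheme is %s, not IFF" % found)
    if not flags & CRYPTO_FLAG_VRFY:
        return (False, "IFF offered but identity not verified")
    return (True, "IFF identity verified")

# Constructed samples of `ntpq -c "rv <assoc>"` output, not captured from a host.
VERIFIED_IFF = 'srcadr=server3.example, stratum=2, flags=0x83f21, reach=377'
TC_ONLY = 'srcadr=server3.example, stratum=2, flags=0x83f01, reach=377'
IFF_UNVERIFIED = 'srcadr=server3.example, stratum=2, flags=0x80021, reach=001'

if __name__ == "__main__":
    for label, text in (("verified IFF", VERIFIED_IFF), ("TC only", TC_ONLY),
                        ("IFF unverified", IFF_UNVERIFIED)):
        ok, reason = iff_enforced(text)
        print("%-15s %-6s %s" % (label, "OK" if ok else "ALERT", reason))
```

Run from a boot-time or monitoring hook, a non-OK result can be used to raise an alert or stop the daemon before the client is trusted as a time source.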