[ntp:questions] Iff replaced by TC

David Mills mills at udel.edu
Wed May 13 19:34:57 UTC 2009


Alain,

I don't know what you mean by spoofer, unless you assume it does not 
have the group2 server keys. In any case, upon restart it rolls a new 
private value and the client will retrieve the new cookie via the 
protocol. Since this is a signed exchange, the client could not complete 
the exchange unless the spoofer had the original private sign key. Note 
that, to insure cookie freshness, the server intentionally generates a 
new private value about once per day, forcing its clients to obtain a 
fresh signed cookie.

See the cryptotypes table in the authentication options page. Note that 
it is up to the client whether or not to require an identity exchange. 
If the client has the group parameters, it will attempt the identity 
exchange; otherwise, it is happy with TC. As it says on the page, there 
can be some goofy configurations where a client may have the parameters 
for one group and not for a second one, in which case authentication 
succeeds for both groups, one with IFF the other with TC.

Dave

Bartholome, Alain wrote:

>Hi,
>
>Suppose the following configuration is running, with IFF for each host.
>
>Trusted_1 (group 1)
>    |
>Server 1
>    |
>Server2
>    |
>Trusted_2 (group 2)
>    |
>Server3
>    |
>Client1
>
>Suppose server3 is replaced by a spoofer, server3_spoofer, which has the
>client group2 key and does not have the server group2 key.
>
>Server3_spoofer restarts; IFF is supported on its association with
>trusted_2.
>
>Until client1 restarts or until the new server authentication occurs,
>Server3_spoofer does not have the cookie, so it will not synchronize client1.
>
>If client1 restarts, TC instead of IFF will be used, and client1 will be
>synchronized by Server3_spoofer.
>
>The need here is to prevent any time synchronization if TC is used instead
>of IFF.
>
>As IFF cannot be enforced with ntp configuration, the ntpq flags must be
>checked at least after each restart?
>
>Regards,
>
>Alain.
>
>Alain BARTHOLOMÉ
>EADS Defence and Security
>MetaPole
>1 Boulevard Jean Moulin
>CS 40001
>78996 ELANCOURT CEDEX
>
>_______________________________________________
>questions mailing list
>questions at lists.ntp.org
>https://lists.ntp.org/mailman/listinfo/questions
>
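Alain asks whether the ntpq flags have to be inspected after each restart, and Dave points at the cryptotypes table for what the client ends up with. The script below is an added example for that check; it is not code from either of them nor from the NTP project. It decodes the Autokey status word an Autokey association reports as the `flags=0x...` variable in `ntpq -c "rv <assid>"` output and reports whether the IFF identity exchange actually completed or the association fell back to TC. Assumptions: the bit values are taken from the CRYPTO_FLAG_* definitions in ntp_crypto.h of ntp-4.2.6 and should be checked against the build in use, and the two `rv` excerpts are constructed, not captured from a running ntpd.

```python
import re

# Autokey status word bits. Assumption: these are the CRYPTO_FLAG_* values
# from ntp_crypto.h in ntp-4.2.6; verify them against the header of your build.
CRYPTO_FLAG_ENAB  = 0x0001  # crypto enabled on the association
CRYPTO_FLAG_PRIV  = 0x0010  # private key loaded
CRYPTO_FLAG_IFF   = 0x0020  # IFF identity scheme
CRYPTO_FLAG_GQ    = 0x0040  # GQ identity scheme
CRYPTO_FLAG_MV    = 0x0080  # MV identity scheme
CRYPTO_FLAG_MASK  = 0x00f0  # identity scheme field (empty means TC)
CRYPTO_FLAG_VALID = 0x0100  # certificate valid
CRYPTO_FLAG_VRFY  = 0x0200  # identity verified
CRYPTO_FLAG_PROV  = 0x0400  # signature verified
CRYPTO_FLAG_AGREE = 0x0800  # cookie agreed
CRYPTO_FLAG_AUTO  = 0x1000  # autokey verified
CRYPTO_FLAG_SIGN  = 0x2000  # certificate signed

IDENTITY_NAMES = {CRYPTO_FLAG_IFF: "IFF", CRYPTO_FLAG_GQ: "GQ", CRYPTO_FLAG_MV: "MV"}

# Constructed `ntpq -c "rv <assid>"` excerpts (not real captures).
# First: the client1/server3 association after a completed IFF exchange.
RV_IFF = """associd=49522 status=f61a conf, auth, reach, sel_sys.peer, 1 event, sys_peer,
srcadr=server3.example.net, srcport=123, dstadr=client1.example.net, dstport=123,
leap=00, stratum=3, flash=00 ok, keyid=1234567890, ttl=0, offset=0.012,
flags=0x3f21, host="server3.example.net", signature="sha1WithRSAEncryption",
initsequence=250, initkey=3984712331, timestamp=3449251412
"""
# Second: the same association after client1 restarted without usable IFF group
# parameters, so it authenticated with TC (identity field empty, VRFY clear).
RV_TC = RV_IFF.replace("flags=0x3f21", "flags=0x3f01")


def parse_status_word(rv_output):
    """Return the Autokey status word from rv output, or None when absent
    (associations using symmetric keys or no authentication have none)."""
    m = re.search(r"\bflags=0x([0-9a-fA-F]+)", rv_output)
    return int(m.group(1), 16) if m else None


def identity_scheme(flags):
    """Name the identity scheme field: IFF, GQ, MV (or a '+' join), TC if empty."""
    field = flags & CRYPTO_FLAG_MASK
    if field == 0:
        return "TC"
    return "+".join(name for bit, name in IDENTITY_NAMES.items() if field & bit)


def check_association(rv_output, required="IFF"):
    """Decide whether the association may be trusted as `required` (IFF by default).
    Returns (ok, reason). A TC fallback, or an IFF scheme whose identity exchange
    has not completed, is reported as not ok."""
    flags = parse_status_word(rv_output)
    if flags is None:
        return False, "no Autokey status word: association is not using Autokey"
    if not flags & CRYPTO_FLAG_ENAB:
        return False, "Autokey not enabled on this association"
    scheme = identity_scheme(flags)
    if scheme != required:
        return False, f"identity scheme is {scheme}, {required} required"
    if not flags & CRYPTO_FLAG_VRFY:
        return False, f"{required} scheme selected but identity not yet verified"
    if not flags & CRYPTO_FLAG_AGREE:
        return False, "cookie not yet agreed; wait for the exchange or check the server"
    return True, f"{required} identity verified and cookie agreed"


if __name__ == "__main__":
    for label, text in (("after IFF", RV_IFF), ("after restart, TC", RV_TC)):
        ok, why = check_association(text)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({why})")
```

In use, run `ntpq -c as` for the association ids, feed each `ntpq -c "rv <assid>"` output to `check_association`, and treat a TC result on a server that is supposed to present IFF as exactly the case Alain describes: the server was authenticated, but not as a member of the group.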




