[ntp:questions] IA approved COTS NTP servers question

unruh unruh at wormhole.physics.ubc.ca
Tue Jun 8 18:24:47 UTC 2010

On 2010-06-08, Rob <nomail at example.com> wrote:
> Terje Mathisen <"terje.mathisen at tmsw.no"> wrote:
>> Running everything directly on the protocol's recommended platform, and 
>> with source code for everything, would make it very easy to document 
>> that the server is on spec.
> I wonder if they would consider the presence of source code (and the
> implied possibility of hand-checking all of it to make sure it is secure)
> would be sufficient.  It would probably fit in some bureaucratic
> ruleset, but we all know that security issues *are* found in open source
> products.  Even with only port 123 open, there could always be some
> as of yet unknown security issue in ntpd.  It would certainly not be
> very easy to prove, using the source code, that there is none.

That depends on what use is made of port 123. If it is simple enough
then proving security, at least of the handling of net input, should not be hard.
To prove that ntpd exactly follows spec for all its operation would be

