[ntp:questions] Will AutoKey setup work on a NAT host behind a firewall?

David L. Mills mills at udel.edu
Wed Nov 10 15:05:50 UTC 2010


Harry,

Symmetric key cryptography works fine behind a NAT box. See the 
Authentication Support page in the official NTP documentation on 
ntp.org. As I said, the intended Autokey model is for the server and 
client to live on the Internet side of the NAT box and have it serve 
time to the internal network via a separate interface.

Dave

Harry wrote:

>On Nov 10, 2:59 am, "David L. Mills" <mi... at udel.edu> wrote:
>
>>Harry,
>>
>>Autokey is not designed to work behind NAT boxes. The Autokey server and
>>client must have the same (reversed) IP addresses. The intended model is
>>using two interfaces, one for the Internet side running Autokey, the
>>other for the inside net on the other side of the NAT box.
>>
>>Dave
>>
>>Harry wrote:
>>
>>>Hello,
>>>
>>>I want to employ the AutoKey method of securing NTP.
>>>
>>>Basically, I want one host that would act as an NTP client of an
>>>external NTP server, talking AutoKey. This NTP client is to become the
>>>NTP server for other hosts on the intranet. All these hosts are behind
>>>a corporate firewall and are very likely using NAT / IP masquerading
>>>as well. (I can tell NAT / IP masquerading is in use in our
>>>environment because all hosts report the same IP address at
>>>http://www.whatismyipaddress.com.)
>>>
>>>I ask this question because I ran into a circa 2004 link
>>>(http://www.ecsirt.net/tools/crypto-ntp.html) that says,
>>>   Be Aware!
>>>   Before we start building ntpd, one important notice:
>>>   NTP with Autokey does not work from a host that is behind a
>>>   masquerading or NAT host!
>>>
>>>Is this a conceptual / fundamental limitation, or something related to
>>>the NTP version? If the latter, I'm hoping that it would probably have
>>>been fixed by now.
>>>
>>>If AutoKey and NAT don't go together conceptually, what would be my
>>>next best option for securing NTP? The MD5 method is there, but it is
>>>symmetric cryptography and prone to man-in-the-middle attacks... which
>>>is why, btw, I was hoping to be able to employ AutoKey.
>>>
>>>Many thanks,
>>>/HS
>>>
>>>_______________________________________________
>>>questions mailing list
>>>questi... at lists.ntp.org
>>>http://lists.ntp.org/listinfo/questions
>>
>
>
>Dave, I really appreciate your response to my newbie question.
>
>May I ask (you or other users of this forum)...
>
>1. What, then, would be the next best way (MD5-based symmetric key
>mode?) of syncing up a behind-NAT NTP client from an external NTP
>server in a tamper-proof manner? I'm not competent/powerful enough to
>advise the powers that be in my organization to have an Autokey NTP
>client outside our NAT/Firewall; most likely, I'll be told to continue
>to operate from behind the NAT/Firewall.
>
>2. What physical/network setup should Autokey-desiring NTP clients
>follow? Is it OK, e.g., to have an Autokey client host (AkH) outside
>one's NAT network and have all the hosts inside the NAT network use
>AkH as an NTP server?
>
>I also skimmed through your (excellent) book on NTP. I was hoping to find
>a mention of NAT in Chapter 9, but didn't. Not complaining, just humbly/
>respectfully bringing it up. So, please do elaborate here if you can
>on this issue.
>
>Many thanks in advance,
>/HS
>
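
As an added example (not code from this thread and not the ntp.org reference implementation), the Python below models the symmetric-key authentication Dave points Harry to. The MAC ntpd appends is keyid || digest(key || NTP header), computed only over the NTP payload and never over the IP/UDP headers; that is the whole reason a NAT box rewriting addresses and ports leaves it verifiable, whereas Autokey's identity exchange is tied to the peer addresses. Key ids, secrets and timestamps here are constructed for the demo. It also shows the origin-timestamp check a client must make on top of the MAC, since the MAC alone does not stop an on-path attacker replaying an older, correctly authenticated reply.

```python
# Added example, not code from the mailing-list thread or from ntpd: a minimal
# model of NTP symmetric-key authentication (RFC 5905 section 7.3 / Appendix A)
# and the ntp.keys file format. Secrets and timestamps below are constructed.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48           # fixed header only; no extension fields modelled
HDR_FMT = "!BBbb3I4Q"         # li/vn/mode, stratum, poll, precision, 3x32-bit, 4x64-bit

# Constructed ntp.keys contents (hypothetical secrets). ntpd convention assumed:
# MD5 keys are printable ASCII, SHA1 keys are 40 hex digits.
SAMPLE_KEYS_FILE = """\
# keyid  type  key
1 MD5  ExampleSharedSecret
2 SHA1 0123456789abcdef0123456789abcdef01234567
"""

DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def parse_keys_file(text):
    """Return {keyid: (digest_name, raw_key_bytes)} from ntp.keys-style text."""
    keys = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        keyid, ktype, key = line.split(None, 2)
        ktype = ktype.upper()
        if ktype not in DIGESTS:
            raise ValueError("unsupported key type %s" % ktype)
        raw = bytes.fromhex(key) if ktype == "SHA1" else key.encode("ascii")
        keys[int(keyid)] = (ktype, raw)
    return keys


def build_client_request(xmit_ts=0xE000000100000000):
    """48-byte NTPv4 client (mode 3) header; only the transmit timestamp matters."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 -> 0x23
    return struct.pack(HDR_FMT, li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, xmit_ts)


def append_mac(packet, keyid, keys):
    """MAC = keyid (4 bytes) || digest(key || packet). This is a prefix keyed
    hash, not HMAC, exactly as RFC 5905 Appendix A computes it (one reason
    RFC 8573 deprecates MD5 here in favour of AES-CMAC)."""
    ktype, raw = keys[keyid]
    return packet + struct.pack("!I", keyid) + DIGESTS[ktype](raw + packet).digest()


def verify_mac(auth_packet, keys):
    """True only if the trailing MAC verifies under a key we trust. A bare
    48-byte packet (no MAC) is unauthenticated; an unknown keyid is the
    equivalent of one missing from ntpd's 'trustedkey' list."""
    if len(auth_packet) < NTP_HEADER_LEN + 4:
        return False
    body, mac = auth_packet[:NTP_HEADER_LEN], auth_packet[NTP_HEADER_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in keys:
        return False
    ktype, raw = keys[keyid]
    return hmac.compare_digest(mac[4:], DIGESTS[ktype](raw + body).digest())


def build_server_response(request, keyid, keys, recv_ts, xmit_ts):
    """Authenticated mode 4 reply; origin timestamp echoes the client's transmit
    timestamp. Stratum 1 with refid 'GPS\\0' is just a constructed value."""
    client_xmit = struct.unpack(HDR_FMT, request[:NTP_HEADER_LEN])[10]
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    body = struct.pack(HDR_FMT, li_vn_mode, 1, 6, -20, 0, 0, 0x47505300,
                       0, client_xmit, recv_ts, xmit_ts)
    return append_mac(body, keyid, keys)


def client_accepts(request, response, keys):
    """What a careful client checks: a valid MAC under a trusted key AND an
    origin timestamp equal to what it sent. The second check is what defeats
    replay of an old reply whose MAC is perfectly genuine."""
    if not verify_mac(response, keys):
        return False
    fields = struct.unpack(HDR_FMT, response[:NTP_HEADER_LEN])
    mode, origin_ts = fields[0] & 0x07, fields[8]
    sent_ts = struct.unpack(HDR_FMT, request[:NTP_HEADER_LEN])[10]
    return mode == 4 and origin_ts == sent_ts


def demo():
    keys = parse_keys_file(SAMPLE_KEYS_FILE)
    req = build_client_request(xmit_ts=0xE000000100000000)
    auth_req = append_mac(req, 1, keys)
    resp = build_server_response(auth_req, 1, keys, 0xE000000180000000, 0xE000000190000000)
    tampered = bytearray(resp)
    tampered[40] ^= 0x01                           # flip a bit in the transmit timestamp
    old_req = build_client_request(xmit_ts=0xE000000000000000)
    stale = build_server_response(old_req, 1, keys, 0xE000000080000000, 0xE000000090000000)
    forged = append_mac(req, 9, {9: ("MD5", b"attacker-guess")})   # key we never trusted
    return {
        "md5_mac_len": len(auth_req) - NTP_HEADER_LEN,            # 4 + 16
        "sha1_mac_len": len(append_mac(req, 2, keys)) - NTP_HEADER_LEN,  # 4 + 20
        "genuine": client_accepts(req, resp, keys),
        "tampered": client_accepts(req, bytes(tampered), keys),
        "replayed_mac_ok": verify_mac(stale, keys),               # MAC alone passes...
        "replayed": client_accepts(req, stale, keys),             # ...origin check fails
        "unknown_key": verify_mac(forged, keys),
        "unauthenticated": verify_mac(req, keys),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the MAC depends on the source or destination address, so the same key file on both ends is all a NAT'd client needs: on the client, `keys /etc/ntp.keys`, `trustedkey 1` and `server <address> key 1`; on the server, the same `keys` and `trustedkey` lines with the same secret for key id 1. What symmetric keys do not solve is key distribution: the secret has to reach both sides out of band, and a client that only verifies the MAC without checking the origin timestamp is still open to replay of an earlier genuine reply.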
