[ntp:questions] Secure NTP

jimp at specsol.spam.sux.com jimp at specsol.spam.sux.com
Fri Mar 25 04:59:28 UTC 2011


Chris Albertson <albertson.chris at gmail.com> wrote:
> On Thu, Mar 24, 2011 at 4:18 PM,  <jimp at specsol.spam.sux.com> wrote:
>> Hal Murray <hal-usenet at ip-64-139-1-69.sjc.megapath.net> wrote:
>>> In article <ghps58-1a.ln1 at mail.specsol.com>,
>>> jimp at specsol.spam.sux.com writes:
>>>
>>>>When I see questions like this my first response is "Why all the bother?".
>>>>
>>>>There is nothing secret or proprietary about the time of day.
>>>>
>>>>Since all NTP servers provide UTC, the service reveals nothing about the
>>>>machine other than the fact that the clock is correct.
>>>>
>>>>If you don't want your resources utilized by outsiders, you just block
>>>>access to the NTP port for everyone but your own clients as a blocked
>>>>port uses less resources than denying an unsucessful authorization does.
>>>>
>>>>Am I missing something??
>>>
>>> Yes.  The encryption also verifies that you are talking to the
>>> server you think you are talking to rather than an imposter.
>>
>> If you specify the server by IP address, how does that happen and who
>> would bother to do it?
> 
> The most obvious and easy way is that I cut the wire that goes from
> your house to your ISP and place a computer (and modems)  at the cut
> point.  It can change any bit in any packet.  I would not bother with
> your house but a bank, maybe.

Childish fantasy that shows zero understanding of how such things work.

> If I could make transactions that were backdated I could make a lot of
> money even if only slightly back dated by 10 seconds.

Yeah, if you could do that, but you can't.

>> IP hijacking will disrupt a lot more than just NTP.
> 
> It can but,  that is up to the hijacker.   A "man in the middle"
> attack can filter network packets and change only the bits he wants
> changed

Yeah, right, like the time in NTP packets.

>> If your server and its clients are on a corporate network, which is the
>> usual case for having one's own server, how does this happen?
> 
> Outsider has taken control of a computer that lives inside your network

If that happens you have a lot more to worry about then the time on some
client machines, like your total lack of competence.

> In general your arguments follows a common mistake.  It is equivalent
> to  "I can't figure it out so therefor it can't happen".   It is never
> valid to argue "it's imposable because I can't figure any way to....".
>   To claim something is imposable you need something that is very
> much like a mathematical proof.

I never claimed it is "impossible" to disrupt an NTP server.
 
My arguement is that if the correct time is important it is trival
to ensure that with a proper setup and without jumping through hoops.
 

-- 
Jim Pennino

Remove .spam.sux to reply.




More information about the questions mailing list