[ntp:questions] Secure NTP

jimp at specsol.spam.sux.com jimp at specsol.spam.sux.com
Sun Mar 27 21:43:04 UTC 2011

Richard B. Gilbert <rgilbert88 at comcast.net> wrote:
> On 3/25/2011 11:40 AM, jimp at specsol.spam.sux.com wrote:
>> Uwe Klein<uwe_klein_habertwedt at t-online.de>  wrote:
>>> jimp at specsol.spam.sux.com wrote:
>>>> If you specify the server by IP address, how does that happen and who
>>>> would bother to do it?
>>> The $something trading solutions that require exact timematch
>>> ( remember the recent rush of ntp users
>>>    requiring u-second global time match )
>>> over a set of widely distributed hosts allow fraud in
>>> various ways if you can manipulate the time for some select host.
>> One more time, if time is critical to your operation you do NOT have one
>> and only one NTP server.
>> You have serveral servers with local GPS and CDMA NTP boxes.
>> Let's see you spoof the Internet, GPS, and CDMA all at the same time.
> Any two would be sufficient!

Nope, Assuming you had three independant sources of NTP information, you
would have to spoof two of them identically, which is virtually impossible
for anything less than a government, or two of the three would just appear
to be "failed".

Jim Pennino

Remove .spam.sux to reply.

More information about the questions mailing list