[ntp:security] [Bug 2901] Clients that receive a KoD should validate the origin timestamp field.

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Wed Aug 26 05:10:20 UTC 2015


Harlan Stenn <stenn at ntp.org> changed:

           What    |Removed                     |Added
             Status|UNCONFIRMED                 |CONFIRMED
     Ever Confirmed|0                           |1

--- Comment #4 from Harlan Stenn <stenn at ntp.org> 2015-08-26 05:10:20 UTC ---
There are clearly problems with any choice here.

Majdi is right, it's possible to launch a DOS attack against a server by
sending it a properly-chosen set of packets designed to throw off the clock and
then send KoD packets to prevent the target from acquiring correct time from
good servers.

I'm now wondering about the situation where if the association is
authenticated, we'd only believe a KoD packet from the server if it was
similarly authenticated.

There are potential problems no matter what we do here.

There are conflicting/complementary mechanism choices here.  We need to let
folks make local policy choices.
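
The checks under discussion in this bug, written out as an added example that is not part of the original message and is not ntpd code: a KoD is acted on only if its origin timestamp matches the transmit timestamp of an outstanding request and, when local policy asks for it, only if an authenticated association received it with a valid MAC. All struct, field and function names are hypothetical, and the sample values in main() are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified views of a received packet and a client association. */
struct kod_pkt {
    uint8_t  stratum;   /* 0 marks a kiss-o'-death packet */
    char     refid[4];  /* kiss code, e.g. "RATE" */
    uint64_t org;       /* origin timestamp echoed back by the sender */
    bool     mac_ok;    /* packet carried a MAC and it verified */
};

struct assoc {
    uint64_t last_xmt;         /* transmit timestamp of our pending request, 0 = none */
    bool     authenticated;    /* association is configured with a key */
    bool     require_auth_kod; /* local policy knob (assumption, not an ntpd option) */
};

enum kod_verdict { KOD_ACCEPT, KOD_NOT_KOD, KOD_NO_REQUEST, KOD_BAD_ORIGIN, KOD_UNAUTH };

/* Decide whether a KoD may change this association's behaviour. */
enum kod_verdict kod_check(struct assoc *a, const struct kod_pkt *p)
{
    if (p->stratum != 0)
        return KOD_NOT_KOD;
    if (a->last_xmt == 0)
        return KOD_NO_REQUEST;   /* unsolicited: we have nothing outstanding */
    if (p->org != a->last_xmt)
        return KOD_BAD_ORIGIN;   /* sender never saw our request */
    if (a->authenticated && a->require_auth_kod && !p->mac_ok)
        return KOD_UNAUTH;       /* keyed association, unkeyed KoD */
    a->last_xmt = 0;             /* consume the request: one reply per query */
    return KOD_ACCEPT;
}

int main(void)
{
    /* Constructed sample values. */
    struct assoc a = { 0xD9A1B2C3D4E5F607ULL, true, true };
    struct kod_pkt spoofed = { 0, {'R','A','T','E'}, 0x1111111111111111ULL, false };
    struct kod_pkt genuine = { 0, {'R','A','T','E'}, 0xD9A1B2C3D4E5F607ULL, true };

    printf("spoofed KoD verdict: %d\n", kod_check(&a, &spoofed)); /* KOD_BAD_ORIGIN */
    printf("genuine KoD verdict: %d\n", kod_check(&a, &genuine)); /* KOD_ACCEPT */
    return 0;
}
```

A rejected KoD leaves `last_xmt` untouched, so a forged packet cannot cancel the pending request before the real reply arrives.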
