[ntp:security] [Bug 3045] Bad authentication demobilizes ephemeral associations

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri May 13 09:08:14 UTC 2016


http://bugs.ntp.org/show_bug.cgi?id=3045

--- Comment #3 from Harlan Stenn <stenn at ntp.org> 2016-05-13 09:08:14 UTC ---
Miroslav,

There are several things going on here, and they affect different scenarios.

One is that we're about do install additional timestamp checks in the code to
prevent the bulk of the crypto-NAK forgeries.

The second goes to unpeer_digest_early.  By default, this value is enabled
because under normal conditions calling unpeer() early, ie, upon receipt of a
(valid) crypto-NAK is a good thing - it gets the association re-synched about 8
pool intervals sooner, and without losing those 8 polls.

If you have a machine that is not being frequently "attacked" with spoofed
crypto-NAK packets, the default behavior is best.

If you have a machine that *is* being frequently successfully attacked (this
attack will be more difficult starting with 4.2.8p8) then putting "disable
unpeer_digest_early" is probably best.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the security mailing list