[ntp:security] NOEPEER patch

Harlan Stenn stenn at nwtime.org
Fri Aug 3 05:51:04 UTC 2018

OK, I had a talk with Dave today.

This gets more fascinating to me, and more intricate.

First, Dave says that the response to a symmetric mode request should
always be a symmetric mode response.  No big surprise here, but I was
thinking about some aspects of the windows client thing.

Next, we talked about crypto-NAKs.

If a valid crypto-NAK is received, it really doesn't matter:

- what mode it is (although it should be appropriate to the request)
- what ANY of the content values are (LI bits, timestamps, etc,
  other than the stamps to show it is a valid response packet)

because EVERY client that receives a valid crypto-NAK should squawk and
then drop the packet.  There is NO CASE where the crypto-NAK packet
should be expected to contain valid response data.

So we're back to:

- why did a crypto-NAK get sent?
- why did the receiving system think the crypto-NAK was invalid?

Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!

More information about the security mailing list