[ntp:security] NOEPEER patch
stenn at nwtime.org
Fri Aug 3 05:51:04 UTC 2018
OK, I had a talk with Dave today.
This gets more fascinating to me, and more intricate.
First, Dave says that the response to a symmetric mode request should
always be a symmetric mode response. No big surprise here, but I was
thinking about some aspects of the windows client thing.
Next, we talked about crypto-NAKs.
If a valid crypto-NAK is received, it really doesn't matter:
- what mode it is (although it should be appropriate to the request)
- what ANY of the content values are (LI bits, timestamps, etc,
other than the stamps to show it is a valid response packet)
because EVERY client that receives a valid crypto-NAK should squawk and
then drop the packet. There is NO CASE where the crypto-NAK packet
should be expected to contain valid response data.
So we're back to:
- why did a crypto-NAK get sent?
- why did the receiving system think the crypto-NAK was invalid?
Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!
More information about the security