[ntp:security] NOEPEER patch

Harlan Stenn stenn at nwtime.org
Mon Jul 30 08:41:47 UTC 2018

Hi Martin,

On 7/30/2018 1:26 AM, Martin Burnicki wrote:
> Hi Harlan,
> I'm back at the office right now. We had the NOEPEER patch you sent me
> applied to the ntpd that is shipped with our latest LANTIME firmware
> version. This basically works as expected, but ...

I'm glad to hear you're feeling better.

> We have some customers with a huge number of Windows clients running
> w32time, and by default these machines still send "symmetric active"
> packets (without proper authentication, of course) to the configured NTP
> server. :-(

I did see this code branch when making the patch, and I did my best to
avoid changing anything there, as I haven't been able to test this case.

> Without the NOEPEER patch these clients got a reply from ntpd running on
> our LANTIMEs, but with the NOEPEER patch these clients don't receive a
> reply at all, if the NOEPEER keyword is used (and of course we *do* want
> to use it), so they don't synchronize to our LANTIMEs if the customers
> upgrade the firmware.
> Of course it is possible to configure w32time such that it sends
> "client" requests instead of "symmetric active" requests by using the
> following command on the Windows machine:
>   w32tm /configure /manualpeerlist:"pool.ntp.org,0x8" \
>         /syncfromflags:MANUAL /update
> The important thing here is the ",0x8" flag. Anyway, it is quite
> cumbersome to reconfigure a huge number of clients in a financial
> network where each configuration change of the client needs to be
> tested, documented, and certified.


> The same problem has already been discussed in 2008, where DLM said ntpd
> should just send a "symmetric passive" reply back to such clients, but
> should *not* mobilize an association:
> https://groups.google.com/d/msg/comp.protocols.time.ntp/b1fYqZ1VEio/7_HSCBt-sAEJ
> As I've mentioned in a reply to DLM's post in that thread, the problem
> had even been mentioned by DLM back in 2002:
> https://groups.google.com/d/msg/comp.protocols.time.ntp/WlClEg_IB4w/vnyhqB0_llEJ
> and in another post DLM said he had implemented a workaround in ntpd:
> https://groups.google.com/d/msg/comp.protocols.time.ntp/WlClEg_IB4w/p6nFlsoymRkJ
> So ntpd would send a reply to the client, but would not mobilize an
> association for the remote peer unless the remote peer properly
> authenticates.
> This sounds absolutely reasonable to me, and I wonder why, when and for
> which reasons the ntpd code was obviously changed to accept such
> unauthenticated "symmetric active" requests, and mobilize an ephemeral
> peer association in such case, so that and extra NOEPEER keyword is
> needed to avoid this.
> With DLM's original solution there was no security problem, no need for
> an extra NOEPEER keyword, and this worked just like I'd expect it to.

I don't think I was involved in that discussion or coding.

I'm assuming it's not that important that we find out who was involved,
it's more important that we fix this ASAP.

Similarly, it's too bad that we didn't know about this before I released
the proposed tarball.  But we're past that now.

> With the latest NOEPEER patch such "symmetric active" requests are
> simply dropped, but IMO it would be good to get the behavior back that
> was initially implemented by DLM, i.e. send a "symmetric passive" reply
> back, but don't mobilize an association, unless authenticated.
> Do you think we can modify the patch so that we get this behavior back
> in p12? It shouldn't be too hard to get it.

Yes, I'm happy to find a solution to this and include it in p12.

Do you know if the Windows client will be upset if it gets back a mode 4
(server) response instead of a mode 2 (passive symmetric) response?

Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!

More information about the security mailing list