[ntp:security] NOEPEER patch

Harlan Stenn stenn at nwtime.org
Mon Jul 30 09:05:40 UTC 2018



On 7/30/2018 1:56 AM, Martin Burnicki wrote:
> Harlan Stenn wrote:
> [...]
>> I don't think I was involved in that discussion or coding.
> 
> At least you haven't commented in those threads. ;-)
> 
>> I'm assuming it's not that important that we find out who was involved,
>> it's more important that we fix this ASAP.
> 
> Yes.
> 
>> Similarly, it's too bad that we didn't know about this before I released
>> the proposed tarball.  But we're past that now.
> 
> Yes.
> 
>>> With the latest NOEPEER patch such "symmetric active" requests are
>>> simply dropped, but IMO it would be good to get the behavior back that
>>> was initially implemented by DLM, i.e. send a "symmetric passive" reply
>>> back, but don't mobilize an association, unless authenticated.
>>>
>>> Do you think we can modify the patch so that we get this behavior back
>>> in p12? It shouldn't be too hard to get it.
>>
>> Yes, I'm happy to find a solution to this and include it in p12.
> 
> That would be really good.
> 
>> Do you know if the Windows client will be upset if it gets back a mode 4
>> (server) response instead of a mode 2 (passive symmetric) response?
> 
> I haven't tried this, yet, but I'm going to investigate.

Thanks - while it probably doesn't matter to *us* if we reply with a
mode 4 or a mode 2 packet, it might matter to the windows client, and
that response is the key issue here.

> Would this be easier or more straightforward? With sending a passive
> symmetric response it should work anyway ...

What we send back to the windows client is no problem either way.

The "hole" you found is from where we originally delayed the NOEPEER
check, and when I looked at that code I saw how we could avoid the
problem completely.  Unfortunately, I didn't realize that this was a
code path for the broken windows clients as well.

It's after 0200 here, and I'll look at this for as long as I can tonight.

-- 
Harlan Stenn, Network Time Foundation
http://nwtime.org - be a Member!


More information about the security mailing list