[ntp:hackers] Autokey identity keys
David L. Mills
mills at udel.edu
Sun Nov 4 15:11:09 UTC 2007
Hal,
Problem is, at least with my FIOS connection, the inside address is a
192.168 thing. I would assume the router box translates that to a
routable address to reveal outside. A workaround might be an extended
cookie included with every packet.
Dave
Hal Murray wrote:
>> The scheme is very easy to use; the directions are in the
>> Authentication Options and ntp-keygen documentation pages. The group
>> name for pogo.udel.edu is pogo and for rackety.udel.edu is rackety.
>
>
>> The key dissemination scheme is preliminary and might be refined in
>> future. I would be much interested in comments and bug reports.
>
>
> authopt.html says:
> Autokey authenticates individual packets using cookies bound to the IP
> source and destination addresses. The cookies must have the same
> addresses at both the server and client. For this reason operation
> with network address translation schemes is not possible. This
> reflects the intended robust security model where government and
> corporate NTP servers are operated outside firewall perimeters.
>
> My home DSL "modem" includes a NAT box. I think that's reasonably common.
> It probably also covers many small businesses.
>
>
> If ntpd knew the IP Address of the outside of the NAT box (say via the config
> file), could it use that when computing the autokey cookies?
>
>
>