[ntp:hackers] Autokey identity keys

Hal Murray hmurray at megapathdsl.net
Sun Nov 4 22:35:37 UTC 2007


> Problem is, at least with my FIOS connection, the inside address is a
> 192.168 thing. I would assume the router box translates that to a
> routable address to reveal outside. A workaround might be an extended
> cookie included with every packet. 

I'm pretty sure this is roughly what my NAT box does:

  For a packet going out:
    Check for an existing connection.
      If none, assign a new port number and create a connection.
      (That port number goes with the external IP address of the NAT box.)
    Patch the source IP address and port from the connection.
    Forward the modified packet.

  For a packet coming in:
    Check for an existing connection.
      If none, drop or send ICMP no-such-port
    Patch the destination IP address and port from the connection.
    Forward the modified packet.

Thus the local IP Address and port are the only changes between the external and internal versions of the packet.

I was assuming that the "cookie" was a cryptographic hash using:
    session key
    source IP Address
    dest IP address
    NTP payload (packet type, 4 time stamps, ...)

If so, then just using the external IP address of the NAT box rather than the IP address of the ntpd system when doing the calculations would construct a packet that will pass inspection when it gets to the other end or verify as good when a valid packet arrives.

I am assuming that the port numbers are not used for security.


The above NAT description only covers the typical client case where the local machine sends the first packet.

The server case, where the first packet comes from the outside, requires a configuration table that assigns a local IP address to be the server for anything that arrives on a specified port number.  I haven't thought much about the fine print, but it seems to do the right thing in all the cases I've tried.  (It may be as simple as checking the server table and setting up a connection on the drop or ICMP path above.)
-- 
These are my opinions, not necessarily my employer's.  I hate spam.
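The two ideas in the message above (a port-translating NAT with a connection table plus a server table, and an address-bound cookie that has to be computed over the NAT box's external address rather than the ntpd host's 192.168 address) can be checked against each other in a small model. The following is an added example written for this archive page; it is not Hal Murray's code and not ntpd's or Autokey's actual cookie construction. It assumes HMAC-SHA256 as the keyed hash, leaves the port numbers out of the hash as the message assumes, and uses constructed addresses from the RFC 5737 documentation ranges.

```python
"""Toy model of the NAT behaviour and the address-bound cookie discussed above.
Addresses, session key and payloads are constructed for the example; the hash
(HMAC-SHA256 over key, both addresses and payload) is an assumption, not Autokey's."""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    cookie: bytes = b""


class Nat:
    """Port-translating NAT: outbound packets get the external IP and a fresh port,
    inbound packets are mapped back through the connection table, and an inbound
    packet with no connection is dropped unless a server-table entry matches."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out = {}           # (local_ip, local_port, peer_ip, peer_port) -> external port
        self.back = {}          # (external port, peer_ip, peer_port) -> (local_ip, local_port)
        self.server_table = {}  # external port -> (local_ip, local_port)

    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:                       # no connection yet: create one
            ext_port, self.next_port = self.next_port, self.next_port + 1
            self.out[key] = ext_port
            self.back[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # patch source address and port from the connection, then forward
        return replace(pkt, src_ip=self.external_ip, src_port=self.out[key])

    def inbound(self, pkt):
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.back:
            if pkt.dst_port not in self.server_table:
                return None                           # drop / ICMP port unreachable
            local = self.server_table[pkt.dst_port]   # server case: set up a connection here
            self.back[key] = local
            self.out[local + (pkt.src_ip, pkt.src_port)] = pkt.dst_port
        local_ip, local_port = self.back[key]
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)


def cookie(session_key, src_ip, dst_ip, payload):
    """Keyed hash over session key, both addresses and the NTP payload; ports excluded."""
    msg = src_ip.encode() + b"|" + dst_ip.encode() + b"|" + payload
    return hmac.new(session_key, msg, hashlib.sha256).digest()[:16]


def verify(session_key, pkt, src_ip=None, dst_ip=None):
    """Recompute the cookie, optionally substituting the addresses the peer actually saw."""
    expected = cookie(session_key, src_ip or pkt.src_ip, dst_ip or pkt.dst_ip, pkt.payload)
    return hmac.compare_digest(pkt.cookie, expected)


def demo():
    key = b"constructed-session-key"
    nat = Nat("203.0.113.7")                          # NAT box external address (constructed)
    client, server = "192.168.1.20", "198.51.100.10"  # inside host and remote server (constructed)
    req = b"NTP request: mode 3, four timestamps..."  # constructed payload
    results = {}

    # 1. Cookie computed over the client's own 192.168 address fails once NAT rewrites it.
    naive = Packet(client, 123, server, 123, req)
    naive = replace(naive, cookie=cookie(key, naive.src_ip, naive.dst_ip, req))
    results["naive_request_verifies"] = verify(key, nat.outbound(naive))

    # 2. Cookie computed over the NAT's external address passes; the port rewrite is irrelevant.
    aware = replace(naive, cookie=cookie(key, nat.external_ip, server, req))
    on_wire = nat.outbound(aware)
    results["aware_request_verifies"] = verify(key, on_wire)
    results["external_port_rewritten"] = on_wire.src_port != 123

    # 3. The reply targets external_ip:ext_port; NAT patches the destination back to the client,
    #    so the client must verify with the external address in the destination slot.
    rep = b"NTP reply: mode 4, four timestamps..."
    reply = Packet(server, 123, on_wire.src_ip, on_wire.src_port, rep)
    reply = replace(reply, cookie=cookie(key, server, nat.external_ip, rep))
    delivered = nat.inbound(reply)
    results["reply_delivered_to_client"] = delivered is not None and delivered.dst_ip == client
    results["reply_verifies_with_own_ip"] = verify(key, delivered)
    results["reply_verifies_with_external_ip"] = verify(key, delivered, dst_ip=nat.external_ip)

    # 4. An unsolicited inbound packet with no connection and no server entry is dropped.
    stray = Packet(server, 123, nat.external_ip, 12345, b"unsolicited")
    results["stray_dropped"] = nat.inbound(stray) is None

    # 5. Server case on a fresh NAT: a server-table entry lets the first inbound packet
    #    create the connection on what would otherwise be the drop path.
    nat2 = Nat("203.0.113.7")
    nat2.server_table[123] = (client, 123)
    first = Packet(server, 123, nat2.external_ip, 123, b"server-case request")
    results["server_table_forwards"] = nat2.inbound(first) == replace(first, dst_ip=client)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The model makes the message's point concrete: because the NAT box changes only the address and port, a cookie that binds addresses but not ports survives translation exactly when both ends hash the external address, and an inbound packet without a connection or server-table entry never reaches the inside host at all.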