[ntp:hackers] Autokey identity keys

Brian Utterback Brian.Utterback at Sun.COM
Mon Nov 5 03:07:50 UTC 2007


Rob Neal wrote:
>
>  Say, for arguments sake, changes are made to ntpd that allow
>  one to specify the external nat address for autokey in place
>  of the 192.168.x.y at the endpoint.
>
>  1) What happens if somebody *else* behind your NAT box
>     tries to do the same thing to the same (external) server? boom...
>   

What happens now if two different clients or servers behind a NAT try to connect to the same upstream system? I think indeed boom either way. This is one reason I have always argued against IP address as an authentication mechanism.

>  2) Changes such as the above would seem to make masquerade all
>     too easy for evildoers, or the terminally confused.
>   

It doesn't make it any easier in the grand scheme of things. How long do you think it would take me to hack that into the source? All you have done by not doing it is changed from "a simple matter of configuration" to "a simple matter of programming".

>  3) Wanna explain this one to the auditors? In certain environments,
>     this could be a killer for trying to maintain traceability.
>   

Don't see how. Auditing on which end? If you are talking about his end, then the IP addresses are different. Same at the NAT. At the other end there has to be a way to tell which is which in any other scheme that might be used.

Consider, NTP also requires that port 123 be used in many instances. Again, how would you allow two local addresses to use the same NAT'ed address and port 123 at the same time?

>
> Rob
Brian Utterback
