[ntp:hackers] Autokey identity keys

Danny Mayer mayer at ntp.isc.org
Mon Nov 5 03:32:36 UTC 2007


Hal Murray wrote:
>>> If so, then just using the external IP address of the NAT box
>>> rather than the IP address of the ntpd system when doing the
>>> calculations would construct a packet that will pass inspection
>>> when it gets to the other end or verify as good when a valid
>>> packet arrives.
> 
>> Well yes, but what does that buy you?
> 
> It allows people behind a NAT box to use Autokey.
> 
> 
>> It's not really a cookie but it does use the source address at each
>>  end. In the case of a NAT it ends up using the source address of
>> the NAT rather than the sending client.
> 
> The idea I had in mind was an addition to the config file to specify
> the external IP address of the NAT box so ntpd could use it for the
> crypto calculations wherever it would have used the local IP address.
> 
> 
> That assumes a static IP Address on the external side of the NAT box.
> 

That's an invalid assumption. It's known to be false.

>> I'm not sure what you mean by the it that does the right thing
>> here. For that matter I don't know where you are going with this
>> since NAT breaks the Autokey protocol among many other protocols.
> 
> Sorry.  What I meant by "it" was the code in my NAT box.  It seems to
> handle everything I have tried.
> 

Except not muck with your source IP address. That's the one thing it
must *not* do and that's what NAT does.

> I'm not trying to defend NAT, but it is in wide use.

I'm aware of that but we are talking about something that is fundamental
to the way that NAT works.

>  It might be
> worth some kludgery to ntpd in order to make autokey work when ntpd
> is behind a NAT box.
> 
No, a kludge means that it can be spoofed. That's just not acceptable.

> If I understand things, no changes are required in the protocol.

Umm, it probably will *break* the protocol.

Danny
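To make concrete why the thread agrees that NAT breaks an address-bound scheme, here is an added example (not ntpd's code, and not the exact RFC 5906 derivation): a key is derived from the source and destination addresses plus a key id and a secret, a NAT box rewrites the source address on the way out, and the server recomputes from the addresses it actually observes. SHA-256 stands in for MD5, a shared secret stands in for the cookie exchange, and all addresses are constructed sample values. The three scenarios are the ones discussed above: the client using its own private address, the client using a configured external address, and that external address then changing.

```python
"""Constructed model of an address-bound key, as in Autokey, and of what a
NAT box does to it.  Added example: not ntpd's code and not the exact
RFC 5906 derivation (SHA-256 stands in for MD5, and a shared secret stands
in for the cookie exchange)."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample value; in Autokey this role is played by the server's
# private cookie value, which the client learns through the cookie exchange.
SERVER_SECRET = b"constructed-server-private-value"


def derive_key(src_ip: str, dst_ip: str, key_id: int, secret: bytes) -> bytes:
    """Bind a key to the (source, destination) address pair, a key id and the
    secret.  Changing either address changes the key, which is the property
    that makes source rewriting by NAT fatal."""
    h = hashlib.sha256()
    h.update(ipaddress.ip_address(src_ip).packed)
    h.update(ipaddress.ip_address(dst_ip).packed)
    h.update(key_id.to_bytes(4, "big"))
    h.update(secret)
    return h.digest()


@dataclass
class Packet:
    src: str      # source address as it appears in the IP header
    dst: str
    key_id: int
    mac: bytes    # authenticator computed by the sender


def nat_rewrite(pkt: Packet, external_ip: str) -> Packet:
    """Outbound NAT: the private source address in the header is replaced by
    the NAT box's external address.  The payload, including the MAC, is left
    alone, so the MAC no longer matches the header."""
    return Packet(src=external_ip, dst=pkt.dst, key_id=pkt.key_id, mac=pkt.mac)


def client_send(crypto_src: str, real_src: str, server_ip: str, key_id: int) -> Packet:
    """The client computes its MAC over the address it uses for crypto
    (crypto_src): normally its own interface address, or, under the proposed
    workaround, a configured external address.  The packet still leaves the
    host with real_src in the header."""
    mac = derive_key(crypto_src, server_ip, key_id, SERVER_SECRET)
    return Packet(src=real_src, dst=server_ip, key_id=key_id, mac=mac)


def server_verify(pkt: Packet) -> bool:
    """The server only ever sees the addresses on the wire and recomputes
    the key from those."""
    expected = derive_key(pkt.src, pkt.dst, pkt.key_id, SERVER_SECRET)
    return hmac.compare_digest(expected, pkt.mac)


def exchange(crypto_src: str, real_src: str, nat_external: str,
             server_ip: str, key_id: int = 1) -> bool:
    """Run one client -> NAT -> server packet and report whether it verifies."""
    pkt = client_send(crypto_src, real_src, server_ip, key_id)
    on_wire = nat_rewrite(pkt, nat_external)
    return server_verify(on_wire)


if __name__ == "__main__":
    CLIENT, NAT, SERVER = "192.168.1.10", "198.51.100.7", "203.0.113.5"
    # 1. Client behind NAT binds to its private address; the server sees
    #    the NAT address instead.  Verification fails.
    print("behind NAT, own address:   ", exchange(CLIENT, CLIENT, NAT, SERVER))
    # 2. The proposed workaround: client configured with the NAT's external
    #    address.  Works only while that configured value is correct.
    print("behind NAT, configured ext:", exchange(NAT, CLIENT, NAT, SERVER))
    # 3. The external address changes (dynamic NAT): the configured value is
    #    stale and verification fails again.
    print("external address changed:  ", exchange(NAT, CLIENT, "198.51.100.9", SERVER))
```

Scenario 2 is the "use the external IP address of the NAT box for the calculations" idea from the thread; scenario 3 is what happens the moment the external address is not static. The server side cannot tell the stale-configuration case apart from a forged packet, since both simply fail to verify.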