[ntp:hackers] Autokey identity keys
Danny Mayer
mayer at ntp.isc.org
Mon Nov 5 03:32:36 UTC 2007
Hal Murray wrote:
>>> If so, then just using the external IP address of the NAT box
>>> rather than the IP address of the ntpd system when doing the
>>> calculations would construct a packet that will pass inspection
>>> when it gets to the other end or verify as good when a valid
>>> packet arrives.
>
>> Well yes, but what does that buy you?
>
> It allows people behind a NAT box to use Autokey.
>
>
>> It's not really a cookie but it does use the source address at each
>> end. In the case of a NAT it ends up using the source address of
>> the NAT rather than the sending client.
>
> The idea I had in mind was an addition to the config file to specify
> the external IP address of the NAT box so ntpd could use it for the
> crypto calculations wherever it would have used the local IP address.
>
>
> That assumes a static IP Address on the external side of the NAT box.
>
That's an invalid assumption. It's known to be false.
>> I'm not sure what you mean by the it that does the right thing
>> here. For that matter I don't know where you are going with this
>> since NAT breaks the Autokey protocol among many other protocols.
>
> Sorry. What I meant by "it" was the code in my NAT box. It seems to
> handle everything I have tried.
>
Except not muck with your source IP address. That's the one thing it
must *not* do and that's what NAT does.
> I'm not trying to defend NAT, but it is in wide use.
I'm aware of that but we are talking about something that is fundamental
to the way that NAT works.
> It might be
> worth some kludgery to ntpd in order to make autokey work when ntpd
> is behind a NAT box.
>
No, a kludge means that it can be spoofed. That's just not acceptable.
> If I understand things, no changes are required in the protocol.
Umm, it probably will *break* the protocol.
Danny
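The exchange above turns on one mechanism: Autokey derives per-association session keys from the source and destination IP addresses at each end, so a NAT box that rewrites the client's source address makes the two ends compute different keys. The following Python model is an added example, not code from ntpd or from either poster, and it deliberately simplifies the Autokey session-key construction (hash over source address, destination address, key ID and cookie) into a few lines so the address binding is visible. The server address, cookie and packet bytes are constructed sample values; `configured_external` stands in for Hal's hypothetical config-file option naming the NAT's external address, and the last call shows what happens to that option when the external address is not static, which is the point Danny raises.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample values, not from any real deployment.
SERVER_ADDR = "192.0.2.1"
COOKIE = b"constructed-cookie-shared-by-both-ends"


def session_key(src_addr: str, dst_addr: str, key_id: int, cookie: bytes) -> bytes:
    """Simplified model of an address-bound session key: hash over the
    source and destination addresses, a key ID and the cookie. It follows
    the shape of the Autokey construction but is not ntpd's code."""
    h = hashlib.md5()
    h.update(ipaddress.ip_address(src_addr).packed)
    h.update(ipaddress.ip_address(dst_addr).packed)
    h.update(key_id.to_bytes(4, "big"))
    h.update(cookie)
    return h.digest()


def client_mac(payload: bytes, src_addr: str, key_id: int) -> bytes:
    """Client authenticates the packet using the address it believes is its own."""
    key = session_key(src_addr, SERVER_ADDR, key_id, COOKIE)
    return hmac.new(key, payload, hashlib.md5).digest()


def server_accepts(payload: bytes, mac: bytes, observed_src: str, key_id: int) -> bool:
    """Server recomputes the key from the source address it actually sees on the wire."""
    key = session_key(observed_src, SERVER_ADDR, key_id, COOKIE)
    expected = hmac.new(key, payload, hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)


def exchange(local_addr: str, nat_external: str,
             configured_external: Optional[str] = None) -> bool:
    """Simulate one client-to-server packet crossing a NAT box.

    local_addr:          the client's own (private) address.
    nat_external:        the source address the NAT box writes onto the packet.
    configured_external: hypothetical config option naming the NAT's external
                         address; None means the option is not set.
    Returns True if the server's verification succeeds.
    """
    payload = b"constructed ntp packet body"
    addr_for_crypto = configured_external if configured_external else local_addr
    mac = client_mac(payload, addr_for_crypto, key_id=1)
    # The NAT rewrites the source address; the MAC travels unchanged.
    return server_accepts(payload, mac, nat_external, key_id=1)


if __name__ == "__main__":
    print("no NAT:", exchange("198.51.100.9", "198.51.100.9"))
    print("behind NAT, local address used:", exchange("10.0.0.5", "203.0.113.7"))
    print("behind NAT, external address configured:",
          exchange("10.0.0.5", "203.0.113.7", "203.0.113.7"))
    print("external address changed after configuration:",
          exchange("10.0.0.5", "203.0.113.8", "203.0.113.7"))
```

The first call succeeds because both ends see the same source address. The second fails for the reason Danny gives: the client keyed on 10.0.0.5 while the server keyed on 203.0.113.7. The third succeeds only because the configured value happens to equal what the NAT box emits, and the fourth shows that once the NAT's external address changes, the configured value is stale and verification fails again.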