[ntp:questions] Re: Can you test my server please.

Wolfgang S. Rupprecht wolfgang+gnus20041129T141732 at dailyplanet.dontspam.wsrcc.com
Mon Nov 29 22:31:48 UTC 2004


Brad Knowles <brad at stop.mail-abuse.org> writes:
> At 12:52 AM +0000 2004-11-25, Wolfgang S. Rupprecht wrote:
> 
> >  How about this idea: have each client announce it's name and version
> >  number in every request packet.  Unapproved clients get
> >  ignored/kod-ed/sent-the-wrong-time.  For a client to be approved for
> >  serving at pools.ntp.org someone at pools.ntp.org needs to audit and
> >  give their stamp of approval.  Obvious crap code gets laughed at.
> >  Code that later misbehaves even though it looks like it should work
> >  gets its certification pulled.
> 
> 	You're talking about significant changes to the NTP protocol.
> I think that's a non-starter.

Isn't there an optional extension field that could be used to carry a
software name and version string?

> 	Moreover, all claimed version information could be spoofed
> with trivial ease.  If you're going to try to go this route, a better
> way would be to authenticate the clients to the server, but then
> you're talking about a very significant additional load being placed
> on the server -- and more NTP protocol changes.

Yes, it is certainly spoofable.  So is the label on the back of my
jeans.

In order for someone to bother spoofing the version string, there has
a be a reason.  The only one I can think of off the top of my head is
that the code is so hopelessly broken that the author just basically
throws up their hands in disgust and admits defeat.  Code that comes
distributed with a spoofed version string already built in should
raise a lot of people's eyebrows.

I'm just trying to raise the bar a bit and make it easier to identify
who's codebase is broken and make it easier to get in touch with the
author so they can fix it.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
	 When you talk to musicians about pirates they think
		   you are talking about the RIAA.



More information about the questions mailing list