[ntp:questions] notrust alternative?

David L. Mills mills at udel.edu
Sun Nov 5 18:06:06 UTC 2006


Richard,

As I said, the auth switch is enabled by default. See the documentation 
for the definition of ephemeral association and persistent association. 
Persistent associations are mobilized from the configuration file and 
are not affected by the auth switch. Ephemeral associations are 
mobilized upon arrival of a broadcast or symmetric mode message and are 
affected by the auth switch.

See the documentation on the symmetric key and public key cryptography. 
Symmetric key cryptography is not affected by address translation. 
Public key cryptography requires the server and client to have the same 
(interchanged) addresses.

I say again with emphasis. With the default configuration (no disable 
auth) ephemeral associations cannot be mobilized unless authenticated, 
symmetric or public. Earlier on this thread such associations were in 
fact mobilized without authentication, suggesting somebody tampered with 
the default auth setting. It is extremely important that the source of 
this insult be identified; it represents a serious denial of service 
vulnerability.

Dave

Richard B. Gilbert wrote:
> David L. Mills wrote:
> 
>> Richard,
>>
>> You may have misunderstood what the enable/disable auth does. It has 
>> nothing to do with the authentication method or lack of it. If the 
>> switch is enabled (enable auth), then associations cannot be mobilized 
>> unless authentication parameters have been configured and the 
>> symmetric active or broadcast client is correctly authenticated.
> 
> 
> I think I'm still missing something!  I don't have disable auth nor 
> enable auth.  Therefore it defaults to "enable auth".
> 
> Correct so far?
> 
> I have an NTP keys file with symmetric keys that I use only to access 
> the privileged functions of ntpq and ntpdc.  I do not authenticate any 
> server! I am, apparently, able to mobilize associations!  But if I 
> understand you, I should not be able to mobilize associations. "sunblok" 
> and "sunburn" are two servers on my local network.  On "sunblok" I can 
> say "peer sunburn" and on "sunburn" I can say "peer sunblok".  It works!
> 
> Since I am behind a NAT router/firewall on an RFC-1918 private network, 
> my understanding is that your public key authentication scheme cannot be 
> used because the IP address of my machine is not the address seen 
> externally and the IP address of the machine is part of the 
> authentication scheme.
> 
> <snip>




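The two points Mills makes above, that a symmetric-key MAC survives NAT because it covers only the NTP packet while Autokey does not because the addresses are hashed into its cookie, and that with the default `enable auth` an unsolicited symmetric-active or broadcast packet mobilizes an ephemeral association only if it authenticates, are easy to see in a small model. The following is an added example, not code from this thread or from the ntpd sources. It assumes a constructed key table and addresses, uses the ntpd-style symmetric MAC layout (32-bit key ID followed by MD5 over secret || packet, RFC 5905), and the `autokey_style_cookie` function is a simplified, illustrative model of the RFC 5906 cookie whose exact field layout is an assumption; all other names (`would_mobilize_ephemeral`, `nat_rewrite`, `Datagram`) are hypothetical helpers for this example.

```python
"""Added example: NTP symmetric-key MAC under NAT and the 'enable auth' decision.
Not from the ntp:questions thread or ntpd; keys, addresses and the cookie
layout below are constructed for illustration only."""
import hashlib
import hmac
import socket
import struct
from collections import namedtuple

MODE_SYMMETRIC_ACTIVE = 1      # NTP mode values (RFC 5905)
MODE_CLIENT = 3
MODE_BROADCAST = 5
NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16               # 32-bit key ID + 128-bit MD5 digest

# Constructed ntp.keys-style table (key ID -> secret) and 'trustedkey' list.
KEYS = {1: b"example-shared-secret-do-not-use"}   # constructed, not a real key
TRUSTED_KEYS = {1}

# A datagram as the kernel hands it to ntpd: addresses plus NTP payload.
Datagram = namedtuple("Datagram", "src dst payload")


def build_ntp_header(mode, version=4):
    """Minimal 48-byte NTP header carrying only LI/VN/mode; rest zeroed."""
    return bytes([(version << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)


def ntp_mode(payload):
    return payload[0] & 0x07


def symmetric_mac(keyid, packet):
    """ntpd-style symmetric MAC: key ID || MD5(secret || NTP packet).
    Note that nothing from the IP header is part of the digest input."""
    digest = hashlib.md5(KEYS[keyid] + packet).digest()
    return struct.pack("!I", keyid) + digest


def sign_packet(packet, keyid):
    return packet + symmetric_mac(keyid, packet)


def verify_packet(payload):
    """Return the key ID that authenticates the payload, or None."""
    if len(payload) < NTP_HEADER_LEN + MAC_LEN:
        return None                            # no MAC present at all
    body, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
    keyid = struct.unpack("!I", mac[:4])[0]
    if keyid not in KEYS or keyid not in TRUSTED_KEYS:
        return None                            # unknown or untrusted key ID
    if not hmac.compare_digest(symmetric_mac(keyid, body), mac):
        return None                            # digest mismatch (tampered or wrong key)
    return keyid


def would_mobilize_ephemeral(dgram, auth_enabled=True):
    """The decision the auth switch controls for an unsolicited packet.
    Persistent associations come from the config file and never pass here."""
    if ntp_mode(dgram.payload) not in (MODE_SYMMETRIC_ACTIVE, MODE_BROADCAST):
        return False            # only these modes mobilize ephemeral associations
    if not auth_enabled:
        return True             # 'disable auth': any host on the wire can add a peer
    return verify_packet(dgram.payload) is not None


def nat_rewrite(dgram, new_src):
    """Source NAT as seen by the far end: the address changes, the payload does not."""
    return Datagram(new_src, dgram.dst, dgram.payload)


def autokey_style_cookie(src, dst, server_private):
    """Simplified model of an Autokey cookie (field layout is an assumption):
    the endpoint addresses are digest inputs, so a NAT-rewritten source
    produces a different value than the one the client derives."""
    data = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!I", 0)
    return hashlib.md5(data + server_private).digest()


if __name__ == "__main__":
    signed = sign_packet(build_ntp_header(MODE_SYMMETRIC_ACTIVE), keyid=1)
    inside = Datagram("192.168.1.10", "203.0.113.5", signed)      # RFC 1918 host
    outside = nat_rewrite(inside, "198.51.100.7")                   # after the NAT box
    print("symmetric MAC verifies after NAT:", verify_packet(outside.payload) == 1)
    print("cookie identical after NAT:",
          autokey_style_cookie(inside.src, inside.dst, b"srv")
          == autokey_style_cookie(outside.src, outside.dst, b"srv"))
    bcast = Datagram("192.168.1.20", "224.0.1.1", build_ntp_header(MODE_BROADCAST))
    print("unauthenticated broadcast mobilizes, enable auth:", would_mobilize_ephemeral(bcast))
    print("unauthenticated broadcast mobilizes, disable auth:",
          would_mobilize_ephemeral(bcast, auth_enabled=False))
```

The last two lines of the demo are the denial-of-service point in the message: with `disable auth`, an unauthenticated broadcast or symmetric-active packet from any host on the segment creates an association on the receiver, so if ephemeral associations appear without keys configured, the auth switch is the first thing to check.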