[ntp:questions] notrust alternative?
David L. Mills
mills at udel.edu
Sun Nov 5 18:06:06 UTC 2006
Richard,
As I said, the auth switch is enabled by default. See the documentation
for the definition of ephemeral association and persistent association.
Persistent associations are mobilized from the configuration file and
are not affected by the auth switch. Ephemeral associations are
mobilized upon arrival of a broadcast or symmetric mode message and are
affected by the auth switch.
See the documentation on symmetric key and public key cryptography.
Symmetric key cryptography is not affected by address translation.
Public key cryptography requires the server and client to have the same
(interchanged) addresses.
I say again with emphasis. With the default configuration (no disable
auth) ephemeral associations cannot be mobilized unless authenticated,
symmetric or public. Earlier on this thread such associations were in
fact mobilized without authentication, suggesting somebody tampered with
the default auth setting. It is extremely important that the source of
this insult be identified; it represents a serious denial of service
vulnerability.
Dave
Richard B. Gilbert wrote:
> David L. Mills wrote:
>
>> Richard,
>>
>> You may have misunderstood what the enable/disable auth does. It has
>> nothing to do with the authentication method or lack of it. If the
>> switch is enabled (enable auth), then associations cannot be mobilized
>> unless authentication parameters have been configured and the
>> symmetric active or broadcast client is correctly authenticated.
>
>
> I think I'm still missing something! I don't have disable auth nor
> enable auth. Therefore it defaults to "enable auth".
>
> Correct so far?
>
> I have an NTP keys file with symmetric keys that I use only to access
> the privileged functions of ntpq and ntpdc. I do not authenticate any
> server! I am, apparently, able to mobilize associations! But if I
> understand you, I should not be able to mobilize associations. "sunblok"
> and "sunburn" are two servers on my local network. On "sunblok" I can
> say "peer sunburn" and on "sunburn" I can say "peer sunblok". It works!
>
> Since I am behind a NAT router/firewall on an RFC-1918 private network,
> my understanding is that your public key authentication scheme cannot be
> used because the IP address of my machine is not the address seen
> externally and the IP address of the machine is part of the
> authentication scheme.
>
> <snip>
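The distinction Dave draws above (persistent associations from the configuration file are not gated by the auth switch, ephemeral ones mobilized by incoming broadcast or symmetric packets are, and the switch defaults to enabled) is the kind of thing worth checking mechanically when a box starts mobilizing associations it should not. The script below is an added example for this thread, not code from ntpd or the NTP distribution: it audits an ntp.conf fragment for a `disable auth` line, for persistent associations configured without a `key`, and for key ids used on association lines that are missing from `trustedkey`. The two configuration fragments inside it are constructed to mirror Richard's setup; the keyword-to-association mapping and the assumption that `trustedkey` is a plain list of key ids are mine, not the original post's.

```python
"""Audit an ntp.conf fragment for the state of the 'auth' switch and for
associations configured without symmetric-key authentication.

Added illustration for the thread above; not part of ntpd or the NTP
distribution.  Assumptions (not in the original post): the keyword-to-
association mapping below, and 'trustedkey' given as a plain list of ids.
"""

# Constructed sample modelled on the situation in the thread: symmetric keys
# used only for ntpq/ntpdc, peers configured without 'key', and a
# 'disable auth' line that somebody added.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp.keys
trustedkey 1 2
controlkey 1
requestkey 2
disable auth          # ntpd default is 'enable auth'
peer sunburn
server 0.pool.ntp.org iburst
broadcastclient
"""

# Constructed hardened version: auth left at its default, every persistent
# association given a key, one key id deliberately left out of 'trustedkey'.
HARDENED_CONF = """\
keys /etc/ntp.keys
trustedkey 1 2 3
controlkey 1
requestkey 2
peer sunburn key 3
server 0.pool.ntp.org key 4
"""

# Assumption: these keywords create persistent associations from the config
# file (not gated by the auth switch); the second set only admits ephemeral
# associations mobilized by incoming broadcast/symmetric packets (gated by it).
PERSISTENT = {"peer", "server", "pool", "broadcast", "manycastclient"}
EPHEMERAL_ENABLERS = {"broadcastclient", "multicastclient", "manycastserver"}


def parse_conf(text):
    """Split a config into token lists, dropping '#' comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line.split())
    return entries


def audit(text):
    """Return a dict of authentication findings for the config text."""
    auth_enabled = True        # ntpd default when neither enable/disable line is present
    trusted = set()
    persistent_unauth = []     # persistent associations configured with no key
    key_refs = []              # (host, keyid) pairs used on association lines
    ephemeral_enablers = []

    for toks in parse_conf(text):
        kw = toks[0]
        if kw in ("enable", "disable") and "auth" in toks[1:]:
            auth_enabled = (kw == "enable")
        elif kw == "trustedkey":
            trusted.update(int(t) for t in toks[1:] if t.isdigit())
        elif kw in PERSISTENT and len(toks) > 1:
            host = toks[1]
            if "autokey" in toks:
                continue       # public-key (Autokey) association; not checked here
            if "key" in toks and toks.index("key") + 1 < len(toks):
                key_refs.append((host, int(toks[toks.index("key") + 1])))
            else:
                persistent_unauth.append(host)
        elif kw in EPHEMERAL_ENABLERS:
            ephemeral_enablers.append(kw)

    # Resolve key references after the loop so 'trustedkey' may appear anywhere.
    untrusted_refs = [(h, k) for h, k in key_refs if k not in trusted]
    return {
        "auth_enabled": auth_enabled,
        "persistent_unauthenticated": persistent_unauth,
        "untrusted_key_refs": untrusted_refs,
        # Ephemeral associations are only a finding when the switch is off.
        "ephemeral_unauthenticated": ephemeral_enablers if not auth_enabled else [],
    }


def report(text):
    """Render the findings one per line, as an audit script would print them."""
    f = audit(text)
    lines = []
    if not f["auth_enabled"]:
        lines.append("auth switch is DISABLED: default tampered with; "
                     "ephemeral associations will mobilize unauthenticated")
    for kw in f["ephemeral_unauthenticated"]:
        lines.append(f"{kw}: accepts unauthenticated ephemeral associations")
    for host in f["persistent_unauthenticated"]:
        lines.append(f"{host}: persistent association without a key "
                     "(mobilizes regardless of the auth switch)")
    for host, keyid in f["untrusted_key_refs"]:
        lines.append(f"{host}: key {keyid} is not listed in trustedkey")
    return lines


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        print("\n".join(report(conf)) or "no findings")
```

Run against the first fragment it flags the `disable auth` line, the `broadcastclient` that would now admit unauthenticated ephemeral associations, and the two persistent associations that carry no key; against the second it reports only that `key 4` on the `server` line is absent from `trustedkey`, which is exactly the misconfiguration that makes a `key` clause silently useless.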