[ntp:questions] Iff replaced by TC

Bartholome, Alain alain.bartholome at eads.com
Wed May 13 08:16:30 UTC 2009


Hi,

 

Suppose the following configuration is running, with IFF for each host.

Trusted_1 (group 1)
    |
Server1
    |
Server2
    |
Trusted_2 (group 2)
    |
Server3
    |
Client1

 

 

Suppose server3 is replaced by a spoofer, server3_spoofer, which has the
client group2 key but does not have the server group2 key.

Server3_spoofer restarts; IFF is supported on its association with
trusted_2.

Until client1 restarts or until the new server authentication occurs,
Server3_spoofer does not have the cookie, so it will not synchronize client1.

If client1 restarts, TC instead of IFF will be used, and client1 will be
synchronized by Server3_spoofer.

The need here is to prevent any time synchronization if TC is used instead
of IFF.

As IFF cannot be enforced with the ntp configuration, must the ntpq flags be
checked at least after each restart?

 

 

 

Regards,

Alain.

Alain BARTHOLOMÉ
EADS Defence and Security
MetaPole
1 Boulevard Jean Moulin
CS 40001
78996 ELANCOURT CEDEX
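
A flag check of the kind the post asks about, as an added example that is not part of the original message. It assumes the `flags` variable in `ntpq -c "rv <assid>"` output carries the Autokey identity-scheme bits for the association and that the bit values match ntpd's `ntp_crypto.h`; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Bit values are assumed from ntpd's ntp_crypto.h; confirm them for your build.
CRYPTO_FLAG_IFF=0x0020   # IFF identity scheme
CRYPTO_FLAG_MASK=0x00f0  # all identity-scheme bits (PC, IFF, GQ, MV)
CRYPTO_FLAG_VRFY=0x0200  # identity verified

# Constructed samples of `ntpq -c "rv <assid>"` output, trimmed to a few fields.
SAMPLE_IFF='srcadr=server3, stratum=3, flags=0x83f21, reach=377'
SAMPLE_TC='srcadr=server3, stratum=3, flags=0x83f01, reach=377'
SAMPLE_NOKEY='srcadr=server3, stratum=3, reach=377'

# extract_flags: read rv output on stdin, print the hex value of flags= (if any).
extract_flags() {
    tr ', ' '\n\n' |
        sed -n 's/^flags=\(0x[0-9a-fA-F][0-9a-fA-F]*\)$/\1/p' |
        head -n 1
}

# iff_verified: read rv output on stdin.
#   0 = identity verified and IFF is the only scheme bit set
#   1 = flags present but no verified IFF (for example TC only, no scheme bit)
#   2 = no flags variable at all (association is not using Autokey)
iff_verified() {
    flags=$(extract_flags)
    [ -n "$flags" ] || return 2
    [ $(( $flags & $CRYPTO_FLAG_VRFY )) -ne 0 ] || return 1
    [ $(( $flags & $CRYPTO_FLAG_MASK )) -eq $(( $CRYPTO_FLAG_IFF )) ] || return 1
    return 0
}

# Live use after a restart (assumes ntpq is on PATH and $assid is known):
#   ntpq -c "rv $assid" | iff_verified || echo "server not IFF-verified" >&2
for sample in "$SAMPLE_IFF" "$SAMPLE_TC" "$SAMPLE_NOKEY"; do
    if printf '%s\n' "$sample" | iff_verified; then
        echo "IFF verified: $sample"
    else
        echo "NOT IFF-verified: $sample"
    fi
done
```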

 



