[ntp:questions] Iff replaced by TC
Bartholome, Alain
alain.bartholome at eads.com
Wed May 13 08:16:30 UTC 2009
Hi,
Suppose the following configuration is running, with IFF for each host.
Trusted_1 (group 1)
|
Server 1
|
Server2
|
Trusted_2 (group 2)
|
Server3
|
Client1
Suppose server3 is replaced by a spoofer, server3_spoofer, which has the
client group2 key and does not have the server group2 key.
Server3_spoofer restarts; IFF is supported on its association with
trusted_2.
Until client1 restarts or until the new server authentication occurs,
Server3_spoofer does not have the cookie so it will not synchronize client1.
If client1 restarts, TC instead of IFF will be used, and client1 will be
synchronized by Server3_spoofer.
The need here is to prevent any time synchronization if TC is used instead
of IFF.
As IFF cannot be enforced with ntp configuration, the ntpq flags must be
checked at least after each restart?
Regards,
Alain.
Alain BARTHOLOMÉ
EADS Defence and Security
MetaPole
1 Boulevard Jean Moulin
CS 40001
78996 ELANCOURT CEDEX
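
The flag check the message asks about could be scripted as below. This is an added example, not part of the original post and not code from the NTP project. The bit values are assumptions taken from ntpd's `ntp_crypto.h`, the function names are hypothetical, and the sample `ntpq` output is constructed.

```shell
#!/bin/sh
# Classify the Autokey identity scheme of one association from the
# "flags" peer variable reported by ntpq.
# ASSUMPTION: bit values as defined in ntpd's ntp_crypto.h; confirm them
# against the source of the ntpd version actually deployed.
CRYPTO_FLAG_IFF=0x0020    # IFF identity scheme negotiated
CRYPTO_FLAG_MASK=0x00f0   # all identity-scheme bits (PC, IFF, GQ, MV)
CRYPTO_FLAG_VRFY=0x0200   # identity verified

# extract_flags TEXT: print the hex value of flags= found in ntpq output.
extract_flags() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# classify_flags HEX: print IFF_VERIFIED, IFF_UNVERIFIED, OTHER_SCHEME or
# TC_ONLY (no identity-scheme bit set, i.e. trusted certificate only).
classify_flags() {
    scheme=$(( $1 & $CRYPTO_FLAG_MASK ))
    if [ "$scheme" -eq 0 ]; then
        echo TC_ONLY
    elif [ $(( $1 & $CRYPTO_FLAG_IFF )) -eq 0 ]; then
        echo OTHER_SCHEME
    elif [ $(( $1 & $CRYPTO_FLAG_VRFY )) -eq 0 ]; then
        echo IFF_UNVERIFIED
    else
        echo IFF_VERIFIED
    fi
}

# check_peer TEXT: exit status 0 only when IFF was negotiated and verified.
check_peer() {
    flags=$(extract_flags "$1")
    [ -n "$flags" ] || { echo "NO_FLAGS"; return 2; }
    state=$(classify_flags "$flags")
    echo "$state $flags"
    [ "$state" = IFF_VERIFIED ]
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_IFF='associd=12345 status=f614 conf, authenb, auth, reach, sel_sys.peer,
flags=0x87f21'
SAMPLE_TC='associd=12345 status=f614 conf, authenb, auth, reach, sel_sys.peer,
flags=0x87f01'

# Live use after each restart (ASSOC is the association ID from "ntpq -c as"):
#   check_peer "$(ntpq -c "rv $ASSOC flags")" || logger -p auth.warning \
#       "Autokey association $ASSOC is not using verified IFF"
```

A non-zero exit from `check_peer` is the condition to alert on, or to use as the trigger for stopping ntpd on the client until the association is investigated.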