[ntp:questions] Will AutoKey setup work on a NAT host behind a firewall?

Harry simonsharry at gmail.com
Tue Nov 9 06:10:54 UTC 2010


Hello,

I want to employ the AutoKey method of securing NTP.

Basically, I want one host that would act as an NTP client of an
external NTP server, talking AutoKey. This NTP client is to become the
NTP server for other hosts on the intranet. All these hosts are behind
a corporate firewall and are very likely using NAT / IP masquerading
as well. (I can tell NAT / IP masquerading is in use in our
environment because all hosts report the same IP address at
http://www.whatismyipaddress.com.)

I ask this question because I ran into a circa 2004 link
(http://www.ecsirt.net/tools/crypto-ntp.html) that says,
    Be Aware!
    Before we start building ntpd, one important notice:
    NTP with Autokey does not work from a host that is behind a
    masquerading or NAT host!

Is this a conceptual / fundamental limitation, or something related to
the NTP version? If the latter, I'm hoping that it would probably have
been fixed by now.

If AutoKey and NAT don't go together conceptually, what would be my
next best option for securing NTP? The MD5 method is there, but it is
symmetric cryptography and prone to man-in-the-middle attacks... which
is why, btw, I was hoping to be able to employ AutoKey.

Many thanks,
/HS
