[ntp:questions] Will AutoKey setup work on a NAT host behind a firewall?

Steve Kostecke kostecke at ntp.org
Wed Nov 10 16:36:05 UTC 2010


On 2010-11-10, Harry <simonsharry at gmail.com> wrote:

> 1. What, then, would be the next best way (MD5-based symmetric key
> mode?) to syncing up a behind-NAT NTP client from an external NTP
> server in a tamper-proof manner? I'm not competent/powerful enough to
> advise the powers that be in my organization to have an Autokey NTP
> client outside our NAT/Firewall; most likely, I'll be told to continue
> to operate from behind the NAT/Firewall.

Which associations are you attempting to "secure"? LAN client to LAN
server? LAN server to remote time server?

> 2. What physical/network setup should Autokey-desiring NTP clients
> follow? Is it OK, e.g., to have an Autokey client host (AkH)

To keep your terminology consistent with the documentation:

s/Autokey client host/Trust Group Server/

> outside one's NAT network and have all the hosts inside the NAT
> network use AkH as an NTP server?

An NTP Trust Group using AutoKey cannot span NAT. So your local NTP
server has to have an interface "inside" the NAT if the Trust Group is
your NTP server and LAN clients.

Your local NTP server must have an interface outside the NAT if the
Trust Group is your NTP server and a remote time server.

Here are Dr. Mills' PowerPoint slides describing the NTP Security Model:

http://www.ece.udel.edu/~mills/database/brief/autokey/autokey.ppt

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
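
Added example (not part of the original message and not code from the NTP project): a simplified Python model of the Autokey key derivation in RFC 5906, where the cookie and the per-packet key are MD5 hashes over the source and destination IP addresses, showing why an association fails once NAT rewrites the client address. The addresses, seed, key ID, header bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

SERVER = "192.0.2.10"        # constructed: remote time server
NAT_PUBLIC = "198.51.100.7"  # constructed: address the server sees after NAT
CLIENT_LAN = "10.0.0.5"      # constructed: client's own address behind NAT
SEED = b"\x5a\xa5\x3c\xc3"   # constructed: private server seed


def _h(src: str, dst: str, key_id: int, secret: bytes) -> bytes:
    """MD5 over source address, destination address, key ID and a secret."""
    return hashlib.md5(
        ipaddress.ip_address(src).packed
        + ipaddress.ip_address(dst).packed
        + struct.pack("!I", key_id)
        + secret
    ).digest()


def server_cookie(client_seen: str, server: str, seed: bytes) -> bytes:
    """Cookie the server derives from the client address it sees on the wire."""
    return _h(client_seen, server, 0, seed)[:4]


def autokey(src: str, dst: str, key_id: int, cookie: bytes) -> bytes:
    """Per-packet MAC key; both ends must hash the same address pair."""
    return _h(src, dst, key_id, cookie)


def request_verifies(client_local: str, client_seen: str, server: str,
                     seed: bytes, key_id: int = 0x1F2E3D4C) -> bool:
    """True if the MAC the client attaches matches what the server recomputes."""
    cookie = server_cookie(client_seen, server, seed)
    header = b"\x23" + bytes(47)  # constructed 48-byte NTP header
    # Client keys the MAC with the address configured on its own interface.
    sent = hashlib.md5(autokey(client_local, server, key_id, cookie) + header)
    # Server keys the MAC with the source address of the received packet.
    want = hashlib.md5(autokey(client_seen, server, key_id, cookie) + header)
    return hmac.compare_digest(sent.digest(), want.digest())


if __name__ == "__main__":
    print("no NAT :", request_verifies(NAT_PUBLIC, NAT_PUBLIC, SERVER, SEED))
    print("via NAT:", request_verifies(CLIENT_LAN, NAT_PUBLIC, SERVER, SEED))
```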
