Date: Mon, 24 Feb 2014 15:34:02 +0000 From: Joe Holden <lists@rewt.org.uk> To: freebsd-current@freebsd.org Subject: Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent) Message-ID: <530B666A.1000800@rewt.org.uk> In-Reply-To: <45248.1393249947@critter.freebsd.dk> References: <20140223211155.GS1699@ithaqua.etoilebsd.net> <CAFY7cWBh0ThajQpK4wZYj0wPrhTL608wtNDQNvOLnryjp4_jCg@mail.gmail.com> <530B13CA.6000005@rewt.org.uk> <33612.1393235765@critter.freebsd.dk> <20140224100036.GA1699@ithaqua.etoilebsd.net> <530B2500.5030608@rewt.org.uk> <37319.1393239415@critter.freebsd.dk> <530B2750.3050200@rewt.org.uk> <20140224110842.GA83610@ithaqua.etoilebsd.net> <530B2953.3030901@rewt.org.uk> <20140224111745.GA13864@roberto-aw.eurocontrol.fr> <530B2C7E.3050208@rewt.org.uk> <530B2DEE.3030808@rewt.org.uk> <45248.1393249947@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 24/02/2014 13:52, Poul-Henning Kamp wrote: > In message <530B2DEE.3030808@rewt.org.uk>, Joe Holden writes: > >> The other point I should make here is that if you care that much about >> time security you shouldn't be contacting ntp servers over 3rd party >> networks anyway, at least not without some IP-level >> encryption/authentication, or use a source that can't easily be used as >> an attack surface, such as GPS/MSF etc. > > Please check how NTP is authenticated before giving bad advice, > it's all in the RFC. > v3 or v4? It is an optional part of the spec in both cases and again isn't required for 99% of people using ntpd as a client, which was the entire point of this exercise in the first place. If the argument is that X feature is missing then we may as well replace sendmail with exim as it has even more features, for example. But most importantly, explain how it was bad advice? There are provisions for integrity checking (not authentication) and autokey. My point was that if you need to authenticate ntp to avoid mitm-style attacks then perhaps the setup you have is wrong. If there is something huge I have missed then feel free to correct me!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?530B666A.1000800>