Date: Mon, 22 Dec 2014 11:10:19 -0800
From: jungle Boogie <jungleboogie0@gmail.com>
To: Mark Felder <feld@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Message-ID: <CAKE2PDvvtHWYkN%2B4O0us%2BNc227mYVJMz=_DeHR14VRRYgETfhA@mail.gmail.com>
In-Reply-To: <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>
 <B6AF154A-FE22-4357-9031-91D661FD7E57@localhost.lu>
 <F7FACD2F-3AFE-4717-B4B9-B54A6FC70458@localhost.lu>
 <201412221745.KAA28186@mail.lariat.net>
 <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>

Hi Mark,

On 22 December 2014 at 11:02, Mark Felder <feld@freebsd.org> wrote:
> On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
>> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
>> have none of the fixed or unfixed (!) vulnerabilities that are
>> present in ntpd. There's already a port.
>>
>
> Historically OpenNTPD has been dismissed as a candidate because of its
> reduced accuracy and missing security features. For example, it doesn't
> implement the NTPv4 functionality or authentication.
>
> Quite literally the OpenNTPD is vulnerable to a MITM attack because of
> the lack of authentication. Their stance has been that you should trust
> your NTP servers and suggest using a VPN for the NTP traffic. Probably
> not a bad idea, honestly.

Would you say a MITM attack is similar to a forged ntp reply?
If so, have you seen this:
http://quigon.bsws.de/papers/opencon04/ntpd/mgp00018.html

>
> I don't have a qualified opinion, but that should get you on the right
> track if you want to research further.

-- 
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si
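
The authentication discussed in this thread, as an added example that is not part of the original messages and is not code from ntpd or OpenNTPD: a client-side check of an NTP reply, first by origin timestamp only, then with the RFC 5905 symmetric-key MAC (key ID followed by MD5 of key plus packet). The key, key ID, timestamps and packets are constructed for illustration, and the function names are hypothetical.

```python
# Added example: key, key ID and packets are constructed; not ntpd or OpenNTPD code.
import hashlib
import hmac
import struct

KEY_ID, KEY = 1, b"constructed-shared-secret"  # hypothetical shared key

def ntp_header(mode, origin_ts, transmit_ts):
    """48-byte NTPv4 header; fields not needed here are left at fixed values."""
    li_vn_mode = (4 << 3) | mode  # LI=0, VN=4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, 2, 6, -20, 0, 0,
                       b"\0" * 4, 0, origin_ts, 0, transmit_ts)

def add_mac(packet, key_id, key):
    """Append key ID + MD5(key || packet): the RFC 5905 symmetric-key MAC."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()

def check_reply(reply, sent_transmit_ts, keys=None):
    """Return 'accept' or the reason a server reply is rejected."""
    if len(reply) < 48:
        return "short packet"
    header, mac = reply[:48], reply[48:]
    # The reply must echo the transmit timestamp of our request (bytes 24..31).
    if struct.unpack("!Q", header[24:32])[0] != sent_transmit_ts:
        return "origin timestamp mismatch"
    if keys is None:
        return "accept"  # client with no keys configured: nothing more to check
    if len(mac) != 20:
        return "missing MAC"
    key = keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:
        return "unknown key ID"
    expected = hashlib.md5(key + header).digest()
    return "accept" if hmac.compare_digest(expected, mac[4:]) else "bad MAC"

def demo():
    t1 = 0xD83F4A1B9C000000  # constructed transmit timestamp of the client request
    keys = {KEY_ID: KEY}
    genuine = add_mac(ntp_header(4, t1, t1 + 5), KEY_ID, KEY)
    blind = ntp_header(4, 0x1111, 0x2222)          # sender never saw the request
    copied = ntp_header(4, t1, t1 + (3600 << 32))  # sender saw it, holds no key
    wrong_key = add_mac(copied, KEY_ID, b"not-the-shared-key")
    return {
        "blind, no auth": check_reply(blind, t1),
        "copied origin, no auth": check_reply(copied, t1),
        "copied origin, auth": check_reply(copied, t1, keys),
        "wrong key, auth": check_reply(wrong_key, t1, keys),
        "genuine, auth": check_reply(genuine, t1, keys),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```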