Date: Fri, 29 Apr 2016 17:44:28 -0700 (PDT) From: Roger Marquis <marquis@roble.com> To: Charles Swiger <cswiger@mac.com> Cc: freebsd-security <freebsd-security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp In-Reply-To: <28698FCA-CEAB-4A0F-9F12-57FCCD871E1E@mac.com> References: <20160429082953.DB31D1769@freefall.freebsd.org> <9e6342a420259fec7bd21d6222cc6e05@zahemszky.hu> <1461929003.67736.2.camel@yandex.com> <CINIP100NTSBSRqf69a0000002a@cinip100ntsbs.irtnog.net> <BABF8C57A778F04791343E5601659908237051@cinip100ntsbs.irtnog.net> <0O6F002Z65WLUS40@mr28p00im-smtpin028.me.com> <28698FCA-CEAB-4A0F-9F12-57FCCD871E1E@mac.com>
| previous in thread | raw e-mail | index | archive | help
>> Who needs millisecond accuracy anyway? > >Cell phones, cell phone towers, computers handling financial transactions, etc. I manage security for several dozen FreeBSD computers handling financial transactions and they all run openntpd in client-only mode. It was the only way we could avoid an absolute deluge of security incident tickets from corp scanning (mainly Nessus). These hosts, as well as cell phone towers, etc may be reasons for keeping isc ntpd as a port but do not support a case for keeping it in base. >> perhaps, for those sites that need to run ntpd for one of the reasons >> listed above but again, that's a tiny fraction of the installed base. Most >> FreeBSD systems only need to query a timehost, not to be a time server. > > Your data for that? Are you seriously proposing that most FreeBSD installations need to serve as timeservers? > openntpd implements SNTPv4 and not the NTPv4 protocol. The extra sanity checking > in the latter helps detect and mitigate against falsetickers, which is why folks > continue to use NTP and ntpd rather than rdate or SNTP implementations like openntpd. And your data for that? I'd personally be surprised if most devops were familiar with the differences between SNTPv4 and NTPv4. OTOH openntpd's ntpd.conf does provide a "constraints from" directive which will query one or more http/https sites and use the resulting timestamps to reject ntp responses outside of a range near the constraint. This is a nice OOB feature not found in base ntpd. Roger
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?>