From owner-freebsd-stable Sat Aug 11 8:41:10 2001
From: "Louis A. Mamakos"
To: "Brandon S. Allbery KF8NH"
Cc: Lamont Granquist, "'freebsd-stable@freebsd.org'"
Subject: Re: (OT) Re: NTPD in upcoming release?
Date: Sat, 11 Aug 2001 11:40:58 -0400
Message-Id: <200108111540.f7BFewn01097@whizzo.transsys.com>
In-reply-to: Your message of "Sat, 11 Aug 2001 09:29:21 EDT." <13790000.997536561@vpn48.ece.cmu.edu>
References: <20010810221054.F26163-100000@coredump.scriptkiddie.org> <13790000.997536561@vpn48.ece.cmu.edu>

> On Friday, August 10, 2001 22:22:05 -0700, Lamont Granquist
> wrote:
> +-----
> | It's an ugly, ugly, ugly hack that needs to be replaced with something much
> | more robust. I agree. But you know tomorrow you could have security
> | holes in both IIS and ntp released, and some asshole could adapt code red
> | to it with a secondary payload that attacked ntpd servers and executed "rm
> | -rf /" That'd probably really suck.
> +--->8
>
> In a sense, the real hack is syncing time over the Internet. The "correct"
> fix is to sync to commonly available and inexpensive GPS clocks, use NTP
> only within an internal network, and block NTP packets from outside the
> network completely (if ntpd's own code isn't trusted for this, stick a
> hosts_access() call immediately after the packet receive).

No, what NTP does is set the time of your system to the *correct* time, and
not just synchronized to some other clock. There's an advantage to peering
with multiple clocks so that you can detect an insane/broken clock, even one
based on using a GPS receiver that you might own. The algorithms for peer
selection are every bit as important as the ones which determine offset and
delay times.

louie
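Louie's point, that peering with several clocks lets you vote out an insane one even when it is your own GPS receiver, is what NTP's intersection (clock-select) step does. The following is an added example in Python, not code from this thread or from ntpd: a simplified version of that interval-intersection algorithm run over constructed peer offsets; the peer names and numbers are made up.

```python
# Simplified NTP intersection (clock-select) algorithm; constructed example,
# not ntpd's code. Each peer reports an offset and a root distance bounding
# its error, so true time should lie in [offset - dist, offset + dist]. The
# largest majority clique of overlapping intervals are the truechimers.

def intersection_interval(peers):
    """(low, high) of the majority intersection, or None if no majority."""
    n = len(peers)
    endpoints = []
    for offset, dist in peers.values():
        endpoints.append((offset - dist, -1))  # lower bound, tagged -1
        endpoints.append((offset + dist, +1))  # upper bound, tagged +1
    endpoints.sort()
    allow = 0                        # falsetickers tolerated so far
    while allow * 2 < n:             # a majority must still agree
        need, chime, low, high = n - allow, 0, None, None
        for value, tag in endpoints:             # ascending scan -> low
            chime -= tag
            if chime >= need:
                low = value
                break
        chime = 0
        for value, tag in reversed(endpoints):   # descending scan -> high
            chime += tag
            if chime >= need:
                high = value
                break
        if low is not None and high is not None and low < high:
            return low, high
        allow += 1
    return None

def classify_peers(peers):
    """Split peers into (truechimers, falsetickers); no majority: trust nobody."""
    window = intersection_interval(peers)
    if window is None:
        return [], sorted(peers)
    low, high = window
    true_, false_ = [], []
    for name, (offset, dist) in sorted(peers.items()):
        if offset + dist < low or offset - dist > high:  # wholly outside
            false_.append(name)
        else:
            true_.append(name)
    return true_, false_

# Constructed sample: four peers agree within tens of ms; the owner's GPS is
# 850 ms off yet advertises a 2 ms error bound, so it gets voted out.
SAMPLE_PEERS = {"gps-own": (0.850, 0.002), "peer-a": (0.001, 0.010),
                "peer-b": (-0.003, 0.015), "peer-c": (0.004, 0.020),
                "peer-d": (0.010, 0.030)}
```

With only two peers that disagree there is no majority, and classify_peers marks both as falsetickers rather than picking one.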