Re: NTP Md5 or AutoKey?

From: Glen Kent (no email)
Date: Tue Nov 04 2008 - 03:47:26 EST

  • Next message: Lincoln Dale: "RE: NTP Md5 or AutoKey?"

    I don't think this is correct.

    I have seen routing protocol adjacencies going down because of some
    perturbations in NTP. I understand, any router implementation worth
    its salt would not use the NTP clock internally, but I have seen some
    real life issues where OSPF went down because the time moved ahead and
    it thought that it hadn't heard from the neighbor for a long time.

    All such bugs were eventually fixed, but this is just one example.

    There is an emerging need to distribute highly accurate time
    information over IP and over MPLS packet switched networks (PSNs). A
    variety of applications require time information to a precision which
    existing protocols cannot supply. TICTOC is an IETF WG created to
    develop solutions that meet the requirements of such protocols and


    > On Tue, Nov 4, 2008 at 12:22 PM, <> wrote:
    > On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
    >> I'm just wondering -- in global scheme of security issue, is NTP
    >> security a major issue?
    > The biggest problem is that you pretty much have to spoof a server that
    > the client is already configured to be accepting NTP packets from. And *then* you have to
    > remember that your packets can only lie about the time by a very small number
    > of milliseconds or they get tossed out by the NTP packet filter that measures
    > the apparent jitter. Remember, the *real* clock is also sending correct
    > updates. At *best*, you lie like hell, and get the clock thrown out as
    > an "insane" timesource. But at that point, a properly configured clock
    > will go on autopilot till a quorum of sane clocks reappears, so you don't
    > have much chance of wedging in a huge time slew (unless you *really* hit
    > the jackpot, and the client reboots and does an ntpdate and you manage to
    > cram in enough false packets to mis-set the clock then).
    > So in most cases, you can only push the clock around by milliseconds - and
    > that doesn't buy you very much room for a replay attack or similar, because
    > that's under the retransmit timeout for a lost packet. It isn't like you
    > can get away with replaying something from 5 minutes ago.
    > Now, if you wanted to be *dastardly*, you'd figure out where a site's
    > Stratum-1 server(s) have their GPS antennas, and you'd read the recent
    > research on spoofing GPS signals - at *that* point you'd have a good chance
    > of controlling the horizontal and vertical....
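The two mechanisms discussed in this exchange, as an added example that is not part of the original thread: a simplified majority-agreement step standing in for ntpd's selection of "sane" sources (a lone source reporting a wildly different offset is rejected, while a lie within the tolerance only shifts the result by milliseconds, and with no quorum the client free-runs instead of stepping), and a neighbor dead-interval check keyed to the wall clock versus a monotonic clock, which is the class of bug behind an adjacency dropping after a time step. The peer offsets, tolerance, timestamps and the `Peer`/`select_truechimers`/`combined_offset_ms`/`simulate_time_step` names are constructed for illustration and do not reproduce ntpd's actual intersection and clustering algorithms.

```python
"""Added example (not from the thread): simplified NTP source selection and
a wall-clock vs monotonic-clock neighbor timer.  All numbers are constructed."""
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    offset_ms: float   # this peer's measured offset relative to the local clock
    jitter_ms: float   # apparent jitter of its recent samples


def select_truechimers(peers, tolerance_ms=10.0):
    """Split peers into (accepted, rejected).  A peer is accepted when a
    majority of all configured peers agree with its offset within
    tolerance_ms.  Assumes at least half of the configured peers are honest;
    this is a stand-in for ntpd's selection logic, not a copy of it."""
    accepted, rejected = [], []
    quorum = len(peers) // 2 + 1
    for p in peers:
        agree = sum(1 for q in peers
                    if abs(q.offset_ms - p.offset_ms) <= tolerance_ms)
        (accepted if agree >= quorum else rejected).append(p)
    return accepted, rejected


def combined_offset_ms(peers, tolerance_ms=10.0):
    """Offset the client would apply: jitter-weighted mean of surviving peers.
    Returns None when no quorum exists, i.e. the client keeps free-running
    ("autopilot") rather than stepping its clock on unagreed data."""
    accepted, _ = select_truechimers(peers, tolerance_ms)
    if not accepted:
        return None
    weights = [1.0 / max(p.jitter_ms, 0.001) for p in accepted]
    return (sum(p.offset_ms * w for p, w in zip(accepted, weights))
            / sum(weights))


def neighbor_dead(last_hello_ts, now_ts, dead_interval_s):
    """Dead-interval check shared by both clock sources."""
    return now_ts - last_hello_ts > dead_interval_s


def simulate_time_step(dead_interval_s=40.0, step_s=3600.0):
    """A neighbor's hello is received, then 5 s later the wall clock is
    stepped forward by step_s (e.g. a large NTP correction).  Returns
    (wall_verdict, monotonic_verdict): whether each clock source wrongly
    declares the neighbor dead.  Timestamps are constructed."""
    wall_last, mono_last = 1_000_000.0, 500.0
    elapsed = 5.0
    wall_now = wall_last + elapsed + step_s   # wall clock jumps with the step
    mono_now = mono_last + elapsed            # monotonic clock only advances
    return (neighbor_dead(wall_last, wall_now, dead_interval_s),
            neighbor_dead(mono_last, mono_now, dead_interval_s))


if __name__ == "__main__":
    honest = [Peer("a", 1.0, 0.5), Peer("b", -0.5, 0.5), Peer("c", 0.8, 0.5)]
    # A source lying by five minutes is thrown out as a falseticker.
    acc, rej = select_truechimers(honest + [Peer("spoof", 300000.0, 0.5)])
    print("rejected:", [p.name for p in rej])
    print("applied offset (ms):", combined_offset_ms(honest + [Peer("spoof", 300000.0, 0.5)]))
    # A lie within the tolerance survives but only moves the result by ms.
    print("applied offset with small lie (ms):",
          combined_offset_ms(honest + [Peer("spoof", 5.0, 0.5)]))
    print("wall-clock timer fired, monotonic timer fired:", simulate_time_step())
```

The first part shows why a single spoofed server buys an attacker only millisecond-scale influence once several honest sources are configured; the second shows the defensive fix for the OSPF symptom described above, namely driving protocol timers from a monotonic clock so that NTP steps cannot expire a live adjacency.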
