Re: NTP Md5 or AutoKey?

From: Steven M. Bellovin (no email)
Date: Tue Nov 04 2008 - 04:39:41 EST

  • Next message: (no name): "Re: NTP Md5 or AutoKey?"

    On Tue, 04 Nov 2008 01:52:05 -0500

    > On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
    > > I'm just wondering -- in globak scheme of security issue, is NTP
    > > security a major issue?
    > The biggest problem is that you pretty much have to spoof a server
    > that the client is already configured to be accepting NTP packets
    > from. And *then* you have to remember that your packets can only lie
    > about the time by a very small number of milliseconds or they get
    > tossed out by the NTP packet filter that measures the apparent
    > jitter. Remember, the *real* clock is also sending correct updates.
    > At *best*, you lie like hell, and get the clock thrown out as an
    > "insane" timesource. But at that point, a properly configured clock
    > will go on autopilot till a quorum of sane clocks reappears, so you
    > don't have much chance of wedging in a huge time slew (unless you
    > *really* hit the jackpot, and the client reboots and does an ntpdate
    > and you manage to cram in enough false packets to mis-set the clock
    > then).
    > So in most cases, you can only push the clock around by milliseconds
    > - and that doesn't buy you very much room for a replay attack or
    > similar, because that's under the retransmit timeout for a lost
    > packet. It isn't like you can get away with replaying something from
    > 5 minutes ago.
    > Now, if you wanted to be *dastardly*, you'd figure out where a site's
    > Stratum-1 server(s) have their GPS antennas, and you'd read the recent
    > research on spoofing GPS signals - at *that* point you'd have a good
    > chance of controlling the horizontal and vertical....
    > is old but does
    have a good analysis of the problem.

                    --Steve Bellovin,

  • Next message: (no name): "Re: NTP Md5 or AutoKey?"

    Hosted Email Solutions

    Invaluement Anti-Spam DNSBLs

    Powered By FreeBSD   Powered By FreeBSD