Firewall Wizards mailing list archives

Re: NTp config - for the databases :}


From: Bret Watson <lists () bwa net>
Date: Fri, 13 Mar 1998 10:26:09

(..)
NTP is a UDP protocol so prediction is not a problem, you just have to wait
for the outgoing request and reply to that request. As this particular site
has a single cable going out - it's not hard to capture the total traffic.
(..)

There's your single point of failure. If I manage to block all NTP data
going *to* your site I can get complete control over the network's notion of
time by spoofing only **one** of your 18 reference servers. NTP will happily
follow this one phoney server, as long as it believes the other 17 are dead.
I don't even have to be careful with time changes. Now that the phoney server
is the only reference, NTP will follow it all the way.

The catch is that the stratum-2s are also peering with each other, so unless
your spoofed reference is more stable than the combined clock of the three
they will ignore it.

Add a couple of radio receivers to the lot (radio-to-ntp boxes are available
for reasonable prices) which gives you in-house stratum-1 servers to
complement the internet servers. 

Certainly. If you have the budget. This is much, much better than an
external ref. Probably the easiest for most of the world (radio/Omega/LORAN
is not always very available in some parts - like here) is to plonk a
Trimble GPS in and link the PPS line to the serial port - then use the PPS
driver for xntpd. If you've been told to implement it, but not given the
money for it - then the next best thing IMHO is what I described.

Cheers,

Bret
Technical Incursion Countermeasures 
consulting () bwa net                      http://www.ticm.com/
ph: (+61)(08) 9454 2487(UTC+8 hrs)      fax: (+61)(08) 9454 6042

The Insider - an e'zine on computer security
http://www.ticm.com/about/insider.html
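As an added illustration (not part of the original thread) of the two outcomes discussed above, this simplified Python model of the NTP clock-selection (intersection) step shows why three peered stratum-2 servers reject a lone spoofed reference, yet follow it once the other references are unreachable. The `Source` class, the sample offsets and the plain-mean combine are constructed assumptions for the demo, not ntpd's own code.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Source:
    name: str
    offset: float     # measured offset of this source from the local clock, seconds
    root_dist: float  # error radius the source is trusted to (root distance), seconds

def intersection(sources):
    """Marzullo-style intersection as in the NTP clock-selection step (simplified):
    find the largest set of sources whose error intervals share a common point.
    Returns (truechimers, falsetickers)."""
    # Endpoint table: -1 marks an interval start, +1 an interval end. Starts sort before
    # ends at an equal time, so two intervals that merely touch still overlap.
    points = sorted([(s.offset - s.root_dist, -1) for s in sources]
                    + [(s.offset + s.root_dist, +1) for s in sources])
    best = count = 0
    lo = hi = None
    for i, (x, kind) in enumerate(points):
        count -= kind                 # entering an interval adds one, leaving removes one
        if count > best:              # densest region so far: from this point to the next
            best, lo = count, x
            hi = points[i + 1][0] if i + 1 < len(points) else x
    true_ = [s for s in sources
             if lo is not None and s.offset - s.root_dist <= lo and s.offset + s.root_dist >= hi]
    false_ = [s for s in sources if s not in true_]
    return true_, false_

def select_time(sources):
    """Return (offset to apply or None, truechimers, falsetickers). A majority of the
    reachable sources must agree; the combined offset is a plain mean (ntpd weights it)."""
    true_, false_ = intersection(sources)
    if not true_ or len(true_) <= len(false_):
        return None, true_, false_    # no majority clique: refuse to steer the clock
    return mean(s.offset for s in true_), true_, false_

# Constructed sample: three in-house stratum-2 peers agreeing within about 10 ms,
# plus one forged source claiming the local clock is 5 s slow.
PEERS = [Source("s2a", 0.002, 0.010), Source("s2b", -0.001, 0.010), Source("s2c", 0.003, 0.012)]
PHONEY = Source("phoney", 5.0, 0.005)

if __name__ == "__main__":
    off, _, f = select_time(PEERS + [PHONEY])
    print(f"all reachable: offset={off:.4f}s, rejected={[s.name for s in f]}")
    off, t, _ = select_time([PHONEY])      # other references blocked: the forgery is followed
    print(f"only forged source reachable: offset={off:.4f}s, followed={[s.name for s in t]}")
```

With all four sources reachable the forged one is the sole falseticker; with the three peers blocked it becomes the only truechimer and sets the clock, which is the single point of failure the thread describes.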


