nanog mailing list archives
Re: well-known NTP?
From: "Edward B. DREGER" <eddy+public+spam () noc everquick net>
Date: Tue, 11 Apr 2006 23:25:58 +0000 (GMT)
LL> Date: Wed, 12 Apr 2006 01:10:09 +0200
LL> From: Lars-Johan Liman

LL> [I just happened to see this, browsing at high speed, so please
LL> forgive me, if I'm out of context.]

I was primarily referring to taking the load away from DIX. :-)

However, as long as you raise a few points...

LL> If you create a disparate anycast system of NTP server, you run into a
LL> security issue, since many security protocols have "accurate time" as
LL> an important parameter, and a rogue anycast NTP server could create
LL> substantial amounts of harm from security and other standpoints by
LL> giving out incorrect time.

A rogue server can cause trouble regardless of whether it's anycasted [by design]. The "blast radius" might be smaller (which can complicate troubleshooting but helps contain damage). Of course, more systems means more chance for failure.

Furthermore, "unicast by design" does nothing to prevent a rogue route from changing that. Panix was just a recent victim of this.

LL> Nope, you want your NTP to come from an appropriate source ...
LL> preferably with signatures.

Time to query multiple NTP sources, utilize GPS, and limit time adjustment deltas.

I'll concede that multi-provider anycast presents an obvious problem for sharing the key with "only the good guys". However, I think all the little D-Link critters can live with unsigned stratum-9 answers by default.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc () brics com -*- jfconmaapaq () intc net -*- sam () everquick net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
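The mitigation named in the message above (query multiple NTP sources, include GPS, limit time adjustment deltas) can be sketched as a client-side check. This is an added example, not part of the original post or of any NTP implementation; the function name, thresholds, source names and sample offsets are assumptions constructed for illustration.

```python
from statistics import median

MAX_STEP = 0.5       # assumed cap, in seconds, on any single clock adjustment
AGREE_WINDOW = 0.1   # assumed: a source "agrees" if within 100 ms of the median
MIN_AGREEING = 3     # assumed quorum of agreeing sources before adjusting


def choose_adjustment(offsets, max_step=MAX_STEP, window=AGREE_WINDOW,
                      quorum=MIN_AGREEING):
    """Return (adjustment_seconds, rejected_sources) from {source: offset}.

    Each offset is the measured (source time - local time) in seconds.
    """
    if not offsets:
        return 0.0, []
    mid = median(offsets.values())
    agreeing = {s: o for s, o in offsets.items() if abs(o - mid) <= window}
    rejected = sorted(set(offsets) - set(agreeing))
    # Need the quorum AND a strict majority, so a minority of bad sources
    # (for example one rogue anycast instance) cannot steer the clock.
    if len(agreeing) < quorum or len(agreeing) * 2 <= len(offsets):
        return 0.0, rejected
    consensus = sum(agreeing.values()) / len(agreeing)
    # Limit the delta: even a unanimous answer moves the clock by at most
    # max_step, which bounds the damage if every path has been hijacked.
    return max(-max_step, min(max_step, consensus)), rejected


# Constructed sample measurements (not real servers or real data).
ONE_ROGUE = {
    "ntp-a.example": 0.012,
    "ntp-b.example": 0.018,
    "gps-refclock": 0.015,
    "anycast.example": 3600.0,   # rogue instance answering an hour fast
}
ALL_HIJACKED = {"ntp-a.example": 7200.0, "ntp-b.example": 7200.01,
                "ntp-c.example": 7199.99}
SPLIT_BRAIN = {"a.example": 0.0, "b.example": 0.01,
               "c.example": 50.0, "d.example": 50.01}

if __name__ == "__main__":
    for name, sample in [("one rogue", ONE_ROGUE),
                         ("all hijacked", ALL_HIJACKED),
                         ("split", SPLIT_BRAIN)]:
        print(name, choose_adjustment(sample))
```

The clamp is what still helps when every source is reached over the same rogue route: agreement among sources detects a lone liar, but only the delta limit bounds a unanimous wrong answer.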