nanog mailing list archives
Re: NTP Md5 or AutoKey?
From: Nathan Ward <nanog () daork net>
Date: Tue, 4 Nov 2008 19:30:48 +1300
On 4/11/2008, at 7:23 PM, Paul Ferguson wrote:
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent () gmail com> wrote:Hi, I was wondering what most folks use for NTP security? Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?I'm just wondering -- in globak scheme of security issue, is NTP security a major issue? Just curious.
Out of sync time was a big deal in James Bond 18 (Tomorrow Never Dies).Anyway, pushing time out of sync seems an interesting way to break services that require stuff to be synced up. Kerberos is one such example.
Push a KDC out of sync from it's clients, and auth wouldn't happen anymore. Seems like a simple way to kick router admins out of their equipment if you're causing trouble, or at least, slow them down.
Of course, this only really works if your network has 3 reliable +secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp \.org would class as reliable+secure if you're concerned about NTP security.
-- Nathan Ward
Current thread:
- NTP Md5 or AutoKey? Glen Kent (Nov 03)
- Re: NTP Md5 or AutoKey? Paul Ferguson (Nov 03)
- Re: NTP Md5 or AutoKey? Kevin Oberman (Nov 03)
- Re: NTP Md5 or AutoKey? Glen Kent (Nov 04)
- Re: NTP Md5 or AutoKey? Nathan Ward (Nov 03)
- Re: NTP Md5 or AutoKey? Roland Dobbins (Nov 03)
- RE: NTP Md5 or AutoKey? Deepak Jain (Nov 05)
- Re: NTP Md5 or AutoKey? Valdis . Kletnieks (Nov 03)
- Re: NTP Md5 or AutoKey? Glen Kent (Nov 04)
- RE: NTP Md5 or AutoKey? Lincoln Dale (Nov 04)
- RE: NTP Md5 or AutoKey? Tony Finch (Nov 04)
- Re: NTP Md5 or AutoKey? Kurt Erik Lindqvist (Nov 06)
- Re: NTP Md5 or AutoKey? Kevin Oberman (Nov 03)
- Re: NTP Md5 or AutoKey? Steven M. Bellovin (Nov 04)
- Re: NTP Md5 or AutoKey? Paul Ferguson (Nov 03)
- Re: NTP Md5 or AutoKey? bmanning (Nov 04)
- Re: NTP Md5 or AutoKey? Glen Kent (Nov 04)