> One of the advantages
> that routers have over UNIX hosts is that they don't come with so many
> capabilities, each of which have to be considered for security implications
> and protected or turned off as necessary.
Synchronizing a firewalled net with the Internet requires running NTP
*somewhere*, whether it's on the routers themselves (assuming a screened-
network configuration) or on a Unix bastion. So the question isn't whether
adding NTP to the router makes it less secure, the question is whether a
router with NTP is less secure than a Unix box with NTP. And it's a
question that I'm not going to try to answer, no way.
There are some other issues....
A router isn't such a simple thing that NTP is a big increase in
complexity. It's already likely to be running multiple routing processes
redistributing routes between themselves and into the routing table, it may
have an SNMP server, telnet server, finger server, telnet client, tftp
client, and probably lots more stuff that I can't think of. Due to this,
it's already got a scheduler, memory manager and maybe even a protected
memory system, which will certainly help a lot in keeping NTP bugs from
opening holes in code unrelated to NTP. If the router software is
architected right, then something like NTP should be no big deal.
On the other hand, it's easier to trust a Unix box built from sources,
running NTP built from source. Do we *know* that some router's software is
architected to keep processes out of each other's data?
Now I'm going to kill off my previous points... while Ciscos can run NTP,
there's no reason for them to. I don't agree with the point that routers
should do NTP because they're on every subnet anyway; you're much better
off having a single Unix server using directed broadcasts to flood the time
onto all the subnets where it's useful. Then, all you need are routers
that can forward directed broadcasts, and one central host. There's no need
to have to modify all your router configurations just because you want to
change the NTP topology.
--
Tom Fitzgerald   1-508-967-5278   Wang Labs, Lowell MA, USA   fitz@wang.com
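As an added illustration (not part of the original post) of the topology argued for above, here is what the "one central Unix host broadcasting time onto each subnet" arrangement looks like in the configuration language of the reference ntpd. The hostnames, subnet addresses and key value are constructed placeholders; the `keys`/`trustedkey` lines are included because broadcast NTP with no authentication lets any host on the segment announce time, so the broadcasts are keyed and the clients only accept keyed packets.

```conf
# ---- /etc/ntp.conf on the central Unix time server (example, constructed) ----
# Upstream reference: placeholder hostname, not a real server.
server upstream-time.example.net iburst

# Shared-secret keys so clients can verify that broadcasts came from this host.
keys /etc/ntp.keys
trustedkey 1

# Flood time onto each subnet via its directed-broadcast address
# (placeholder subnets 192.0.2.0/24 and 198.51.100.0/24).
broadcast 192.0.2.255 key 1
broadcast 198.51.100.255 key 1

# Serve time to clients but refuse remote configuration and status queries.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

# ---- /etc/ntp.keys on server and every client (example, constructed) ----
# Format: <key id> <type> <secret>; "M" is the MD5 key type of the reference ntpd.
# 1 M CHANGE-ME-SHARED-SECRET

# ---- /etc/ntp.conf on each client host (example, constructed) ----
# Listen for keyed broadcasts; packets that do not verify with key 1 are ignored.
keys /etc/ntp.keys
trustedkey 1
broadcastclient
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
```

The routers in between only need to forward the directed broadcasts (on Cisco IOS that is `ip directed-broadcast` on the egress interface, which is off by default on IOS 12.0 and later because forwarded directed broadcasts can be used for traffic amplification; IOS accepts an access-list argument on that command so that only UDP/123 from the time server is forwarded). Changing the NTP topology then means editing the server's `broadcast` lines and nothing on the routers, which is the point the post makes.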