Dirk Nerling wrote;
>>I plan to update the time of our internal net from
>>an Internet Time Server on a regular basis. Does
>>anbody of you know something about the xntpd?
>Any intrusion listed? What do the experts suggest?
NTP relies on receiving time information via UDP from (usually) about
three stratum-1 time servers. The basic service is vulnerable to
spoofing and denial-of-service attacks. This is somewhat mitigated by
the availability of an authenticated mode in which a MAC (Message
Authentication Code) is appended. This requires that you share a DES key
with the stratum-1 provider. I'm not even sure this is available outside
the US and Canada as Dr. Mills now has an export version of xntpd,
presumably sans DES.
It was questions like this that led us at GTE to create our own
redundant stratum-1 time servers within our intranet and behind our
firewall. The hosts for the time servers host other security
applications, so the cost was not great, and the system has been very
The only problem, and this is true regardless of where your stratum-1
servers are, is that the Selective Availability channel of GPS, which is
the only channel we civilians are allowed to use, is itself vulnerable
to certain denial-of-service-attacks. Given that, use a GPS receiver
that features a really good oscillator that is capable of riding out
long periods of signal loss.
"The Box said Win '95 or better - So I used a Macintosh!"
-Harold Herbert Tessman