Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: Feeping Creaturism in routers (was Re: Response to Satan)
From: Alan Barrett <barrett @ daisy . ee . und . ac . za>
Date: Tue, 4 Apr 1995 10:58:02 +0200 (GMT+0200)
To: Richard Threadgill <richardt @ remarque . berkeley . edu>
Cc: firewalls @ greatcircle . com
In-reply-to: <9790 . 796942264 @ remarque . berkeley . edu>

On Mon, 3 Apr 1995, Richard Threadgill wrote:
> This is the strongest reason to not run ntp on your firewall router.
> Why do you consider the incoming ntp stream trustworthy?

The widely used xntpd implementation supports DES and MD5 authentication
of timestamps, even over unencrypted links.  Cisco's ntp implementation
supports MD5 authentication. 

> An atomic or radio clock on your premises is fairly unlikely to be
> compromised; an external ntp clock is not so blessed.

Quite so.  But you don't need an atomic clock in every branch office;  you
can have a trusted clock at headquarters and distribute authenticated
chime from there.  Use several trusted clocks in different locations for
higher reliability. 

--apb (Alan Barrett)
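
Added example, not part of the original message: a sketch of the keyed-MD5 check used by NTP symmetric-key authentication, showing how a receiver can reject a modified timestamp even though the packet travels in the clear. The MAC layout (32-bit key ID followed by MD5 over key plus header) follows the NTP symmetric-key scheme; the key, key ID, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header, sent unencrypted
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest
TRANSMIT_OFFSET = 40     # transmit timestamp occupies bytes 40..47

# Constructed key table (key ID -> shared secret), standing in for the
# keys file shared by the trusted clock and the routers that follow it.
TRUSTED_KEYS = {1: b"constructed-sample-secret"}


def build_header(transmit_seconds: int) -> bytes:
    """Minimal server-mode header with only the transmit timestamp filled in."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (3 << 3) | 4   # LI=0, VN=3, Mode=4 (server)
    header[1] = 1                         # stratum 1
    struct.pack_into("!II", header, TRANSMIT_OFFSET, transmit_seconds, 0)
    return bytes(header)


def sign(header: bytes, key_id: int, keys=TRUSTED_KEYS) -> bytes:
    """Append key ID and MD5(key || header), as the sending clock would."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys=TRUSTED_KEYS) -> bool:
    """Accept only packets whose MAC matches a key we trust."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False                      # no MAC at all, or malformed
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack_from("!I", packet, NTP_HEADER_LEN)
    key = keys.get(key_id)
    if key is None:
        return False                      # signed with a key we do not trust
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


# Constructed sample: an authentic packet, and a copy whose timestamp was
# shifted by one hour in transit without knowledge of the key.
GOOD = sign(build_header(3_000_000_000), key_id=1)
_tampered = bytearray(GOOD)
struct.pack_into("!I", _tampered, TRANSMIT_OFFSET, 3_000_000_000 + 3600)
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print("authentic:", verify(GOOD), "tampered:", verify(TAMPERED))
```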


