On Mon, 3 Apr 1995, Richard Threadgill wrote:
> This is the strongest reason to not run ntp on your firewall router.
> Why do you consider the incoming ntp stream trustworthy?
The widely used xntpd implementation supports DES and MD5
authentication of timestamps, even over unencrypted links.
Cisco's ntp implementation supports MD5 authentication.
It's not quite that simple. The authentication just protects your
association with that time source; it doesn't say anything about
their source of time. See
@inproceedings{Bishop-ntp,
  author    = {Bishop, Matt},
  title     = {A Security Analysis of the {NTP} Protocol},
  booktitle = {Sixth Annual Computer Security Conference Proceedings},
  address   = {Tucson, AZ},
  pages     = {20--29},
  year      = 1990,
  month     = {December},
  annote    = {Available for ftp from louie.udel.edu
               as /pub/ntp/doc/bishop.ps.Z.}
}
> An atomic or radio clock on your premises is fairly unlikely to be
> compromised; an external ntp clock is not so blessed.
Quite so. But you don't need an atomic clock in every
branch office; you can have a trusted clock at headquarters
and distribute authenticated chime from there. Use several
trusted clocks in different locations for higher reliability.
Good idea, in light of the risks.
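The symmetric-key authenticator the thread refers to (RFC 1305 style, as in xntpd and Cisco's MD5 mode) is a key id plus MD5 over the shared secret and the 48-byte header. The following is an added illustration, not code from anyone in this thread; the header fields, key id and secrets are constructed for the demo. It shows what the MAC does and does not buy you: a modified packet or an unknown key id is rejected, but a correctly keyed peer serving bad time passes just the same.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
DIGEST_LEN = 16   # MD5 output

def build_header(stratum=2, ref_id=b"HQCK", tx_timestamp=0):
    """Minimal 48-byte NTPv3 server reply (li=0, vn=3, mode=4).
    Only the transmit timestamp is set; the rest stays zero (constructed)."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    return (struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # poll, precision
            + struct.pack("!II", 0, 0)                         # root delay/disp
            + ref_id[:4].ljust(4, b"\0")                       # reference id
            + struct.pack("!QQQ", 0, 0, 0)                     # ref/orig/recv ts
            + struct.pack("!Q", tx_timestamp))                 # transmit ts

def sign(header, key_id, key):
    """Append the authenticator: 4-byte key id + MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def verify(packet, trusted_keys):
    """Return the key id if the MAC verifies under a trusted key, else None.
    `trusted_keys` plays the role of the keys file plus the trustedkey list."""
    if len(packet) != HEADER_LEN + 4 + DIGEST_LEN:
        return None                     # no authenticator present
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None                     # unknown or untrusted key id
    expected = hashlib.md5(key + header).digest()
    ok = hmac.compare_digest(expected, packet[HEADER_LEN + 4:])
    return key_id if ok else None

def demo():
    """Three cases: genuine, tampered in transit, signed under a foreign key."""
    keys = {1: b"hq-branch-shared-secret"}       # constructed secret
    good = sign(build_header(tx_timestamp=0x1234567800000000), 1, keys[1])
    # changing the transmit timestamp on the wire invalidates the digest
    tampered = good[:40] + struct.pack("!Q", 0x1234567900000000) + good[48:]
    # a self-consistent MAC under key id 7 is still rejected: 7 is not trusted
    foreign = sign(build_header(), 7, b"some-other-secret")
    return verify(good, keys), verify(tampered, keys), verify(foreign, keys)
```

Nothing here checks the time value itself, which is the point made above: the MAC binds you to the peer, and the peer's own source of time is a separate question.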