> On Fri, 4 Apr 1997, Arley Carter wrote:
On the inadvisabilty of passing udp through a firewall
On Mon, 7 Apr 1997, Todd Graham Lewis wrote:
> Agreed. If you're super-paranoid, then you can shell out the US$200 for a
> GPS receiver and make yourself into a stratum-1 server. (If you do this,
> you should do it outside the firewall, offer stratum-1 services to others,
> and make your firewall a stratum-2 server, using ntp's builtin
> cryptographic authentication.)
> And to whoever said that you shouldn't use time-based cryptography, there
> are well-respected cryptosystems which rely on accurate time info on both
> client and server to eliminate replay attacks and other time-based hacks.
> To dismiss them merely because they require accurate time info is silly.
>From ac @
hawkTue Apr 8 09:46:48 1997
Date: Mon, 7 Apr 1997 16:09:01 -0400 (EDT")
From: Arley Carter <ac @
To: "Button, Dave" <Dave .
Subject: RE: UDP considered harmful? (was: xntpd and gauntlet 3.2)
On Mon, 7 Apr 1997, Button, Dave wrote:
> The quote was specific to OUR situation, though I understand that UDP
> may be dangerous in situations where RPC is used. More specifically, I
> was concerned about spoofing attacks that would negate having accurate
> time, and the problems with relying on outside servers providing
> claimed stratum 1 accuracy. We are in the certification authority
> business and so we must avoid the apperance of evil as well as evil
This brings up an interesting question about the xnptd protocol. As I
understand the algorithm xntp uses, it chooses the "best" time from one
of all the servers selected. This is based upon dispersion around a
mean time. Outlyers's are discarded.
So: Let's assume you pick 6 external servers at random, ( 3 is the
recommended minimum.) To serve bogus time to your xtnpd daemon and have
it believed, the attacker would have to corrupt the time servers for a
majority of your servers that you have chosen at random. Otherwise, the
attacker's time stamps would be thrown out of the time selection process
because it is a divergent time.
I would say then that the possiblity of an attacker being able to launch
a successful attack using this method is therefore is quite small.
If someone can demonstrate this in not true, please chime in.
Tradewinds Technologies, Inc.
Winston-Salem, NC USA
email: ac @