Bret Watson wrote:
> XNTPD can be set up to be safe.
> i. fully utilise the voting system - find at least 6 NTP servers
> (secondaries or above) that are geographically distant - I use one in
> France, one in Switzerland, one in Aust, one in NZ and one in Japan.
> ii. if you can get a DES library and rebuild XNTPD with it - there is a
> setting for it to use DES to authenticate - the auth is quite strong as it
> is effectively a one-time pad system. Most primaries will permit DES auth
> and some secondaries.
>
> The first item makes it very hard to spoof the packets, the second makes it
> impossible.
Note that if somebody wants to attack you, it could first try to attack
your ISP. In this case, it could spoof all your NTP servers at the same
time, wherever they are.
I don't know the NTP authentication system, but probably it isn't a real
one-time pad (probably it will eventually cycle).
It could nevertheless be an adequate protection.
ciao
- Claudio
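
The two points above, as an added illustration that is not part of either message and is not xntpd code: a simplified interval-intersection vote (Marzullo's algorithm, from which NTP's clock selection is derived) run on constructed samples. It shows a single forged reply being outvoted, and all six servers "agreeing" on a wrong time when every reply is altered on the shared path; the server names, offsets and error bounds are assumptions made up for the example.

```python
# Added example: simplified Marzullo-style intersection ("voting") over
# NTP server samples. Not xntpd code; all names and numbers are constructed.

def largest_agreement(samples):
    """samples: {name: (offset_s, error_s)}. Return (lo, hi, names) for the
    largest set of servers whose [offset-error, offset+error] intervals overlap."""
    if not samples:
        return None, None, []
    edges = []
    for name, (off, err) in samples.items():
        edges.append((off - err, 0, name))  # 0 = opens; sorts before a close at a tie
        edges.append((off + err, 1, name))  # 1 = closes
    edges.sort()
    best = count = 0
    lo = hi = None
    for i, (value, kind, _) in enumerate(edges):
        if kind == 0:
            count += 1
            if count > best:  # new largest overlap: it lasts until the next edge
                best, lo, hi = count, value, edges[i + 1][0]
        else:
            count -= 1
    names = sorted(n for n, (off, err) in samples.items()
                   if off - err <= lo and hi <= off + err)
    return lo, hi, names

def agreed_offset(samples):
    """Midpoint of the agreed interval, or None without a strict majority."""
    lo, hi, names = largest_agreement(samples)
    if 2 * len(names) <= len(samples):
        return None, names  # no majority: do not adjust the clock
    return (lo + hi) / 2, names

# Constructed samples: six servers, offsets and error bounds in seconds.
HONEST = {"s1": (0.012, 0.030), "s2": (0.008, 0.025), "s3": (0.015, 0.060),
          "s4": (0.010, 0.055), "s5": (0.011, 0.045), "s6": (0.009, 0.040)}
# One forged reply claims the clock is an hour off.
ONE_SPOOFED = dict(HONEST, s3=(3600.0, 0.030))
# Every reply altered on the shared path by the same amount.
ALL_SHIFTED = {n: (off + 3600.0, err) for n, (off, err) in HONEST.items()}

if __name__ == "__main__":
    for label, data in (("honest", HONEST), ("one spoofed", ONE_SPOOFED),
                        ("all shifted", ALL_SHIFTED)):
        print(label, agreed_offset(data))
```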