NTP Md5 or AutoKey?
nanog at daork.net
Tue Nov 4 00:30:48 CST 2008
On 4/11/2008, at 7:23 PM, Paul Ferguson wrote:
> On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent at gmail.com>
>> I was wondering what most folks use for NTP security?
>> Do they use the low cost, light weight symmetric key cryptographic
>> protection method using MD5 or do folks go in for full digital
>> signatures and X.509 certificates (AutoKey Security)?
> I'm just wondering -- in globak scheme of security issue, is NTP
> security a major issue?
> Just curious.
Out of sync time was a big deal in James Bond 18 (Tomorrow Never Dies).
Anyway, pushing time out of sync seems an interesting way to break
services that require stuff to be synced up. Kerberos is one such
Push a KDC out of sync from it's clients, and auth wouldn't happen
anymore. Seems like a simple way to kick router admins out of their
equipment if you're causing trouble, or at least, slow them down.
Of course, this only really works if your network has 3 reliable
+secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp
\.org would class as reliable+secure if you're concerned about NTP
More information about the NANOG