NTP Md5 or AutoKey?

Deepak Jain deepak at ai.net
Wed Nov 5 15:20:24 CST 2008


Of course, this only really works if your network has 3 reliable+secure
time sources + 1 for redundancy. I'm not sure that .*pool\.ntp\.org
would class as reliable+secure if you're concerned about NTP
security.

It's important to recognize that "secure" NTP has nothing to do with real
world time, and everything to do with all your secure systems being on
*the same* time, whatever that is. It really doesn't matter (much) if your
secure NTP cluster gets its time from an inconsistent source [provided it
won't allow changes of too great a magnitude at a time] but as long as they
are all on the *same* time, you can maintain your security.

From an SP's point-of-view, security is very odd. It doesn't matter how well your
"internal" systems are if you are sending mail with the wrong time (say some
future date) and MTAs at your customers are rejecting them.

Deepak



