Question on Loosely Synchronized Router Clocks

Steven M. Bellovin smb at
Tue Sep 18 18:10:34 UTC 2007

On Tue, 18 Sep 2007 13:51:55 -0400
Valdis.Kletnieks at wrote:

> On Tue, 18 Sep 2007 09:27:32 PDT, Bora Akyol said:
> > 
> > It is not dependent on time. You'd like a protocol to be self
> > sufficient if at all possible.
> > 
> > Moving the vulnerability of one protocol to another is not highly
> > desirable in general.
> The interesting failure mode is, of course, what happens when you're
> not in time sync, so the routing protocol falls over - and due to the
> lack of routing table entries, you become unable to reach your
> timesource.

I've been talking with Xin offline, and raised that exact point.  That
said, in some security contexts there's little choice: you have to have
some way to assure that a message is fresh.  There are other choices in
some environment, such as monotonically increasing counters and
challenge/response protocols; depending on other decisions and the
particular context, these may be worse or not even possible.  For
example, if someone several hops away from the origination needs to
examine a signed *object*, a timestamp is probably better than a
counter, and challenge/response isn't even possible.  That doesn't make
timestamps good -- and they do have many disadvantages -- but they may
be the only choice.

		--Steve Bellovin,

More information about the NANOG mailing list