Question on Loosely Synchronized Router Clocks
Steven M. Bellovin
smb at cs.columbia.edu
Tue Sep 18 18:10:34 UTC 2007
On Tue, 18 Sep 2007 13:51:55 -0400
Valdis.Kletnieks at vt.edu wrote:
> On Tue, 18 Sep 2007 09:27:32 PDT, Bora Akyol said:
> >
> > It is not dependent on time. You'd like a protocol to be self
> > sufficient if at all possible.
> >
> > Moving the vulnerability of one protocol to another is not highly
> > desirable in general.
>
> The interesting failure mode is, of course, what happens when you're
> not in time sync, so the routing protocol falls over - and due to the
> lack of routing table entries, you become unable to reach your
> timesource.
I've been talking with Xin offline, and raised that exact point. That
said, in some security contexts there's little choice: you have to have
some way to assure that a message is fresh. There are other choices in
some environment, such as monotonically increasing counters and
challenge/response protocols; depending on other decisions and the
particular context, these may be worse or not even possible. For
example, if someone several hops away from the origination needs to
examine a signed *object*, a timestamp is probably better than a
counter, and challenge/response isn't even possible. That doesn't make
timestamps good -- and they do have many disadvantages -- but they may
be the only choice.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list