NTP Md5 or AutoKey?

Nathan Ward nanog at daork.net
Tue Nov 4 06:30:48 UTC 2008


On 4/11/2008, at 7:23 PM, Paul Ferguson wrote:

> On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent at gmail.com>  
> wrote:
>
>> Hi,
>>
>> I was wondering what most folks use for NTP security?
>>
>> Do they use the low cost, light weight symmetric key cryptographic
>> protection method using MD5 or do folks go in for full digital
>> signatures and X.509 certificates (AutoKey Security)?
>>
>
> I'm just wondering -- in globak scheme of security issue, is NTP
> security a major issue?
>
> Just curious.


Out of sync time was a big deal in James Bond 18 (Tomorrow Never Dies).

Anyway, pushing time out of sync seems an interesting way to break  
services that require stuff to be synced up. Kerberos is one such  
example.

Push a KDC out of sync from it's clients, and auth wouldn't happen  
anymore. Seems like a simple way to kick router admins out of their  
equipment if you're causing trouble, or at least, slow them down.

Of course, this only really works if your network has 3 reliable 
+secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp 
\.org would class as reliable+secure if you're concerned about NTP  
security.

--
Nathan Ward








More information about the NANOG mailing list