NTP Md5 or AutoKey?

Glen Kent glen.kent at gmail.com
Tue Nov 4 08:47:26 UTC 2008

I dont think this is correct.

I have seen routing protocol adjacencies going down because of some
perturbations in NTP. I understand, any router implementation worth
its salt would not use the NTP clock internally, but i have seen some
real life issues where OSPF went down because the time moved ahead and
it thought that it hadnt heard from the neighbor since a long time.

All such bugs were eventually fixed, but this is just one example.

There is an emerging need to distribute highly accurate time
information over IP and over MPLS packet switched networks (PSNs).  A
variety of applications require time information to a precision which
existing protocols cannot supply. TICTOC is an IETF WG created to
develop solutions that meet the requirements of such protocols and


> On Tue, Nov 4, 2008 at 12:22 PM,  <Valdis.Kletnieks at vt.edu> wrote:
> On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
>> I'm just wondering -- in globak scheme of security issue, is NTP
>> security a major issue?
> The biggest problem is that you pretty much have to spoof a server that
> the client is already configured to be accepting NTP packets from.  And *then* you have to
> remember that your packets can only lie about the time by a very small number
> of milliseconds or they get tossed out by the NTP packet filter that measures
> the apparent jitter. Remember, the *real* clock is also sending correct
> updates.  At *best*, you lie like hell, and get the clock thrown out as
> an "insane" timesource.  But at that point, a properly configured clock
> will go on autopilot till a quorum of sane clocks reappears, so you don't
> have much chance of wedging in a huge time slew (unless you *really* hit
> the jackpot, and the client reboots and does an ntpdate and you manage to
> cram in enough false packets to mis-set the clock then).
> So in most cases, you can only push the clock around by milliseconds - and
> that doesn't buy you very much room for a replay attack or similar, because
> that's under the retransmit timeout for a lost packet.  It isn't like you
> can get away with replaying something from 5 minutes ago.
> Now, if you wanted to be *dastardly*, you'd figure out where a site's
> Stratum-1 server(s) have their GPS antennas, and you'd read the recent
> research on spoofing GPS signals - at *that* point you'd have a good chance
> of controlling the horizontal and vertical....

More information about the NANOG mailing list