Carrier class email security recommendation
John Kristoff
jtk at cymru.com
Mon Apr 12 15:24:19 UTC 2010
On Mon, 12 Apr 2010 07:09:12 -0700
todd glassey <tglassey at earthlink.net> wrote:
> Alex there are many email systems out there - but make sure that
> whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP
> since this is how the GW is going to be able to put time-marks on
> receipts which must have legal authority.
Hi Todd,
I think this is the first I've heard that only authenticated NTP (and
maybe even NTPv4?) is sufficient for legal authority. Can you say a
bit more about this? Perhaps, what sorts of issues you've run into or
seen when this is not implemented?
> So that means any appliance system provider must have at least NTPv4
> tested with both Autokey and symmetric-key and the new interface
> specific ACL's in the 4.2.6 versions of NTP. Further the issues of the
> ECC/Parity memory become important here because time is moved over UDP
> and is subject to single-bit errors all over the place.
Authentication support for SNTP does exist in the protocol and I've
seen documentation where some gear supports it, though I suspect it's
very rarely used in practice.
And 4.2.6p1 was released 3 days ago and 4.2.6 in December. Might be
a tall order if you want it now. :-)
I haven't worked out the math, but I would have thought the UDP checksum,
coupled with a rigorous implementation (e.g. one that validates the originate and
transmit timestamps) and the various robustness mechanisms built into
the protocol should limit the effect of single-bit errors significantly.
I'd be interested in hearing or reading about experience that says
otherwise.
Nevertheless there are no doubt incorrect clocks all over the place.
As a simple example, for the open NTP servers we know about, here is
the top five most popular stratums by percent:
  stratum    %
        3   43
        4   18
        2   16
       16   14
        5    5
The overall accuracy of all those stratum 16 clocks is likely going
to be poor.
John
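The checks John mentions above (validating the originate timestamp, and treating stratum 16 or a leap-indicator alarm as an unusable clock) can be made concrete in a few dozen lines. The following is an added example, not code from either poster or from the NTP reference implementation; it parses the 48-byte NTPv4 header from RFC 5905, rejects a reply whose origin field does not echo the transmit timestamp the client sent, and tallies stratum percentages the way the table above does. All packets are constructed in-process (no network); the timestamp values and the sample pool are made-up illustrations.

```python
import struct
from collections import Counter

# RFC 5905 NTPv4 header: LI/VN/Mode, stratum, poll, precision (signed),
# root delay, root dispersion, reference ID, then four 64-bit timestamps
# (reference, origin, receive, transmit). 48 bytes in total.
NTP_HDR = struct.Struct("!BBBbIIIQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4
LI_ALARM = 3  # leap indicator 3: clock has never been synchronized


def build_request(transmit_ts, version=4):
    """Client request; transmit_ts is the nonce the server must echo as origin."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return NTP_HDR.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def build_server_reply(origin_ts, stratum, receive_ts, transmit_ts, li=0, version=4):
    """Constructed server reply used for the sample data below (not captured traffic)."""
    li_vn_mode = (li << 6) | (version << 3) | MODE_SERVER
    return NTP_HDR.pack(li_vn_mode, stratum, 6, -20, 0, 0, 0,
                        0, origin_ts, receive_ts, transmit_ts)


def parse_header(pkt):
    """Decode the fields a client needs in order to judge a reply."""
    if len(pkt) < NTP_HDR.size:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _precision, _rdelay, _rdisp, _refid,
     _ref_ts, org_ts, rec_ts, xmt_ts) = NTP_HDR.unpack_from(pkt)
    return {
        "li": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "origin": org_ts,
        "receive": rec_ts,
        "transmit": xmt_ts,
    }


def validate_reply(pkt, sent_transmit_ts):
    """Return (accepted, reason) for a reply to a request sent with sent_transmit_ts."""
    try:
        r = parse_header(pkt)
    except (ValueError, struct.error) as exc:
        return False, str(exc)
    if r["mode"] != MODE_SERVER:
        return False, "not a server-mode reply"
    # Originate check: the server must echo our transmit timestamp. A reply
    # whose origin field was corrupted in flight (or never came from our
    # request at all) fails here before any clock math is done.
    if r["origin"] != sent_transmit_ts:
        return False, "origin timestamp does not match our request"
    if r["li"] == LI_ALARM:
        return False, "leap indicator 3: server clock not synchronized"
    if r["stratum"] == 0:
        return False, "stratum 0: kiss-o'-death or unspecified"
    if r["stratum"] >= 16:
        return False, "stratum 16: server unsynchronized"
    # The transmit timestamp must be set and must not precede receive.
    if r["transmit"] == 0 or r["transmit"] < r["receive"]:
        return False, "transmit timestamp implausible"
    return True, "ok"


def stratum_percentages(replies):
    """Percent of replies per stratum, most common first (like the table above)."""
    counts = Counter(parse_header(p)["stratum"] for p in replies)
    total = sum(counts.values())
    return [(s, round(100 * n / total)) for s, n in counts.most_common()]


# Constructed sample data (illustrative values, not real timestamps).
NONCE = 0xE2F0A1B2_00000001   # our request's transmit timestamp, used as a nonce
T0 = 0xE2F0A1B3_00000000      # server-side receive time
GOOD = build_server_reply(NONCE, 2, T0, T0 + 1)
UNSYNC = build_server_reply(NONCE, 16, T0, T0 + 1, li=LI_ALARM)
_flipped = bytearray(GOOD)
_flipped[31] ^= 0x01           # single-bit error in the origin timestamp (bytes 24..31)
CORRUPT = bytes(_flipped)
SAMPLE_POOL = [build_server_reply(NONCE, s, T0, T0 + 1)
               for s in (3, 3, 3, 4, 2, 16, 3, 4, 5, 2)]

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("unsync", UNSYNC), ("corrupt", CORRUPT)):
        print(name, validate_reply(pkt, NONCE))
    print(stratum_percentages(SAMPLE_POOL))
```

The origin-timestamp comparison is the cheap, protocol-level guard against a flipped bit that the UDP checksum happened to miss: the client simply refuses to use a reply it cannot tie to its own request. The stratum tally is the same bookkeeping as the table above, so the share of stratum 16 (unsynchronized) servers in a pool can be tracked over time.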