NIST NTP servers
mel at beckman.org
Tue May 10 21:14:26 UTC 2016
Boss: So how did a hacker get in and crash our accounting server, break our VPNs, and kill our network performance?
IT guy: He changed our clocks.
Boss: How did he do that?
IT guy: We have an opening in our firewall that permits time clock packets to come from anywhere in the world, under certain conditions.
Boss: Why didn’t you block that?
IT guy: Well, we filtered to only accept clock settings from a trusted source, but the hacker lied and pretended to be that protected source.
Boss: I thought encryption was supposed to prevent that.
IT guy: Time clock packets aren’t encrypted. There is no standard for that.
Boss: Not even a password?
IT guy: Yes, there is a sophisticated authentication mechanism, but it doesn’t work.
Boss: So how could we have prevented this?
IT guy: We could have purchased our own time server synchronized to the U.S. Department of Standards atomic clock via Global Positioning System satellites using a special antenna. Then we wouldn’t need time from the Internet.
Boss: That sounds expensive. How much are we talking?
IT guy: $300
Boss: You’re fired.
On May 10, 2016, at 1:51 PM, Jared Mauch <jared at puck.nether.net<mailto:jared at puck.nether.net>> wrote:
On May 10, 2016, at 4:40 PM, Gary E. Miller <gem at rellim.com<mailto:gem at rellim.com>> wrote:
On Tue, 10 May 2016 16:29:26 -0400
Jared Mauch <jared at puck.nether.net<mailto:jared at puck.nether.net>> wrote:
If you’re using Redhat based systems consider using chrony
instead, even the new beta fedora 24 uses 4.2.6 derived code
Or, new but under heavy development: NTPsec : https://www.ntpsec.org/
It is a fork of classic NTPD, but was not vulnerable to most of the
recent NTPD CVEs.
Yeah, there are some issues here in how the NTP community has implemented
solutions without discussing with each other through the community splits.
The NTPWG at IETF has been in a bit of stasis for years now because the
various aspects of how it works, and those who present sometimes don’t
output in the most organized fashion requiring a lot of effort on the
There’s also a very narrow universe of people who actually care about the
implementations and details, with people like Majdi, Harlan and Miroslav
understanding the needs more than I’ve seen anyone from the ntpsec/cisco
funded side grasp the nuances of.
As a general statement, we are well served by having diverse and robust
implementations, but as we’ve seen in the (mostly) router space that NANOG
community cares about.. there are far more BGP implementations than NTP.
This isn’t good if the community wants to move to a model of certificate based
routing and the dependent infrastructure is weak.
I would suggest moving parts of this discussion to either the NTP Pool or the
NTPWG mailing lists.
More information about the NANOG