Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)

On 24/02/2014 13:52, Poul-Henning Kamp wrote:
> In message <530B2DEE.3030808@rewt.org.uk>, Joe Holden writes:
>
>> The other point I should make here is that if you care that much about
>> time security you shouldn't be contacting ntp servers over 3rd party
>> networks anyway, at least not without some IP-level
>> encryption/authentication, or use a source that can't easily be used as
>> an attack surface, such as GPS/MSF etc.
>
> Please check how NTP is authenticated before giving bad advice,
> it's all in the RFC.
>
v3 or v4? It is an optional part of the spec in both cases and again 
isn't required for 99% of people using ntpd as a client, which was the 
entire point of this exercise in the first place.  If the argument is 
that X feature is missing then we may as well replace sendmail with exim 
as it has even more features, for example.

But most importantly, explain how it was bad advice?  There are 
provisions for integrity checking (not authentication) and autokey.  My 
point was that if you need to authenticate ntp to avoid mitm-style 
attacks then perhaps the setup you have is wrong.  If there is something 
huge I have missed then feel free to correct me!
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"