[109051] in North American Network Operators' Group
Re: NTP Md5 or AutoKey?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Nov 4 01:52:18 2008
To: Paul Ferguson <fergdawgster@gmail.com>
In-Reply-To: Your message of "Mon, 03 Nov 2008 22:23:07 PST."
<6cd462c00811032223m701e736i89684f8aceeba62@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 04 Nov 2008 01:52:05 -0500
Cc: nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
--==_Exmh_1225781525_3531P
Content-Type: text/plain; charset=us-ascii
On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
> I'm just wondering -- in globak scheme of security issue, is NTP
> security a major issue?
The biggest problem is that you pretty much have to spoof a server that
the client is already configured to be accepting NTP packets from. And *then* you have to
remember that your packets can only lie about the time by a very small number
of milliseconds or they get tossed out by the NTP packet filter that measures
the apparent jitter. Remember, the *real* clock is also sending correct
updates. At *best*, you lie like hell, and get the clock thrown out as
an "insane" timesource. But at that point, a properly configured clock
will go on autopilot till a quorum of sane clocks reappears, so you don't
have much chance of wedging in a huge time slew (unless you *really* hit
the jackpot, and the client reboots and does an ntpdate and you manage to
cram in enough false packets to mis-set the clock then).
So in most cases, you can only push the clock around by milliseconds - and
that doesn't buy you very much room for a replay attack or similar, because
that's under the retransmit timeout for a lost packet. It isn't like you
can get away with replaying something from 5 minutes ago.
Now, if you wanted to be *dastardly*, you'd figure out where a site's
Stratum-1 server(s) have their GPS antennas, and you'd read the recent
research on spoofing GPS signals - at *that* point you'd have a good chance
of controlling the horizontal and vertical....
--==_Exmh_1225781525_3531P
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFJD/EVcC3lWbTT17ARAigwAKCZJC0YhFpjmFXnNDlkM53XM4LVmACgiG/X
rDcDEg25TbnWugB3XW3l4qU=
=fck1
-----END PGP SIGNATURE-----
--==_Exmh_1225781525_3531P--
