[109122] in North American Network Operators' Group
RE: NTP Md5 or AutoKey?
daemon@ATHENA.MIT.EDU (Deepak Jain)
Wed Nov 5 16:20:52 2008
From: Deepak Jain <deepak@ai.net>
To: Nathan Ward <nanog@daork.net>, north American Noise and Off-topic Gripes
<nanog@merit.edu>
Date: Wed, 5 Nov 2008 16:20:24 -0500
In-Reply-To: <ED736B98-9B9F-42CD-B3C3-807C2735B30E@daork.net>
Errors-To: nanog-bounces@nanog.org
> Of course, this only really works if your network has 3 reliable+secure
> time sources + 1 for redundancy. I'm not sure that .*pool\.ntp\.org would
> class as reliable+secure if you're concerned about NTP security.
It's important to recognize that "secure" NTP has nothing to do with real
world time, and everything to do with all your secure systems being on
*the same* time, whatever that is. It really doesn't matter (much) if your
secure NTP cluster gets its time from an inconsistent source [provided it won't
allow changes of too great a magnitude at a time] but as long as they are all
on the *same* time, you can maintain your security.
From an SP's point of view, security is very odd. It doesn't matter how well your
"internal" systems are if you are sending mail with the wrong time (say some
future date) and MTAs at your customers are rejecting them.
Deepak
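The two rules Deepak describes, a host refusing any single clock correction that is too large, and the cluster of secure hosts needing only to agree with each other rather than with "real" time, can be modelled in a few lines. The following Python is an added example for this archive page, not code from the thread or from any NTP implementation; the host names, offsets and policy limits are constructed, and the peer filter is a simplified median check standing in for ntpd's real selection and clustering algorithms. The panic threshold (1000 s) and step threshold (128 ms) are ntpd's documented defaults, used here only as illustrative limits.

```python
import statistics
from dataclasses import dataclass
from typing import Iterable, List

# Assumed limits for this model: ntpd's default panic threshold is 1000 s
# and its default step threshold is 128 ms. Adjust for your own policy.
PANIC_THRESHOLD_S = 1000.0
AGREEMENT_TOLERANCE_S = 0.128


@dataclass(frozen=True)
class Peer:
    """A time source and the offset it reports relative to our local clock
    (positive means the source is ahead of us)."""
    name: str
    offset_s: float


def accept_step(offset_s: float, limit_s: float = PANIC_THRESHOLD_S) -> bool:
    """Rule 1: refuse any single correction larger than the configured limit,
    so an inconsistent or wrong source cannot move the clock by an arbitrary
    amount in one step."""
    return abs(offset_s) <= limit_s


def consistent_peers(peers: Iterable[Peer],
                     tolerance_s: float = AGREEMENT_TOLERANCE_S) -> List[Peer]:
    """Keep only the sources that agree with the median offset within
    tolerance. This is a simplified majority filter, not ntpd's selection
    and clustering algorithms."""
    peers = list(peers)
    if not peers:
        return []
    median = statistics.median(p.offset_s for p in peers)
    return [p for p in peers if abs(p.offset_s - median) <= tolerance_s]


def cluster_in_sync(peers: Iterable[Peer],
                    tolerance_s: float = AGREEMENT_TOLERANCE_S) -> bool:
    """Rule 2: what security cross-checks need is that the hosts agree with
    *each other*. True when every offset lies within tolerance of the others,
    regardless of how far the whole group is from real world time."""
    offsets = [p.offset_s for p in peers]
    return bool(offsets) and (max(offsets) - min(offsets)) <= tolerance_s


def date_header_acceptable(msg_epoch: float, now_epoch: float,
                           max_future_s: float = 3600.0) -> bool:
    """The MTA consequence from the message: a mail dated further in the
    future than max_future_s (an assumed policy value) would be rejected
    by a receiver whose clock is right."""
    return msg_epoch - now_epoch <= max_future_s


# Constructed sample: three internal sources agree with each other, one
# pool server disagrees with all of them, and our own clock is 5000 s
# behind the internal cluster.
SAMPLE_PEERS = [
    Peer("ntp1.internal.example", 5000.010),
    Peer("ntp2.internal.example", 4999.990),
    Peer("ntp3.internal.example", 5000.050),
    Peer("x.pool.example", 0.0),
]

if __name__ == "__main__":
    good = consistent_peers(SAMPLE_PEERS)
    print("sources in agreement:", [p.name for p in good])
    print("cluster consistent  :", cluster_in_sync(good))
    print("single step allowed :",
          accept_step(statistics.median(p.offset_s for p in good)))
```

Run as a script, the sample shows the point of the message: the three internal sources form a consistent cluster, the divergent pool server is dropped, yet the 5000 s correction they imply is refused as a single step, so a host that fell that far behind must be corrected deliberately rather than by one automatic jump.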