[99340] in North American Network Operators' Group
Re: Question on Loosely Synchronized Router Clocks
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Sep 18 14:11:34 2007
Date: Tue, 18 Sep 2007 14:10:34 -0400
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Bora Akyol <bora.akyol@aprius.com>, Xin Liu <smilerliu@gmail.com>,
nanog@merit.edu
In-Reply-To: <20796.1190137915@turing-police.cc.vt.edu>
Errors-To: owner-nanog@merit.edu

On Tue, 18 Sep 2007 13:51:55 -0400
Valdis.Kletnieks@vt.edu wrote:
> On Tue, 18 Sep 2007 09:27:32 PDT, Bora Akyol said:
> >
> > It is not dependent on time. You'd like a protocol to be self
> > sufficient if at all possible.
> >
> > Moving the vulnerability of one protocol to another is not highly
> > desirable in general.
>
> The interesting failure mode is, of course, what happens when you're
> not in time sync, so the routing protocol falls over - and due to the
> lack of routing table entries, you become unable to reach your
> timesource.

I've been talking with Xin offline, and raised that exact point. That
said, in some security contexts there's little choice: you have to have
some way to assure that a message is fresh. There are other choices in
some environments, such as monotonically increasing counters and
challenge/response protocols; depending on other decisions and the
particular context, these may be worse or not even possible. For
example, if someone several hops away from the origination needs to
examine a signed *object*, a timestamp is probably better than a
counter, and challenge/response isn't even possible. That doesn't make
timestamps good -- and they do have many disadvantages -- but they may
be the only choice.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
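
The freshness trade-off discussed in this message, as an added example that is not part of the original post: a timestamp check and a counter check are run over the same signed object. HMAC with a shared demo key stands in for the originator's signature, and all names, the 300-second skew window and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the originator's signature
MAX_SKEW = 300                 # assumption: accepted clock skew, in seconds

def sign(origin, payload, ts, ctr):
    """Originator side: bind payload, timestamp and counter under one tag."""
    body = json.dumps({"origin": origin, "payload": payload, "ts": ts, "ctr": ctr},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def open_object(obj):
    """Return the signed fields, or None if the tag does not verify."""
    expected = hmac.new(KEY, obj["body"], hashlib.sha256).hexdigest()
    return json.loads(obj["body"]) if hmac.compare_digest(expected, obj["tag"]) else None

def fresh_by_timestamp(obj, local_clock):
    """Stateless check: usable by any hop, but only as good as local_clock."""
    fields = open_object(obj)
    if fields is None:
        return "bad-signature"
    return "ok" if abs(local_clock - fields["ts"]) <= MAX_SKEW else "stale"

class CounterVerifier:
    """Stateful check: needs the last counter seen from each originator."""
    def __init__(self):
        self.last = {}
    def check(self, obj):
        fields = open_object(obj)
        if fields is None:
            return "bad-signature"
        if fields["ctr"] <= self.last.get(fields["origin"], -1):
            return "replay"
        self.last[fields["origin"]] = fields["ctr"]
        return "ok"

def demo():
    obj = sign("rtr-a", "announce 192.0.2.0/24", ts=1_000_000, ctr=7)  # constructed sample
    neighbor, distant = CounterVerifier(), CounterVerifier()
    return {
        "ts_in_sync": fresh_by_timestamp(obj, 1_000_030),
        "ts_replayed_later": fresh_by_timestamp(obj, 1_003_600),
        "ts_verifier_clock_off": fresh_by_timestamp(obj, 1_000_030 - 3600),
        "ctr_first": neighbor.check(obj),
        "ctr_replay_to_neighbor": neighbor.check(obj),
        "ctr_replay_to_distant": distant.check(obj),
    }
```

In `demo()`, the third case is a valid object rejected because the verifier's own clock is an hour off, and the last case is a replay accepted by a verifier that holds no counter state for the originator.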