On 24/02/2014 13:52, Poul-Henning Kamp wrote:
> In message <530b2dee.3030...@rewt.org.uk>, Joe Holden writes:
>
>> The other point I should make here is that if you care that much about
>> time security you shouldn't be contacting ntp servers over 3rd party
>> networks anyway, at least not without some IP-level
>> encryption/authentication, or use a source that can't easily be used as
>> an attack surface, such as GPS/MSF etc.
>
> Please check how NTP is authenticated before giving bad advice,
> it's all in the RFC.

v3 or v4? It is an optional part of the spec in both cases and again
isn't required for 99% of people using ntpd as a client, which was the
entire point of this exercise in the first place. If the argument is
that X feature is missing then we may as well replace sendmail with exim
as it has even more features, for example.

But most importantly, explain how it was bad advice? There are
provisions for integrity checking (not authentication) and autokey. My
point was that if you need to authenticate ntp to avoid mitm-style
attacks then perhaps the setup you have is wrong. If there is something
huge I have missed then feel free to correct me!
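The "provisions for integrity checking" the reply refers to are the symmetric-key MAC of RFC 5905 (Appendix A of the RFC; the same scheme ntpd's `keys`/`trustedkey` configuration uses). The following is an added example, not code from the thread or from ntpd: it builds an NTPv4 client request, appends an MD5 MAC computed as digest(key || packet) under a pre-shared key, and verifies it on receipt. The key table, key ID 7, the key bytes and the timestamps are constructed for the demo; real keys come from ntp-keygen and a real deployment may use SHA-1 instead of MD5. The check shows what the mechanism does and does not give you: a receiver holding the same key detects any modification of the packet in transit, but it only establishes "the sender knows key N", which is why the thread calls it integrity checking rather than authentication.

```python
"""Added example: RFC 5905 symmetric-key MAC on an NTPv4 client request.
Not part of the mailing-list thread; key table and values are constructed."""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

# Constructed demo key table in the shape of ntp.keys: id -> (type, key bytes).
# A real key file is produced by ntp-keygen; this value exists only for the demo.
KEYS = {
    7: ("MD5", b"demo-shared-secret-7"),
}

def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", whole & 0xFFFFFFFF, frac & 0xFFFFFFFF)

def build_client_request(transmit_time: float) -> bytes:
    """48-byte NTPv4 header: LI=0, VN=4, Mode=3 (client); only xmt is filled."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)  # stratum, poll, precision
    header += struct.pack("!II", 0, 0)                  # root delay, root dispersion
    header += b"\x00" * 4                               # reference ID
    header += b"\x00" * 8 * 3                           # reference, origin, receive timestamps
    header += ntp_timestamp(transmit_time)              # transmit timestamp
    return header

def append_mac(packet: bytes, key_id: int) -> bytes:
    """RFC 5905 MAC: 4-byte key identifier followed by MD5(key || packet)."""
    _, key = KEYS[key_id]
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def verify_mac(packet_with_mac: bytes) -> bool:
    """Split off the 20-byte MD5 MAC and recompute it with the shared key.

    Returns False for a truncated packet, an unknown key ID (ntpd would not
    have it in 'trustedkey'), or a digest that does not match.
    """
    if len(packet_with_mac) < 48 + 20:
        return False
    body, mac = packet_with_mac[:-20], packet_with_mac[-20:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return False
    _, key = KEYS[key_id]
    expected = hashlib.md5(key + body).digest()
    return hmac.compare_digest(expected, mac[4:])  # constant-time comparison

def demo() -> dict:
    """Sign one request, then check an intact copy and a copy altered in transit."""
    request = append_mac(build_client_request(time.time()), 7)
    tampered = bytearray(request)
    tampered[40] ^= 0x01  # flip one bit inside the transmit timestamp
    return {"intact": verify_mac(request), "tampered": verify_mac(bytes(tampered))}

if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'intact': True, 'tampered': False}`: the altered packet is rejected even though the attacker left the key ID in place, because the digest was computed over the key the attacker does not hold. What the check cannot tell you is which peer sent the packet, only that it was someone holding key 7; binding a key to one server (via `server ... key 7` and `trustedkey 7` in ntp.conf) is what turns that into a usable server check.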
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"