"Danny Mayer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> David Schwartz wrote:
>> "Danny Mayer" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>> No it is not a flaw in the protocol design. It would be if it were put
>>> in. The address doesn't belong there, it belongs in the IP header which
>>> the receiving server always gets.
>> It is a flaw. Its absence requires the receiver to assume that the
>> origin address of the UDP packet received is the IP address of the
>> sending server. This assumption may or may not be correct. But if the
>> address were in there, the assumption would not be needed.
> Absolutely not. That would be a layering violation.

What would be a layering violation? Assuming that the source address of a
UDP packet is the address of the machine that sent it?

> Verification is done through key exchange and the MAC section in the NTP
> packet.

That's nice but has nothing to do with how you tell whether two packets with
different source UDP addresses came from the same server or not.

Consider a simple case. We have a simple server that is not using
authentication. It's on a LAN where a lot of machines have both public and
private IP addresses. We recognize our local and internal LANs by their IP
range and don't need to authenticate because spoof protection is done at the
boundaries. We are talking to both 192.168.32.23 and 216.105.54.22, the
question is, are they the same machine or not?

DS

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
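The two points argued above, that the NTP header carries no sender address and that the MAC section is what ties a packet to a server, can be shown concretely. The following is an added example, not code from either poster or from the NTP project: it parses the 48-byte NTP header (every field is listed, and none is an address), then appends and verifies a symmetric-key MAC in the MD5-over-key-and-header form that ntpd's symmetric keys use (the exact layout, key ID followed by a 16-byte digest computed over the key bytes and the header, is taken here as an assumption). The datagrams, addresses and key are constructed for the example; the two source addresses from the thread authenticate under the same key, while a datagram with no MAC or a MAC under an unknown key does not, which is the only basis on which the receiver can group them as "the same server" without trusting the IP header.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NTP_HEADER_LEN = 48          # fixed header, RFC 5905 figure 8
MAC_LEN = 4 + 16             # key identifier + MD5 digest (assumed layout)


@dataclass
class NtpHeader:
    """Every field of the NTP header. Note that no source or sender address exists here;
    the only addressing the receiver ever sees is in the IP header below it."""
    leap: int
    version: int
    mode: int
    stratum: int
    poll: int
    precision: int
    root_delay: int
    root_dispersion: int
    refid: bytes
    ref_ts: int
    orig_ts: int
    recv_ts: int
    xmit_ts: int


def parse_header(pkt: bytes) -> NtpHeader:
    """Decode the 48-byte header; extra trailing bytes (a MAC) are ignored here."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    refid = pkt[12:16]
    ref_ts, orig_ts, recv_ts, xmit_ts = struct.unpack("!QQQQ", pkt[16:48])
    return NtpHeader(li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7,
                     stratum, poll, precision, root_delay, root_disp, refid,
                     ref_ts, orig_ts, recv_ts, xmit_ts)


def build_header(stratum: int, refid: bytes, xmit_ts: int,
                 version: int = 4, mode: int = 4) -> bytes:
    """Build a minimal server-mode header (constructed values, not a live reply)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    refid = refid.ljust(4, b"\x00")[:4]
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
            + struct.pack("!II", 0, 0)
            + refid
            + struct.pack("!QQQQ", xmit_ts, 0, xmit_ts, xmit_ts))


def mac_digest(key: bytes, header: bytes) -> bytes:
    # Assumed MAC construction: MD5 over the raw key bytes followed by the header.
    return hashlib.md5(key + header).digest()


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    return header + struct.pack("!I", key_id) + mac_digest(key, header)


def verified_key_id(pkt: bytes, keys: Dict[int, bytes]) -> Optional[int]:
    """Return the key ID that authenticates this packet, or None if it has no MAC,
    names a key we do not hold, or carries a digest that does not match."""
    if len(pkt) != NTP_HEADER_LEN + MAC_LEN:
        return None
    header, key_id = pkt[:NTP_HEADER_LEN], struct.unpack("!I", pkt[48:52])[0]
    key = keys.get(key_id)
    if key is None:
        return None
    # Constant-time compare so verification time leaks nothing about the digest.
    return key_id if hmac.compare_digest(mac_digest(key, header), pkt[52:68]) else None


def group_by_verified_key(datagrams: List[Tuple[str, bytes]],
                          keys: Dict[int, bytes]) -> Dict[Optional[int], List[str]]:
    """Group received datagrams by the key that authenticated them. The source IP is
    carried along only as a label; it plays no part in deciding which group a packet
    belongs to, which is the point the MAC makes that the IP header cannot."""
    groups: Dict[Optional[int], List[str]] = {}
    for src_ip, pkt in datagrams:
        groups.setdefault(verified_key_id(pkt, keys), []).append(src_ip)
    return groups


# Constructed sample data (not real keys or captured traffic).
SHARED_KEYS = {1: b"constructed-demo-key"}
HDR = build_header(stratum=1, refid=b"GPS", xmit_ts=0xE8D4A51000000000)
SAMPLE_DATAGRAMS = [
    ("192.168.32.23", append_mac(HDR, 1, SHARED_KEYS[1])),  # private-side address
    ("216.105.54.22", append_mac(HDR, 1, SHARED_KEYS[1])),  # public-side address
    ("10.0.0.9", HDR),                                      # no MAC at all
    ("10.0.0.10", append_mac(HDR, 1, b"some-other-key")),   # digest under a key we lack
]

if __name__ == "__main__":
    print(parse_header(HDR))
    print(group_by_verified_key(SAMPLE_DATAGRAMS, SHARED_KEYS))
```

Both keyed datagrams land in the group for key 1 even though their IP headers differ, and the two unkeyed ones land under `None`; a receiver that is not using authentication, as in the scenario in the post, has nothing but the IP header to go on and therefore cannot make this distinction.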
