David Schwartz wrote:

> "Danny Mayer" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>> David Schwartz wrote:
>>
>>> "Danny Mayer" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]
>>>
>>>> No it is not a flaw in the protocol design. It would be if it were put
>>>> in. The address doesn't belong there, it belongs in the IP header which
>>>> the receiving server always gets.
>>>
>>> It is a flaw. Its absence requires the receiver to assume that the
>>> origin address of the UDP packet received is the IP address of the sending
>>> server. This assumption may or may not be correct. But if the address were
>>> in there, the assumption would not be needed.
>>
>> Absolutely not. That would be a layering violation.
>
> What would be a layering violation? Assuming that the source address of
> a UDP packet is the address of the machine that sent it?

No, adding the source address to the NTP packet.

>> Verification is done through key exchange and the MAC section in the
>> NTP packet.
>
> That's nice but has nothing to do with how you tell whether two packets
> with different source UDP addresses came from the same server or not.
>
> Consider a simple case. We have a simple server that is not using
> authentication. It's on a LAN where a lot of machines have both public and
> private IP addresses. We recognize our local and internal LANs by their IP
> range and don't need to authenticate because spoof protection is done at the
> boundaries. We are talking to both 192.168.32.23 and 216.105.54.22, the
> question is, are they the same machine or not?

You cannot tell from the outside, nor should you usually care. However, with all the stateful firewalls now in place, if the response to a packet request gets sent from a different address than the address to which the packet was originally sent, the firewall will drop it as unmatched to the address and the requestor will never receive a response.

Danny

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
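The firewall behaviour Danny describes can be modelled in a few lines. The following is an added illustration, not code from the thread or from the NTP project: a toy stateful firewall that records the 4-tuple of each outbound UDP request and admits an inbound packet only if it is the exact reverse of a recorded request. The inside network 192.168.32.0/24 and the server address 216.105.54.22 are taken from the message; the client address 192.168.32.5, the client port 40000 and the alternate server address 216.105.54.23 are constructed for the example. Entry timeouts, ICMP handling and the other details of a real connection tracker are left out.

```python
import ipaddress
from collections import namedtuple

# Constructed model of a stateful firewall's UDP connection table.
Packet = namedtuple("Packet", "src sport dst dport")


class StatefulUdpFirewall:
    """Admit an inbound UDP packet only when it is the reverse of a request
    an inside host sent earlier, matched on the full 4-tuple."""

    def __init__(self, inside_net):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.expected = set()   # 4-tuples (src, sport, dst, dport) of replies we expect
        self.decisions = []     # audit trail of (direction, packet, verdict)

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside_net

    def outbound(self, pkt):
        """An inside host sends a request; remember the reply we expect."""
        if not self._inside(pkt.src):
            self.decisions.append(("out", pkt, "DROP"))
            return False
        # The reply must come back from the address and port we sent to.
        self.expected.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        self.decisions.append(("out", pkt, "ACCEPT"))
        return True

    def inbound(self, pkt):
        """A packet arrives from outside; accept only on an exact match."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        verdict = "ACCEPT" if key in self.expected else "DROP"
        self.decisions.append(("in", pkt, verdict))
        return verdict == "ACCEPT"


def ntp_reply_scenario(reply_src):
    """Client 192.168.32.5 (constructed) queries NTP on UDP/123 at
    216.105.54.22; the server answers from reply_src. Returns True if the
    firewall lets the reply through to the client."""
    fw = StatefulUdpFirewall("192.168.32.0/24")
    request = Packet("192.168.32.5", 40000, "216.105.54.22", 123)
    fw.outbound(request)
    reply = Packet(reply_src, 123, "192.168.32.5", 40000)
    return fw.inbound(reply)


if __name__ == "__main__":
    # A multi-homed server that answers from the queried address gets through;
    # the same server answering from its other address is dropped.
    print("reply from queried address:", ntp_reply_scenario("216.105.54.22"))  # True
    print("reply from another address:", ntp_reply_scenario("216.105.54.23"))  # False
```

The second case is the one Danny warns about: the client never sees the reply, and nothing on the server side indicates a problem, so a multi-homed time server must answer from the interface the request arrived on.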
