Richard,

You may have misunderstood what the enable/disable auth does. It has nothing to do with the authentication method or lack of it. If the switch is enabled (enable auth), then associations cannot be mobilized unless authentication parameters have been configured and the symmetric active or broadcast client is correctly authenticated. If it is disabled (disable auth), then mobilization is allowed without requiring authentication. This is very bad and apparently led to what evidently is a memory clogging attack.

All users: Don't put "disable auth" in your configuration file unless you understand the resulting vulnerability and your network cannot be connected to the public Internet under any circumstances. Also, make sure that Linux, FreeBSD and others do not provide NTP software with that switch disabled. Explicit statements on the interplay between the various options are at line 516 et seq in the ntp_proto.c file in the current distribution.

Dave

Richard B. Gilbert wrote:
> David L. Mills wrote:
>
>> Dennis,
>>
>> I checked and rechecked, both in the current code and by actual
>> experiment. Authentication is enabled by default and associations
>> cannot be mobilized unless cryptographically authenticated. If no
>> authentication parameters have been configured, then mobilization is
>> not possible at all. This is the case in the software that leaves here
>> (ntp.org), which is why I insist the "official" distribution comes
>> directly from here and is not staged anywhere else.
>
> David,
>
> Something is very wrong here else I fail completely to understand what
> you just said! I have never used authentication yet I have managed to
> operate a stratum 1 server with a GPS reference clock, and five
> upstream internet servers. I have peered this server with another
> stratum 1 server I operate using a Traconex WWV receiver as a reference.
> I never bothered with authentication. I have had no problem mobilizing
> a symmetric association (peer) nor the normal client server associations
> with my internet servers. I have not disabled authentication but I have
> never configured it between any of my local systems or between my local
> systems and my upstream servers.

_______________________________________________
questions mailing list
https://lists.ntp.isc.org/mailman/listinfo/questions
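An added example, not part of the thread or of the ntp distribution: a small audit of an ntp.conf for the posture Dave describes, with the weak "disable auth" setting beside a hardened configuration. The two config texts are constructed for illustration; the checks follow the post (the last enable/disable auth directive wins, auth is on by default, and with auth enabled a symmetric peer needs configured key material to be mobilized).

```python
# Constructed sample ntp.conf fragments (assumed, not from the post).
WEAK_CONF = """\
# constructed example: weak
driftfile /var/lib/ntp/ntp.drift
disable auth
server 192.0.2.10 iburst
peer 192.0.2.11
"""

HARDENED_CONF = """\
# constructed example: hardened
driftfile /var/lib/ntp/ntp.drift
enable auth
keys /etc/ntp.keys
trustedkey 1
peer 192.0.2.11 key 1
server 192.0.2.10 iburst
"""

def audit_ntp_conf(text):
    """Summarize the auth posture of an ntp.conf and list findings.

    auth_enabled follows the last 'enable'/'disable' line that names 'auth'
    (flags may be combined, e.g. 'disable auth monitor'); the default is
    True, as the post states for the ntp.org distribution.
    """
    auth_enabled = True
    keys_file = None
    trusted = set()
    unauth_peers = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        cmd, *args = line.split()
        if cmd in ('enable', 'disable') and 'auth' in args:
            auth_enabled = (cmd == 'enable')
        elif cmd == 'keys' and args:
            keys_file = args[0]
        elif cmd == 'trustedkey':
            trusted.update(args)
        elif cmd == 'peer' and args and 'key' not in args:
            unauth_peers.append(args[0])
    findings = []
    if not auth_enabled:
        findings.append('disable auth: associations can be mobilized '
                        'without authentication (memory clogging risk)')
    elif keys_file is None:
        findings.append('auth enabled but no keys file: symmetric active '
                        'and broadcast associations cannot be mobilized')
    if unauth_peers:
        findings.append('peer lines without a key: ' + ', '.join(unauth_peers))
    return {'auth_enabled': auth_enabled, 'keys_file': keys_file,
            'trustedkey': sorted(trusted), 'findings': findings}
```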
