Hello everyone,
for unauthenticated peers, there is the restrict nopeer directive that stops
unknown peers from initializing dynamic symmetric associations with an NTP server.
However, from my own tests in my lab (and from NTP documentation), it seems
that nopeer does not pertain to authenticated p
ber anyone ever asking about the peer option before.
Charles Elliott
-Original Message-
From: questions
[mailto:questions-bounces+elliott.ch=comcast@lists.ntp.org] On Behalf Of
Moser, Stefan
Sent: Monday, January 23, 2017 3:53 AM
To: questions@lists.ntp.org
Subject: [ntp:questions] Ca
On 2017-01-23 10:17, Charles Elliott wrote:
>> On Monday, January 23, 2017 3:53 AM, Moser, Stefan wrote:
>> for unauthenticated peers, there is the restrict nopeer directive
>> that stops unknown peers from initializing dynamic symmetric
>> associations with an NTP server. However, from my own tests in
Hello, thanks for your replies!
I think I have to explain the problem in more detail, perhaps with an example:
Let's say that I have a local NTP server, and lots of remote NTP clients
(running ntpd). All clients know my authentication key(s), so they can
successfully authenticate with my local
On Thu, Mar 09, 2017 at 03:16:57PM +, Moser, Stefan wrote:
> Now assume that one of the remote NTP clients turns bad, deliberately
> configures forged
> time, and enters "peer " in its ntp.conf. This
> (correct me
> if I'm wrong) creates a dynamic mobilization with my local NTP server, and m
On Thu, Mar 09, 2017 at 10:56:22AM -0500, Majdi S. Abbas wrote:
> On Thu, Mar 09, 2017 at 03:16:57PM +, Moser, Stefan wrote:
> > Now assume that one of the remote NTP clients turns bad, deliberately
> > configures forged
> > time, and enters "peer " in its ntp.conf. This
> > (correct me
> >
>
>
> Now assume that one of the remote NTP clients turns bad, deliberately
> configures forged time, and enters "peer " in its
> ntp.conf. This (correct me if I'm wrong) creates a dynamic mobilization with
> my local NTP server, and my local NTP server will eventually believe in the
> clien
On Thu, Mar 09, 2017 at 05:24:35PM +0100, Miroslav Lichvar wrote:
> Couldn't the malicious client create a larger number of ephemeral
> associations, using multiple IP addresses, in order to outvote good
> servers?
If it has a bunch of IP addresses, maybe... but you'd have to
be close enou
On Fri, Mar 10, 2017 at 02:34:51AM -0500, Majdi S. Abbas wrote:
> On Thu, Mar 09, 2017 at 05:24:35PM +0100, Miroslav Lichvar wrote:
> > Couldn't the malicious client create a larger number of ephemeral
> > associations, using multiple IP addresses, in order to outvote good
> > servers?
>
> I