North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NTP Md5 or AutoKey?

  • From: Nathan Ward
  • Date: Tue Nov 04 01:31:47 2008
On 4/11/2008, at 7:23 PM, Paul Ferguson wrote:

On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <[email protected]> wrote:

Hi,

I was wondering what most folks use for NTP security?

Do they use the low cost, light weight symmetric key cryptographic
protection method using MD5 or do folks go in for full digital
signatures and X.509 certificates (AutoKey Security)?


I'm just wondering -- in globak scheme of security issue, is NTP
security a major issue?

Just curious.


Out of sync time was a big deal in James Bond 18 (Tomorrow Never Dies).

Anyway, pushing time out of sync seems an interesting way to break services that require stuff to be synced up. Kerberos is one such example.

Push a KDC out of sync from it's clients, and auth wouldn't happen anymore. Seems like a simple way to kick router admins out of their equipment if you're causing trouble, or at least, slow them down.

Of course, this only really works if your network has 3 reliable +secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp \.org would class as reliable+secure if you're concerned about NTP security.

--
Nathan Ward