[pkg-ntp-maintainers] Bug#687166: ntp: NTP security vulnerability because not using authentication by default
Nico Golde
nion at debian.org
Mon Sep 10 16:18:42 UTC 2012
Hi,
* Ask Bjørn Hansen <ask at ntppool.org> [2012-09-10 18:03]:
> On Sep 10, 2012, at 8:13, Nico Golde <nion at debian.org> wrote:
> [Adding NTP authentication]
>
> We could setup a set of servers with authentication, but that'd be a much
> smaller list of servers (for better and worse). It wouldn't be like the
> current NTP Pool at all.
>
> Next would be to add DNSSEC to the DNS (which is non-trivial with the
> current zone and the current resources; at peaks the DNS servers get 20-30k
> qps and each response is different so you have to sign in "real-time".).
>
> If there's a need and resources, I could run a zone with DNSSEC and with
> autokey configured, but it'd not be possible in the "open source"/"everyone
> volunteers a resource or two" scheme.
Wouldn't it still make sense to have a zone configured with autokey even
without DNSSEC? Or is an active attacker bombarding the victim with faked NTP
responses without spoofed DNS not an issue at all, so all this matters *only*
if DNS is spoofed?
Kind regards
Nico
P.S: I'm all but an NTP expert :)
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ntp-maintainers/attachments/20120910/fd580c41/attachment.pgp>
More information about the pkg-ntp-maintainers
mailing list