I think it is mostly "a solution in search of a problem".
When you really (need to) worry that someone in between you and the
network at large is
carefully modifying all time replies in such a way that your local clock
would be considerably
off time without you detecting it (e.g. because it makes a too rapid
change), it is probably better
to get a reference clock in a part of the network that you can trust.
E.g. local or via a VPN.
Have there been observed cases of people actually becoming victim to
such a MITM attack
and it being successful without the NTP client detecting that something
is wrong?
There are more urgent issues in the NTP protocol (especially for
non-cooperating users and
servers like in the NTP pool) to be solved. E.g. a reliable mechanism
for servers to tell
clients to go away and find another server, or to send them an
administrative message that
actually will reach an operator.
Furthermore, it is flawed to trust some information "just because it is
signed using a certificate"
especially when the owner of that certificate has not been carefully
validated. Why would you
trust me to send you correct time? The certificate does not guarantee
that the contacted
server actually serves correct time. So what does it bring? It is like
using a website certificate
to trust a webshop (in the sense that they will ship you the goods when
you sent them the money).
Especially in a volunteer server network like the NTP Pool, what value
does it have to distribute
trust in the pool members when you cannot tell who they even are?
(note that it is trivial to send correct time to all users except the
victim so the monitoring system
would not know you are doing this)
Not a very useful thing to spend time and effort on, IMHO.
Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
