On 2010-11-10, Harry <[email protected]> wrote:

> 1. What, then, would be the next best way (MD5-based symmetric key
> mode?) to syncing up a behind-NAT NTP client from an external NTP
> server in a tamper-proof manner? I'm not competent/powerful enough to
> advise the powers what be in my organization to have an Autokey NTP
> client outside our NAT/Firewall; most likely, I'll be told to continue
> to operate from behind the NAT/Firewall.

Which associations are you attempting to "secure"? LAN client to LAN server? LAN server to remote time server?

> 2. What physical/network setup should Autokey-desiring NTP clients
> follow? Is it OK, e.g., to have an Autokey client host (AkH)

To keep your terminology consistent with the documentation: s/Autokey client host/Trust Group Server/

> outside one's NAT network and have all the hosts inside the NAT
> network use AkH as an NTP server?

An NTP Trust Group using AutoKey cannot span NAT. So your local NTP server has to have an interface "inside" the NAT if the Trust Group is your NTP server and LAN clients. Your local NTP server must have an interface outside the NAT if the Trust Group is your NTP server and a remote time server.

Here are Dr. Mills' PowerPoint slides describing the NTP Security Model:
http://www.ece.udel.edu/~mills/database/brief/autokey/autokey.ppt

--
Steve Kostecke <[email protected]>
NTP Public Services Project - http://support.ntp.org/
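As an added illustration of the topology described in this reply (not part of the original message and not taken from the ntp.org project's documentation), here is a hypothetical pair of ntp.conf fragments for the case where the Trust Group is the LAN server plus its LAN clients, all inside the NAT, while the server's own upstream association uses symmetric-key (MD5) authentication as question 1 proposes. All addresses, key ids and the password are placeholder assumptions.

```conf
# --- LAN NTP server (inside the NAT), hypothetical /etc/ntp.conf ---
# Upstream association to the external time server: symmetric-key MD5.
# The external server must hold the same key id and secret in its own
# keys file; this secret never needs to reach the LAN clients.
keys /etc/ntp.keys            # one key per line: "<id> M <secret>" (M = MD5)
trustedkey 1
server 192.0.2.10 key 1       # placeholder address of the external server

# Autokey Trust Group with the LAN clients: this host is the Trust Group
# Server, and its interface and every client sit inside the NAT, so the
# group does not cross the NAT boundary.
crypto pw EXAMPLE_PASSWORD    # placeholder; protects the local Autokey files
# Assumes the host keys and certificate were already created with
# ntp-keygen on this server and the group's public material was copied
# to the clients.

# --- LAN client (inside the NAT), hypothetical /etc/ntp.conf ---
crypto pw EXAMPLE_PASSWORD    # placeholder; same role as on the server
server 10.0.0.5 autokey       # placeholder address of the LAN server
```

The upstream and downstream associations are protected separately: tampering with the external path is caught by the MD5 key check, and tampering inside the LAN by the Autokey group, without either mechanism having to span the NAT.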
