Hi, Harry--

On Nov 12, 2010, at 8:18 AM, Harry wrote:
> What I haven't been able to figure out is...
> 1. How/Where to locate a public/remote NTP server that supports MD5
> authentication?

http://support.ntp.org/bin/view/Servers/WebSearch?search=MD5&scope=all&web=Servers

...suggests:

http://support.ntp.org/bin/view/Servers/TimexCsColumbiaEdu
http://support.ntp.org/bin/view/Servers/SeskuPlaneacionNet

You could also ask your ISP.

> 2. How would the administrator of this NTP server (a human)
> distribute the keys to me: Via email? Via Phone/Fax?

You'd probably have to contact the NTP admin and coordinate a method.

> 3. Having received the keys even by secure means such as email/phone/
> fax, what is stopping me from going rogue later... say, by using the
> key values of the authentic server and distributing wrong time? (I
> won't of course actually go rogue, just trying to understand.)

The effect would be similar to any falseticker, whether deliberately serving rogue time or by accident. By configuring 4 (or more) NTP servers, http://en.wikipedia.org/wiki/Marzullo%27s_algorithm allows you to reliably discard 1 (or more) falsetickers.

In point of fact, the NTP pool project uses a scoring mechanism to track the time offsets of servers in the NTP pool, and will drop servers if their clocks drift out of sync with real time.

> Can somebody please explain this in plain English?

Sure. Almost nobody bothers implementing autokey or MD5 security for NTP because (a) ntpd is quite good at discarding bad timeservers, (b) people running NTP timeservers tend to implement monitoring to alert them if a server is messing up-- perhaps by participating in the NTP pool, or using Nagios or some similar monitoring, and finally (c) people who really care about NTP set up a stratum-0 timesource like a GPS receiver, WWV/WWVB radio clock receiver, or even rubidium/cesium atomic clocks.

Regards,
--
-Chuck
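An added illustration of the falseticker point in the message above, not part of the original post and not ntpd's own selection code: Marzullo's algorithm run over constructed offset measurements, showing one rogue source being outvoted among four and the loss of a majority when only two sources are configured. The hostnames, offsets and error bounds are hypothetical.

```python
# Marzullo's algorithm over constructed sample data (not from the original message).

def marzullo(intervals):
    """Return (count, lo, hi): the interval contained in the most source intervals."""
    if not intervals:
        raise ValueError("need at least one source interval")
    edges = []
    for lo, hi in intervals:
        if lo > hi:
            raise ValueError("interval bounds reversed")
        edges.append((lo, -1))   # -1 marks an interval start
        edges.append((hi, +1))   # +1 marks an interval end
    edges.sort()                 # at equal offsets, starts sort before ends
    best = count = 0
    best_lo = best_hi = None
    for i, (offset, kind) in enumerate(edges):
        count -= kind            # entering a start raises the overlap count
        if count > best:
            best, best_lo, best_hi = count, offset, edges[i + 1][0]
    return best, best_lo, best_hi


def select(sources):
    """sources maps name -> (offset_ms, error_bound_ms) as measured by the client."""
    spans = {n: (off - err, off + err) for n, (off, err) in sources.items()}
    agree, lo, hi = marzullo(list(spans.values()))
    outliers = sorted(n for n, (a, b) in spans.items() if b < lo or a > hi)
    return {
        "agree": agree,
        "interval": (lo, hi),
        "falsetickers": outliers,
        "majority": agree > len(sources) / 2,  # only a majority can outvote a liar
    }


# Constructed measurements; the hostnames are hypothetical.
FOUR = {
    "a.example": (2, 5),        # covers [-3, 7]
    "b.example": (-1, 4),       # covers [-5, 3]
    "c.example": (3, 6),        # covers [-3, 9]
    "rogue.example": (250, 5),  # covers [245, 255]
}
TWO = {k: FOUR[k] for k in ("a.example", "rogue.example")}

if __name__ == "__main__":
    print(select(FOUR))
    print(select(TWO))
```

With two sources the algorithm still returns an interval, but `majority` is false: the client has no basis for deciding which of the two is the falseticker.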
