Re: [chrony-dev] Idea: Leapsecond info via DNS

2016-09-19 Thread Miroslav Lichvar
On Sun, Sep 18, 2016 at 10:53:54AM +0200, Rune Magnussen wrote:
> On Fri, 16 Sep 2016 17:48:29 +0200
> Miroslav Lichvar wrote:
> > However, I'm not sure if this is the best approach for getting leap
> > second information. DNS is normally unsecure, so a MITM attacker could
> > inject a false leap second even if all NTP sources were
> > authenticated. 
> Is DNS worse than NTP-packets when it comes to MITM? 

If we compare authenticated NTP with unauthenticated DNS, then yes. If
both are unauthenticated, NTP still might be slightly better as the
attacker has to modify packets from a majority of the client's sources
instead of just one DNS server. Of course, if the attacker is close
to the client and can modify all its traffic, it doesn't matter.

> > I'd rather see chrony get support for reading leap seconds from the
> > "leap-seconds.list" file, which is distributed by multiple servers,
> > and recommend running "sleep $[RANDOM] && wget -O ... https://;
> > from cron every month or so.
> You would then have to make sure the checksums are downloaded from
> another mirror than the file and the best mirrors would depend on where
> you are. This seems almost as complicated as adding support for leap
> seconds via DNS.

I'm not sure I follow. Why would I need to download data from multiple
servers? Are you suggesting to not trust one server, but have a voting
mechanism with at least three different servers like NTP normally does?

-- 
Miroslav Lichvar

-- 
To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with "unsubscribe" 
in the subject.
For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in the 
subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.



Re: [chrony-dev] Idea: Leapsecond info via DNS

2016-09-19 Thread Rune Magnussen
On Mon, 19 Sep 2016 09:15:27 +0200
Miroslav Lichvar wrote:
> On Sun, Sep 18, 2016 at 10:53:54AM +0200, Rune Magnussen wrote:
> > On Fri, 16 Sep 2016 17:48:29 +0200
> > Miroslav Lichvar wrote:
[cut]
> 
> > > I'd rather see chrony get support for reading leap seconds
> > > from the "leap-seconds.list" file, which is distributed by
> > > multiple servers, and recommend running "sleep $[RANDOM] && wget
> > > -O ... https://; from cron every month or so.  
> > You would then have to make sure the checksums are downloaded from
> > another mirror than the file and the best mirrors would depend on
> > where you are. This seems almost as complicated as adding support
> > for leap seconds via DNS.  
> 
> I'm not sure I follow. Why would I need to download data from multiple
> servers? Are you suggesting to not trust one server, but have a voting
> mechanism with at least three different servers like NTP normally
> does?
I just meant that if you want to validate the downloaded file then you
should get the checksum from a different mirror. If the file is
compromised on one server then the checksum file might be too. In that
case there would be no detectable error. With two servers there would
be warnings if either the leap second file or the checksum file was
changed.

Anyway, I did not do enough research. Now I have found a place to
download the file, but there is not any obvious checksum file. Perhaps
you really have to download the entire file more than once to make
sure. Looks like most of my points are moot.

Regards Rune
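
The cross-mirror comparison discussed in this thread (fetch the file more than once and accept it only when independent copies agree), as an added example that is not part of either message or of chrony. It assumes the copies have already been downloaded to local files; the function names leap_digest and leap_vote are hypothetical.

```shell
#!/bin/sh
# Added example: strict-majority vote over copies of leap-seconds.list
# that were already fetched from different mirrors.

# Digest of the data lines only ("<NTP seconds> <TAI-UTC offset>"), so
# copies that differ in comments or whitespace alone still agree.
# Prints nothing when the copy has no data lines at all.
leap_digest() {
    data=$(grep -v '^#' "$1" | awk 'NF >= 2 { print $1, $2 }')
    [ -n "$data" ] || return 0
    printf '%s\n' "$data" | sha256sum | cut -d' ' -f1
}

# leap_vote FILE...
# Prints the path of one copy whose data is backed by a strict majority
# of all copies passed in. Returns 1 without output when there is none,
# 2 when fewer than three copies were given.
leap_vote() {
    total=$#
    [ "$total" -ge 3 ] || { echo "need at least 3 copies" >&2; return 2; }
    # Missing or empty copies cast no vote but still count in the total.
    top=$(for f in "$@"; do
              if [ -s "$f" ]; then leap_digest "$f"; fi
          done | sort | uniq -c | sort -rn | head -n1)
    count=$(echo "$top" | awk '{ print $1 }')
    digest=$(echo "$top" | awk '{ print $2 }')
    if [ -z "$count" ] || [ $((count * 2)) -le "$total" ]; then
        echo "no majority among $total copies" >&2
        return 1
    fi
    for f in "$@"; do
        if [ -s "$f" ] && [ "$(leap_digest "$f")" = "$digest" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
}
```

A cron job would install the printed copy only when leap_vote returns 0 and keep the previous file otherwise.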

