On Mon, Jan 16, 2023 at 04:41:49AM +, akihiko.iz...@sony.com wrote:
> When chronyd failed the NTS-KE handshake (e.g. misconfiguration of a certificate),
> does chronyd fall back to plain NTP (or not)?
No, that would be a major security issue.
--
Miroslav Lichvar
),
does chronyd fall back to plain NTP (or not)?
(If it is true, I am afraid a dedicated NTS server/client may use plain NTP
unintentionally.)
Best Regards,
-Original Message-
From: Miroslav Lichvar
Sent: Wednesday, January 11, 2023 6:54 PM
To: chrony-users@chrony.tuxfamily.org
Subject: Re: [chrony
On Wed, Jan 11, 2023 at 02:31:11AM +, akihiko.iz...@sony.com wrote:
> Thank you for clarifying my question. I learned a lot.
>
> > it would not be sent as there is an additional check made before
> > transmission comparing the length of the request and response.
>
> What comparison is done
her question.
RFC8915 describes "8.7. NTS Stripping". Isn't it applicable to Chrony?
Best Regards,
-Original Message-
From: Miroslav Lichvar
Sent: Monday, January 9, 2023 9:42 PM
To: chrony-users@chrony.tuxfamily.org
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?
On Mon, Jan 09, 2023 at 12:15:23PM +, akihiko.iz...@sony.com wrote:
> > chrony does not implement any modes that could amplify NTP traffic
>
> Thank you.
> But I am afraid an NTP server is vulnerable to a spoofed source IP address of an NTP
> client, it may participate in DDoS attacks even though chrony
em.
Best Regards,
-Original Message-
From: Miroslav Lichvar
Sent: Monday, January 2, 2023 6:56 PM
To: chrony-users@chrony.tuxfamily.org
Subject: Re: [chrony-users] RE: Can we deny non-NTS client?
On Tue, Dec 20, 2022 at 11:14:04AM +, akihiko.iz...@sony.com wrote:
> I consider public NTS servers which serve to any NTP client.
> I am afraid NTS servers are abused for DDoS amplification.
chrony does not implement any modes that could amplify NTP traffic,
like the ntpd mode 6, mode 7, or