Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 15:40, Poul-Henning Kamp wrote:
> In message <530b666a.1000...@rewt.org.uk>, Joe Holden writes:
>>> Please check how NTP is authenticated before giving bad advice,
>>> it's all in the RFC.
>>
>> v3 or v4? It is an optional part of the spec in both cases and again
>> isn't required for 99% of people using ntpd as a client, which was the
>> entire point of this exercise in the first place.
>
> Authentication of NTP is rapidly gaining focus these days, for obvious
> reasons, so I think adopting software now which doesn't support it would
> be needlessly shortsighted.
>
> 3 years ago I would have agreed with you, but not now.

Fair enough, that isn't the real problem we are facing, but rather than derail this thread even further I think it would be best to discuss that another day :)

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
In message <530b666a.1000...@rewt.org.uk>, Joe Holden writes:
>> Please check how NTP is authenticated before giving bad advice,
>> it's all in the RFC.
>>
> v3 or v4? It is an optional part of the spec in both cases and again
> isn't required for 99% of people using ntpd as a client, which was the
> entire point of this exercise in the first place.

Authentication of NTP is rapidly gaining focus these days, for obvious
reasons, so I think adopting software now which doesn't support it would
be needlessly shortsighted.

3 years ago I would have agreed with you, but not now.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org        | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 13:52, Poul-Henning Kamp wrote:
> In message <530b2dee.3030...@rewt.org.uk>, Joe Holden writes:
>> The other point I should make here is that if you care that much about
>> time security you shouldn't be contacting ntp servers over 3rd party
>> networks anyway, at least not without some IP-level
>> encryption/authentication, or use a source that can't easily be used as
>> an attack surface, such as GPS/MSF etc.
>
> Please check how NTP is authenticated before giving bad advice,
> it's all in the RFC.

v3 or v4? It is an optional part of the spec in both cases and again isn't required for 99% of people using ntpd as a client, which was the entire point of this exercise in the first place.

If the argument is that X feature is missing then we may as well replace sendmail with exim as it has even more features, for example.

But most importantly, explain how it was bad advice? There are provisions for integrity checking (not authentication) and autokey. My point was that if you need to authenticate ntp to avoid mitm-style attacks then perhaps the setup you have is wrong. If there is something huge I have missed then feel free to correct me!
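What the "provisions for integrity checking" debated above amount to on the wire, as an added example that is not code from this thread or from ntpd: a Python model of the RFC 5905 symmetric-key MAC (a 4-byte key ID followed by MD5 over the pre-shared key concatenated with the 48-byte header), with a verifier that rejects a tampered transmit timestamp and an unknown key ID. The key table and timestamp are constructed; the digest is a raw keyed hash as the RFC specifies, not HMAC.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48                     # NTPv4 header, RFC 5905 section 7.3
DIGEST_LEN = {"md5": 16, "sha1": 20}

# Constructed key table, in the spirit of an ntp.keys file: key ID -> secret.
KEYS = {1: b"constructed-shared-secret"}


def build_client_header(transmit_ts, version=4):
    """Minimal client-mode (mode 3) header; transmit_ts is a 64-bit NTP
    timestamp (seconds << 32 | fraction). Other fields are left zero."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    fixed = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)   # LI/VN/mode, stratum, poll, precision
    fixed += b"\x00" * 12                               # root delay, root dispersion, ref id
    return fixed + struct.pack("!QQQQ", 0, 0, 0, transmit_ts)


def append_mac(header, key_id, key, digest="md5"):
    """RFC 5905 Appendix A: MAC = key ID || digest(key || header)."""
    mac = hashlib.new(digest, key + header).digest()
    return header + struct.pack("!I", key_id) + mac


def verify_mac(packet, keys, digest="md5"):
    """Receiver-side check: wrong length, unknown key ID, or digest
    mismatch all fail closed. Assumes no extension fields are present."""
    if len(packet) != HEADER_LEN + 4 + DIGEST_LEN[digest]:
        return False
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.new(digest, key + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def demo():
    """Returns (genuine ok, tampered ok, unknown-key ok)."""
    req = append_mac(build_client_header(0x1234567800000000), 1, KEYS[1])
    # Flip one bit in the transmit timestamp (bytes 40..47): integrity fails.
    tampered = req[:40] + bytes([req[40] ^ 0x01]) + req[41:]
    # Same header signed under a key ID the receiver does not have.
    unknown = append_mac(build_client_header(0x1234567800000000), 9, b"other")
    return (verify_mac(req, KEYS), verify_mac(tampered, KEYS), verify_mac(unknown, KEYS))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check guards only against modification and origin spoofing by a party without the shared key; it does not hide the packet contents, which is the distinction between integrity checking and confidentiality being drawn in the thread.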
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
In message <530b2dee.3030...@rewt.org.uk>, Joe Holden writes:
> The other point I should make here is that if you care that much about
> time security you shouldn't be contacting ntp servers over 3rd party
> networks anyway, at least not without some IP-level
> encryption/authentication, or use a source that can't easily be used as
> an attack surface, such as GPS/MSF etc.

Please check how NTP is authenticated before giving bad advice,
it's all in the RFC.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
p...@freebsd.org        | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 11:26, Joe Holden wrote:
> On 24/02/2014 11:18, Ollivier Robert wrote:
>> According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +:
>>> hm, I can't say I have noticed this as being a problem where I've
>>> used it, are there any scenarios where this is a showstopper?
>>
>> Non-support for auth is a concern, lack of NTPv4 protocol support is
>> another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.
>
> I suspect if you can't be reasonably sure about the integrity of your
> network traffic you have other problems anyway... one can run ntpd -s
> to get a similar function to ntpdate/sntp.
>
> But again, for 99% of installs as a client, auth and/or ntpv4 doesn't
> matter and much like sendmail/dma, one can always install ntp.org from
> ports if they require authentication (I've never seen it used).

The other point I should make here is that if you care that much about time security you shouldn't be contacting ntp servers over 3rd party networks anyway, at least not without some IP-level encryption/authentication, or use a source that can't easily be used as an attack surface, such as GPS/MSF etc.
Re: ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
On 24/02/2014 11:18, Ollivier Robert wrote:
> According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +:
>> hm, I can't say I have noticed this as being a problem where I've
>> used it, are there any scenarios where this is a showstopper?
>
> Non-support for auth is a concern, lack of NTPv4 protocol support is
> another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.

I suspect if you can't be reasonably sure about the integrity of your network traffic you have other problems anyway... one can run ntpd -s to get a similar function to ntpdate/sntp.

But again, for 99% of installs as a client, auth and/or ntpv4 doesn't matter and much like sendmail/dma, one can always install ntp.org from ports if they require authentication (I've never seen it used).
ntpd replacement (Was: Re: Import of DragonFly Mail Agent)
According to Joe Holden on Mon, Feb 24, 2014 at 11:13:23AM +:
> hm, I can't say I have noticed this as being a problem where I've
> used it, are there any scenarios where this is a showstopper?

Non-support for auth is a concern, lack of NTPv4 protocol support is another. Base ntpd also includes SNTP which is a lightweight NTPv3 client.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- robe...@keltia.net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/