Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
Thanks,
Glen
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Date: Mon, 3 Nov 2008 22:23:07 -0800 From: "Paul Ferguson" <fergdawgster@gmail.com>
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
It's probably not a "major issue", but forged NTP data can, in theory, be used to allow the implementation of replay attacks. I'll admit I have never heard of a real-world case.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
So, can I safely assume that nobody deploys Autokey security for NTP and the best that one does right now is by using the cryptographic authentication provided in the base spec of NTPv4.
Cheers,
Glen
On Tue, Nov 4, 2008 at 11:59 AM, Kevin Oberman <oberman@es.net> wrote:
Date: Mon, 3 Nov 2008 22:23:07 -0800 From: "Paul Ferguson" <fergdawgster@gmail.com>
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
It's probably not a "major issue", but forged NTP data can, in theory, be used to allow the implementation of replay attacks. I'll admit I have never heard of a real-world case. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
On 4/11/2008, at 7:23 PM, Paul Ferguson wrote:
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
Out of sync time was a big deal in James Bond 18 (Tomorrow Never Dies).
Anyway, pushing time out of sync seems an interesting way to break services that require stuff to be synced up. Kerberos is one such example. Push a KDC out of sync from its clients, and auth wouldn't happen anymore. Seems like a simple way to kick router admins out of their equipment if you're causing trouble, or at least, slow them down.
Of course, this only really works if your network has 3 reliable+secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp\.org would class as reliable+secure if you're concerned about NTP security.
--
Nathan Ward
On Nov 4, 2008, at 2:30 PM, Nathan Ward wrote:
Anyway, pushing time out of sync seems an interesting way to break services that require stuff to be synced up. Kerberos is one such example.
The analytical/forensic fidelity of various forms of telemetry such as NetFlow, syslog, etc. is highly dependent upon an accurate time-hack, as well.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // +852.9133.2844 mobile
History is a great teacher, but it also lies with impunity.
-- John Robb
Of course, this only really works if your network has 3 reliable+secure time sources + 1 for redundancy. I'm not sure that .*pool\.ntp\.org would class as reliable+secure if you're concerned about NTP security.
It's important to recognize that "secure" NTP has nothing to do with real World time, and everything to do with all your secure systems being on *the same* time, whatever that is. It really doesn't matter (much) if your secure NTP cluster gets its time from an inconsistent source [provided it won't allow changes of too great a magnitude at a time] but as long as they are all on the *same* time, you can maintain your security.
From an SP's point-of-view, security is very odd. It doesn't matter how well your "internal" systems are if you are sending mail with the wrong time (say some future date) and MTAs at your customers are rejecting them.
Deepak
On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
The biggest problem is that you pretty much have to spoof a server that the client is already configured to be accepting NTP packets from. And *then* you have to remember that your packets can only lie about the time by a very small number of milliseconds or they get tossed out by the NTP packet filter that measures the apparent jitter. Remember, the *real* clock is also sending correct updates. At *best*, you lie like hell, and get the clock thrown out as an "insane" timesource. But at that point, a properly configured clock will go on autopilot till a quorum of sane clocks reappears, so you don't have much chance of wedging in a huge time slew (unless you *really* hit the jackpot, and the client reboots and does an ntpdate and you manage to cram in enough false packets to mis-set the clock then).
So in most cases, you can only push the clock around by milliseconds - and that doesn't buy you very much room for a replay attack or similar, because that's under the retransmit timeout for a lost packet. It isn't like you can get away with replaying something from 5 minutes ago.
Now, if you wanted to be *dastardly*, you'd figure out where a site's Stratum-1 server(s) have their GPS antennas, and you'd read the recent research on spoofing GPS signals - at *that* point you'd have a good chance of controlling the horizontal and vertical....
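Added example, not part of any message in this thread: a simplified interval-intersection check (in the style of Marzullo's algorithm, not ntpd's actual selection code) showing why a source whose time disagrees with the rest is discarded, and why nothing is trusted when no majority of sources agree. The function name and the sample measurements are constructed for illustration.

```python
def select_truechimers(sources):
    """sources maps name -> (offset_ms, max_error_ms).

    Returns (lo_ms, hi_ms, sorted_names) for the interval that a strict
    majority of sources agree on, or None when no such majority exists.
    """
    edges = []
    for name, (offset, err) in sources.items():
        edges.append((offset - err, 0))   # interval opens (0 sorts before 1)
        edges.append((offset + err, 1))   # interval closes
    edges.sort()

    best = depth = 0
    lo = hi = None
    for i, (t, kind) in enumerate(edges):
        if kind == 0:
            depth += 1
            if depth > best:              # deepest overlap seen so far
                best, lo, hi = depth, t, edges[i + 1][0]
        else:
            depth -= 1

    if best * 2 <= len(sources):          # no strict majority: trust nobody
        return None
    agree = sorted(name for name, (o, e) in sources.items()
                   if o - e <= lo and o + e >= hi)
    return lo, hi, agree


# Constructed measurements in milliseconds, not captured from a real client.
# Three sources agree to within their error bounds; one claims +5 minutes.
HONEST_PLUS_LIAR = {"a": (2, 10), "b": (-1, 8), "c": (4, 12),
                    "liar": (300000, 10)}
# Two sources against two: neither group is a majority.
SPLIT = {"a": (2, 10), "b": (-1, 8), "x": (300000, 10), "y": (300001, 10)}

if __name__ == "__main__":
    print(select_truechimers(HONEST_PLUS_LIAR))
    print(select_truechimers(SPLIT))
```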
I don't think this is correct. I have seen routing protocol adjacencies going down because of some perturbations in NTP. I understand, any router implementation worth its salt would not use the NTP clock internally, but I have seen some real life issues where OSPF went down because the time moved ahead and it thought that it hadn't heard from the neighbor since a long time. All such bugs were eventually fixed, but this is just one example.
There is an emerging need to distribute highly accurate time information over IP and over MPLS packet switched networks (PSNs). A variety of applications require time information to a precision which existing protocols cannot supply. TICTOC is an IETF WG created to develop solutions that meet the requirements of such protocols and applications.
Glen
On Tue, Nov 4, 2008 at 12:22 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
The biggest problem is that you pretty much have to spoof a server that the client is already configured to be accepting NTP packets from. And *then* you have to remember that your packets can only lie about the time by a very small number of milliseconds or they get tossed out by the NTP packet filter that measures the apparent jitter. Remember, the *real* clock is also sending correct updates. At *best*, you lie like hell, and get the clock thrown out as an "insane" timesource. But at that point, a properly configured clock will go on autopilot till a quorum of sane clocks reappears, so you don't have much chance of wedging in a huge time slew (unless you *really* hit the jackpot, and the client reboots and does an ntpdate and you manage to cram in enough false packets to mis-set the clock then).
So in most cases, you can only push the clock around by milliseconds - and that doesn't buy you very much room for a replay attack or similar, because that's under the retransmit timeout for a lost packet. It isn't like you can get away with replaying something from 5 minutes ago.
Now, if you wanted to be *dastardly*, you'd figure out where a site's Stratum-1 server(s) have their GPS antennas, and you'd read the recent research on spoofing GPS signals - at *that* point you'd have a good chance of controlling the horizontal and vertical....
There is an emerging need to distribute highly accurate time information over IP and over MPLS packet switched networks (PSNs).
good of you to ask. it exists today. http://ieee1588.nist.gov/
cheers,
lincoln.
On Tue, 4 Nov 2008, Lincoln Dale wrote:
There is an emerging need to distribute highly accurate time information over IP and over MPLS packet switched networks (PSNs).
good of you to ask. it exists today. http://ieee1588.nist.gov/
According to the TICTOC charter, you need more than just IEEE 1588 for accurate time distribution over IP and/or MPLS networks.
http://www.ietf.org/html.charters/tictoc-charter.html
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
SOLE LUNDY FASTNET IRISH SEA: NORTHEAST 3 OR 4, OCCASIONALLY 5 AT FIRST, BECOMING VARIABLE LATER. SLIGHT OR MODERATE. OCCASIONAL DRIZZLE. MODERATE OR GOOD.
On 4 nov 2008, at 10.14, Lincoln Dale wrote:
There is an emerging need to distribute highly accurate time information over IP and over MPLS packet switched networks (PSNs).
good of you to ask. it exists today. http://ieee1588.nist.gov/
Just a shame the world is not built on Ethernets. IETF tried to do TICTOC which will/could have done a better time-transfer over any IP network. But...let's see...
Best regards,
- kurtis -
On Tue, 04 Nov 2008 01:52:05 -0500 Valdis.Kletnieks@vt.edu wrote:
On Mon, 03 Nov 2008 22:23:07 PST, Paul Ferguson said:
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
The biggest problem is that you pretty much have to spoof a server that the client is already configured to be accepting NTP packets from. And *then* you have to remember that your packets can only lie about the time by a very small number of milliseconds or they get tossed out by the NTP packet filter that measures the apparent jitter. Remember, the *real* clock is also sending correct updates. At *best*, you lie like hell, and get the clock thrown out as an "insane" timesource. But at that point, a properly configured clock will go on autopilot till a quorum of sane clocks reappears, so you don't have much chance of wedging in a huge time slew (unless you *really* hit the jackpot, and the client reboots and does an ntpdate and you manage to cram in enough false packets to mis-set the clock then).
So in most cases, you can only push the clock around by milliseconds - and that doesn't buy you very much room for a replay attack or similar, because that's under the retransmit timeout for a lost packet. It isn't like you can get away with replaying something from 5 minutes ago.
Now, if you wanted to be *dastardly*, you'd figure out where a site's Stratum-1 server(s) have their GPS antennas, and you'd read the recent research on spoofing GPS signals - at *that* point you'd have a good chance of controlling the horizontal and vertical....
http://nob.cs.ucdavis.edu/bishop/papers/1990-acsac/ is old but does have a good analysis of the problem.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
On Mon, Nov 03, 2008 at 10:23:07PM -0800, Paul Ferguson wrote:
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
- ferg
depends on your POV... in a dns context, TSIG and DNSSEC validation depend on accurate time - failure to resolve data because of a time slip might be considered a significant issue.
--bill
My original question got drowned amidst all these vibrant discussions!
Do folks already use or plan to use Autokey for NTP?
Glen
On Tue, Nov 4, 2008 at 4:00 PM, <bmanning@vacation.karoshi.com> wrote:
On Mon, Nov 03, 2008 at 10:23:07PM -0800, Paul Ferguson wrote:
On Mon, Nov 3, 2008 at 10:15 PM, Glen Kent <glen.kent@gmail.com> wrote:
Hi,
I was wondering what most folks use for NTP security?
Do they use the low cost, light weight symmetric key cryptographic protection method using MD5 or do folks go in for full digital signatures and X.509 certificates (AutoKey Security)?
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
- ferg
depends on your POV... in a dns context, TSIG and DNSSEC validation depend on accurate time - failure to resolve data because of a time slip might be considered a significant issue.
--bill
On Nov 4, 2008, at 3:11 AM, Glen Kent wrote:
My original question got drowned amidst all these vibrant discussions!
Do folks already use or plan to use Autokey for NTP?
In my experience most people have a hard enough time remembering to run ntp at all (and with an even remotely sane configuration - this is why a sane default using the ntp pool is helpful as a baseline). Add authentication into the mix and many operations will almost certainly just have even more mis-configuration. :-)
- ask
--
http://develooper.com/ - http://askask.com/
On Nov 4, 2008, at 3:11 AM, Glen Kent wrote:
My original question got drowned amidst all these vibrant discussions!
Do folks already use or plan to use Autokey for NTP?
In my experience most people have a hard enough time remembering to run ntp at all (and with an even remotely sane configuration - this is why a sane default using the ntp pool is helpful as a baseline). Add authentication into the mix and many operations will almost certainly just have even more mis-configuration. :-)
One of the things to lament is that it is so hard to find any reasonable examples of how to set up various configurations in a secure manner.
There is voluminous documentation. Some of it is dated. Some of it is contradictory. Most of it assumes at least general familiarity with the topic.
Accurate time/NTP is, on one hand, fundamentally important to a variety of needs, but on the other hand, is usually implemented just "well enough."
... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
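Added example, not from any poster in this thread: the symmetric-key MD5 scheme asked about in the opening question appends a 32-bit key ID and MD5(key || header) to the 48-byte NTP header. This sketch builds and verifies that MAC for packets without extension fields; the key table, header contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 32-bit key ID + 128-bit MD5 digest

# Constructed key table (assumption); a real daemon loads these from its keys file.
KEYS = {1: b"constructed-shared-secret"}


def add_mac(header: bytes, key_id: int, keys=KEYS) -> bytes:
    """Append the key ID and MD5(key || header), as the sending side does."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys=KEYS) -> str:
    """Classify a received packet: 'ok', 'no-mac', 'unknown-key' or 'bad-mac'."""
    if len(packet) == HEADER_LEN:
        return "no-mac"                    # unauthenticated packet
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad-mac"                   # extension fields are not handled here
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keys.get(key_id)
    if key is None:
        return "unknown-key"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so the check does not leak digest bytes.
    return "ok" if hmac.compare_digest(expected, trailer[4:]) else "bad-mac"


def sample_header(transmit_seconds: int) -> bytes:
    """Constructed server reply: LI=0, VN=4, mode=4, stratum 2, zeros elsewhere."""
    hdr = bytearray(HEADER_LEN)
    hdr[0] = (0 << 6) | (4 << 3) | 4
    hdr[1] = 2
    struct.pack_into("!I", hdr, 40, transmit_seconds)  # transmit timestamp, seconds
    return bytes(hdr)
```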
On 4 nov 2008, at 07.23, Paul Ferguson wrote:
I'm just wondering -- in global scheme of security issue, is NTP security a major issue?
Just curious.
Maybe not NTP per se but timing is.
Best regards,
- kurtis -
participants (14)
- Ask Bjørn Hansen
- bmanning@vacation.karoshi.com
- Deepak Jain
- Glen Kent
- Joe Greco
- Kevin Oberman
- Kurt Erik Lindqvist
- Lincoln Dale
- Nathan Ward
- Paul Ferguson
- Roland Dobbins
- Steven M. Bellovin
- Tony Finch
- Valdis.Kletnieks@vt.edu