Authentication - NTP

This is a discussion on Authentication - NTP ; Do you enable authentication level on NTP server ? I have one NTP server (A) which is on both internal and external network, and another 2 NTP server (B, C) in internal netowrk. A is used to retrieve time information ...

+ Reply to Thread
Results 1 to 9 of 9

Thread: Authentication

  1. Authentication

    Do you enable authentication level on NTP server ?
    I have one NTP server (A) which is on both internal and external network, and another 2 NTP server (B, C) in internal netowrk.
    A is used to retrieve time information from Internet while B,C retrieve time from A and distributing it to clients.
    Where should I install authentication phase ?
    _______________________________________________
    questions mailing list
    questions@lists.ntp.isc.org
    https://lists.ntp.isc.org/mailman/listinfo/questions


  2. Re: Authentication

    Riccardo Castellani wrote:
    > Do you enable authentication level on NTP server ?
    > I have one NTP server (A) which is on both internal and external network, and another 2 NTP server (B, C) in internal netowrk.
    > A is used to retrieve time information from Internet while B,C retrieve time from A and distributing it to clients.
    > Where should I install authentication phase ?
    > _______________________________________________
    > questions mailing list
    > questions@lists.ntp.isc.org
    > https://lists.ntp.isc.org/mailman/listinfo/questions
    >


    The first question to ask yourself is: what problem are you trying to solve?

    All that authentication does for you is to provide some assurance that
    you are really dealing with the server you think you are instead of a
    bogus server set up by a hacker to cause mischief!

    Many sites run without authentication. Others need to be able to prove
    that their time stamps are traceable to NIST or some comparable national
    standards agency in another country. Such sites need authentication.



  3. Re: Authentication


    >Many sites run without authentication. Others need to be able to prove
    >that their time stamps are traceable to NIST or some comparable national
    >standards agency in another country. Such sites need authentication.


    How many of the national standards laboratories support authentication?

    I took a quick poke with google and didn't find any public
    keys from NIST. (I could easily have missed them.)

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  4. Re: Authentication

    Hal Murray wrote:
    >>Many sites run without authentication. Others need to be able to prove
    >>that their time stamps are traceable to NIST or some comparable national
    >>standards agency in another country. Such sites need authentication.

    >
    >
    > How many of the national standards laboratories support authentication?
    >
    > I took a quick poke with google and didn't find any public
    > keys from NIST. (I could easily have missed them.)
    >


    That was how I THOUGHT it was supposed to work from casual browsing of
    the documentation and discussions here! I've never needed it myself. I
    couldn't find anything on the NIST web site.

    This is the only link I could find:
    http://tf.nist.gov/time/authentication.htm
    and does not seem to be what we are looking for.

    Who KNOWS how to authenicate with NIST???


  5. Re: Authentication

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Replying to message <78OdnWalYMgih2PYnZ2dnUVZ_h7inZ2d@megapath.net>

    >> Many sites run without authentication. Others need to be able to prove
    >> that their time stamps are traceable to NIST or some comparable national
    >> standards agency in another country. Such sites need authentication.

    >
    > How many of the national standards laboratories support authentication?
    >
    > I took a quick poke with google and didn't find any public
    > keys from NIST. (I could easily have missed them.)



    The NRC in Canada has an authenticated service available for a fee. You can
    find the details at the following address:
    http://inms-ienm.nrc-cnrc.gc.ca/cals...#Authenticated

    - --
    Pierre Dubuc
    pldubuc@yahoo.ca
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (NetBSD)

    iEYEARECAAYFAkX+vKoACgkQaMA1iJ2qYmJdpgCeN70aT4MbEO P2/SZ1ZHo6mNIO
    ++sAoPG3ill2HlsUXlegbUZmgtzyAmny
    =AAdg
    -----END PGP SIGNATURE-----

  6. Re: Authentication

    Hal Murray wrote:
    >> Many sites run without authentication. Others need to be able to prove
    >> that their time stamps are traceable to NIST or some comparable national
    >> standards agency in another country. Such sites need authentication.

    >
    > How many of the national standards laboratories support authentication?
    >
    > I took a quick poke with google and didn't find any public
    > keys from NIST. (I could easily have missed them.)
    >


    They may not want to give out keys to everyone. Just because nothing is
    posted doesn't mean that they don't have. Almost noone makes these
    things public.

    Danny
    _______________________________________________
    questions mailing list
    questions@lists.ntp.isc.org
    https://lists.ntp.isc.org/mailman/listinfo/questions


  7. Re: Authentication

    Richard B. gilbert wrote:
    > Hal Murray wrote:
    >>> Many sites run without authentication. Others need to be able to prove
    >>> that their time stamps are traceable to NIST or some comparable national
    >>> standards agency in another country. Such sites need authentication.

    >>
    >> How many of the national standards laboratories support authentication?
    >>
    >> I took a quick poke with google and didn't find any public
    >> keys from NIST. (I could easily have missed them.)
    >>

    >
    > That was how I THOUGHT it was supposed to work from casual browsing of
    > the documentation and discussions here! I've never needed it myself. I
    > couldn't find anything on the NIST web site.
    >
    > This is the only link I could find:
    > http://tf.nist.gov/time/authentication.htm
    > and does not seem to be what we are looking for.
    >
    > Who KNOWS how to authenicate with NIST???


    You contact them directly and find out. Even when you set things up you
    need to get the keys that work with the server that you're using. It has
    to be done out-of-band.

    Danny
    _______________________________________________
    questions mailing list
    questions@lists.ntp.isc.org
    https://lists.ntp.isc.org/mailman/listinfo/questions


  8. Re: Authentication

    >>> Many sites run without authentication. Others need to be able to prove
    >>> that their time stamps are traceable to NIST or some comparable national
    >>> standards agency in another country. Such sites need authentication.


    >> How many of the national standards laboratories support authentication?


    >> I took a quick poke with google and didn't find any public
    >> keys from NIST. (I could easily have missed them.)


    >They may not want to give out keys to everyone. Just because nothing is
    >posted doesn't mean that they don't have. Almost noone makes these
    >things public.


    I think I'm missing something.

    Congress passed a law saying that stock brokers have to time-stamp
    transaction traceable to NIST. I assume NIST is expected to cooperate,
    either by funding from Congress or a pay-for-service system.

    Why wouldn't NIST want to publicize the procedure for getting
    authenticated time?

    Is the limiting factor CPU cycles or network bandwidth?

    Assuming it's CPU cycles, what's the ballpark cost to replicate
    a bank of CPUs to solve the problem? (aka authenticate everything)

    Even with a pay-for-service system, but I'd still expect a web page
    describing how to sign up or who to contact for more info.

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  9. Re: Authentication

    On Mar 20, 1:01 am, hal-use...@ip-64-139-1-69.sjc.megapath.net (Hal
    Murray) wrote:
    > Congress passed a law saying that stock brokers have to time-stamp
    > transaction traceable to NIST. I assume NIST is expected to cooperate,
    > either by funding from Congress or a pay-for-service system.
    >
    > Why wouldn't NIST want to publicize the procedure for getting
    > authenticated time?

    ....
    > Even with a pay-for-service system, but I'd still expect a web page
    > describing how to sign up or who to contact for more info.


    In government, the left hand is rarely informed about what the right
    hand is doing. The number of self-contradictory laws and policy
    documents which even a small municipality produces is staggering.

    If there does in fact exist a new law that implicitly requires NIST to
    offer authenticated NTP: my guess is some hard-working, well-meaning
    group of science-oriented persons at NIST is expected to read the
    thousands of pages of the congressional record produced every month,
    and interpret any "implicit" statements in that record into explicit
    courses of action for NIST. It is therefore unsurprising that some
    things get overlooked ;-).

    "Democracy is the worst form of government except all the others that
    have been tried." -Sir Winston Churchill




+ Reply to Thread