Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!snorkelwacker.mit.edu!apple!agate!ucbvax!HPSDEL.SDE.HP.COM!wunder From: wunder@HPSDEL.SDE.HP.COM (Walter Underwood) Newsgroups: comp.protocols.time.ntp Subject: vendor supported NTP Message-ID: <9101142057.AA04699@hpsdel.sde.hp.com> Date: 14 Jan 91 20:57:42 GMT References: <1991Jan14.172342.7062@convex.com> Sender: daemon@ucbvax.BERKELEY.EDU Distribution: inet Organization: The Internet Lines: 52 1) Which vendors are currently supporting NTP as a vendor released product (I only know of DEC)? HP does not, but the HP port was done at HP. 2) Which vendors have "plans" of supporting NTP as a vendor release product in the next release of their OS? NTP is not in HP-UX 8.0, which is the "next release." I would guess that whenever we support a time syncronization system it will be DECdns, which is part of OSF DCE. Of course, I'm not in the relevant divisions, or an official spokeperson. 3) Have there been ANY instances/examples/rumors/etc of NTP being used to break into a machine (like fingerd was used by the Morris worm)? We haven't noticed any here. 4) How 'secure' is NTP from external threat? If only does what is in the spec, quite secure. If it is busted, who knows. The truely paranoid might want to see if it works in its own little chroot() prison, since it runs as "root". That would really limit the damage that an NTP break-in could do. 5) How many vendors are running NTP internally (even though they don't support NTP as a product)? HP has quite a few machines running NTP, and we do run NTP with external machines. One additional comment -- in our security policy, when we secure a service the first thing that we look at is whether there is sensitive information accessible via that service. We've decided that the current time and the paramaters of our clock are not sensitive information, so we don't have access control on NTP. OK, one more -- I don't think that we are very vulnerable to a denial of service attack from malicious clocks, partly because all of our primaries would need to conspire against us, and partly because our time-dependent services rely more on syncronization betwen hosts than on absolute time. So if all the hosts are an hour off from UTC, but still sync'ed to 10 ms between each other, all our services still work correctly. Authentication (and "time treaties" with our primaries) would really reduce this risk. Anybody want to re-write NTP in GYPSY and verify it? Or is verification still dead? wunder