From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 19:10:20 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id ECF7D9E; Mon, 22 Dec 2014 19:10:20 +0000 (UTC) Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AEFC31BDF; Mon, 22 Dec 2014 19:10:20 +0000 (UTC) Received: by mail-oi0-f49.google.com with SMTP id a141so10473894oig.8; Mon, 22 Dec 2014 11:10:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LuupF3RGconCnWTHGXExAwku8eeaq8eYOjsCZmZhXKI=; b=GfQaOz5M8jNh7sQlYHuNNS5B+8aqDiPWs0C/gE92shaLT1m/UfYe15R/aVT1tU4E6y LE8xtlLsB+PMoRyWmzNJU3BBGEqvHR4Fzng2au9mtykYPMiqKCMKwbOq17totNu3BJ+Z AwYqH1izA0GH8xg19MwClQ4lus5+42INGViFrqx7yN6zFAYjRgd9Xb5AyD6YAx6gd2JO ekBNlHlMWiEfIN1Ypa0ThDzSKAmITo8B3bolMORolJkLwt7cyE7YUJcZCTiPQMIdmJ2k vAmYd1aqDNUcdnoIFEmsVW6Xwr00mbUsmrLuhTGJtwt3XV5Rvb1kBzVRTnfnnULiGYcd Fs7A== MIME-Version: 1.0 X-Received: by 10.60.98.240 with SMTP id el16mr9053350oeb.4.1419275419956; Mon, 22 Dec 2014 11:10:19 -0800 (PST) Received: by 10.182.60.104 with HTTP; Mon, 22 Dec 2014 11:10:19 -0800 (PST) In-Reply-To: <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com> References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> <201412221745.KAA28186@mail.lariat.net> <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com> Date: Mon, 22 Dec 2014 11:10:19 -0800 Message-ID: Subject: Re: ntpd vulnerabilities From: jungle Boogie To: Mark Felder Content-Type: text/plain; charset=UTF-8 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Dec 2014 19:10:21 -0000 Hi Mark, On 22 December 2014 at 11:02, Mark Felder wrote: > On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote: >> I'd like to propose that FreeBSD move to OpenNTPD, which appears to >> have none of the >> fixed or unfixed (!) vulnerabilities that are present in ntpd. >> There's already a port. >> > > Historically OpenNTPD has been dismissed as a candidate because of its > reduced accuracy and missing security features. For example, it doesn't > implement the NTPv4 functionality or authentication. > > Quite literally the OpenNTPD is vulnerable to a MITM attack because of > the lack of authentication. Their stance has been that you should trust > your NTP servers and suggest using a VPN for the NTP traffic. Probably > not a bad idea, honestly. Would you say a MITM attack is similar to a forged ntp reply? If so, have you seen this: http://quigon.bsws.de/papers/opencon04/ntpd/mgp00018.html > > I don't have a qualified opinion, but that should get you on the right > track if you want to research further. -- ------- inum: 883510009027723 sip: jungleboogie@sip2sip.info xmpp: jungle-boogie@jit.si