Date:      Fri, 29 Apr 2016 17:44:28 -0700 (PDT)
From:      Roger Marquis <marquis@roble.com>
To:        Charles Swiger <cswiger@mac.com>
Cc:        freebsd-security <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp
In-Reply-To: <28698FCA-CEAB-4A0F-9F12-57FCCD871E1E@mac.com>
References:  <20160429082953.DB31D1769@freefall.freebsd.org> <9e6342a420259fec7bd21d6222cc6e05@zahemszky.hu> <1461929003.67736.2.camel@yandex.com> <CINIP100NTSBSRqf69a0000002a@cinip100ntsbs.irtnog.net> <BABF8C57A778F04791343E5601659908237051@cinip100ntsbs.irtnog.net> <0O6F002Z65WLUS40@mr28p00im-smtpin028.me.com> <28698FCA-CEAB-4A0F-9F12-57FCCD871E1E@mac.com>

>> Who needs millisecond accuracy anyway?
>
>Cell phones, cell phone towers, computers handling financial transactions, etc.

I manage security for several dozen FreeBSD computers handling financial
transactions and they all run openntpd in client-only mode.  It was the
only way we could avoid an absolute deluge of security incident tickets
from corp scanning (mainly Nessus).

These hosts, as well as cell phone towers, etc. may be reasons for
keeping isc ntpd as a port but do not support a case for keeping it in
base.

>> perhaps, for those sites that need to run ntpd for one of the reasons
>> listed above but again, that's a tiny fraction of the installed base. Most
>> FreeBSD systems only need to query a timehost, not to be a time server.
>
> Your data for that?

Are you seriously proposing that most FreeBSD installations need to
serve as timeservers?

> openntpd implements SNTPv4 and not the NTPv4 protocol.  The extra sanity checking
> in the latter helps detect and mitigate against falsetickers, which is why folks
> continue to use NTP and ntpd rather than rdate or SNTP implementations like openntpd.

And your data for that?  I'd personally be surprised if most devops were
familiar with the differences between SNTPv4 and NTPv4.

OTOH openntpd's ntpd.conf does provide a "constraints from" directive
which will query one or more http/https sites and use the resulting
timestamps to reject ntp responses outside of a range near the
constraint.  This is a nice OOB feature not found in base ntpd.

Roger
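
An added example, not part of Roger's message or of the OpenNTPD project: a client-only ntpd.conf of the kind described above, with the constraint directive. The hostnames are placeholders, and the file path assumes the FreeBSD port's default location of /usr/local/etc/ntpd.conf; adjust both for your site.

```conf
# /usr/local/etc/ntpd.conf  (OpenNTPD; path assumed for the FreeBSD port)
#
# Client-only mode: there is deliberately no "listen on" line, so ntpd
# never answers NTP queries from the network. Adding
#     listen on *
# is what would turn this host into a time server.

# Time sources. "servers" (plural) resolves the name and uses every
# address it returns; "server" (singular) would use one address only.
# pool.ntp.org is a placeholder; point this at your own internal
# timehosts if you have them.
servers pool.ntp.org

# Out-of-band sanity check: ntpd fetches the Date header from these
# HTTPS sites over TLS and discards any NTP reply whose time falls
# outside a fixed margin around that constraint, which limits what a
# spoofed or falseticking NTP source can do to the clock.
# "constraints" (plural) resolves the name and uses all of its addresses;
# "constraint" (singular) pins one address. Both hostnames below are
# placeholders for sites with a valid TLS certificate that your hosts
# are already allowed to reach.
constraints from "www.example.com"
constraint from "time-check.example.net"
```

Because the HTTPS Date header is only accurate to a second or so, the constraint is a coarse guard against gross offsets, not a replacement for good NTP sources; the margin it applies is set in ntpd itself and is not a tunable in this file. Check the configuration with `ntpd -n` before enabling the service (rc.conf variable `openntpd_enable`, assumed here to be the port's rc name).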
