From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Tue, 23 Dec 2014 17:06:30 -0800 (PST)
Subject: Re: ntpd vulnerabilities

Dag-Erling Smørgrav wrote:
> I absolutely agree. If we replace the NTP suite, it will be with a
> minimal SNTP client, although no decision has been made.

For now openntpd is the recommended solution, but a more minimal client might be preferable depending on implementation specifics. The only feature missing from openntpd that we could use is a way to set the egress interface. Openntpd's "listen on" directive only defines the ingress tcp address; outgoing queries still use the server's primary IP.

Roger Marquis