ntp.conf changes for NTS
James Browning
jamesb.fe80 at gmail.com
Sat Feb 2 14:10:07 UTC 2019
On Sat, Feb 2, 2019, 5:27 AM Hal Murray via devel <devel at ntpsec.org> wrote:
>
> > Yes, you'd need implausible to impossible lifetimes of the client/server
> > pairing for these to ever become a problem. But again, when key rollover
> > gets implemented as indicated in the RFC, those will stop being useful on the
> > second rollover.
>
> What stops being useful when K rolls over is old cookies.
>
> C2S and S2C are used to authenticate the packets and also to encrypt new
> replacement cookies from server to client. There is no roll over mechanism
> for C2S or S2C. They get refreshed if you go through NTS-KE again, but that
> doesn't happen during normal operations. You need to do something like drop 8
> packets in a row.
>
IIRC the previous key is kept for a rotation. Unless you are using
something like poll 14+ it shouldn't be a problem.
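
The interaction between the retained previous key and the poll interval, as an added simulation that is not part of the original message and is not NTPsec code. The daily rotation of K, the oldest-first use of cookies and the refill of the pool on every good reply are assumptions made for the model; only the pool of eight and the single retained key come from the thread.

```python
from collections import deque

POOL = 8           # cookies a client holds; eight failures in a row empty it
ROTATE = 86400     # assumed: the server draws a new cookie key K once a day


def simulate(poll, days=30, keep_old=1, rotate=ROTATE):
    """Return (dropped_requests, nts_ke_reruns) for a client polling every 2**poll s."""
    interval = 2 ** poll
    pool = deque([0] * POOL)      # each entry: generation of the K that sealed it
    dropped = reruns = 0
    for now in range(interval, days * 86400 + 1, interval):
        gen = now // rotate       # generation of the server's current K
        if not pool:
            # No cookie left to send: the client runs NTS-KE again, which
            # gives it new C2S/S2C keys and a full set of cookies.
            reruns += 1
            pool.extend([gen] * POOL)
        cookie_gen = pool.popleft()          # assumed: oldest cookie is spent first
        if gen - cookie_gen <= keep_old:
            # The server still holds the K for this cookie; its reply carries
            # fresh cookies sealed under the current K (assumed: enough to
            # bring the pool back to POOL).
            pool.extend([gen] * (POOL - len(pool)))
        else:
            dropped += 1          # the server cannot open the cookie: no reply
    return dropped, reruns


if __name__ == "__main__":
    for poll in (10, 13, 14, 16):
        dropped, reruns = simulate(poll)
        print(f"poll {poll:2d}: dropped={dropped:3d} nts_ke_reruns={reruns}")
```

Under these assumptions the oldest cookie in a full pool is 8 poll intervals old, so the threshold depends on 8 * 2**poll compared with the rotation period, not on a single poll interval.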