NTS keys as I understand them

Gary E. Miller gem at rellim.com
Mon Jan 14 21:07:19 UTC 2019


Yo Hal!

On Mon, 14 Jan 2019 12:58:00 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> > Why would a client waste all its cookies at once?  Since they can be
> > reused until the NTPD returns a NACK this seems to defeat the
> > benefit of keeping spare cookies around.
> 
> To avoid bad-guys tracking you when you change IP Addresses.

How does using all your cookies at once, at startup, prevent this?

> The NTP client gets a new cookie with each response.  If things are
> working normally, you will never get a NACK or need to run NTS-KE
> again.  "normally" means fewer than 8 lost packets in a row.

Yes, but then you have no spare cookies for when you DO lose 8 packets
in a row.  It is pretty common to lose 8 packets in a row on today's
internet.

> It might make sense to use the same cookie on all packets in a burst,
> but then we have to think about switching IP Addresses in the middle
> of a burst and I don't want to go there.

How does a client even know that its IP changed?  What with NAT, CGNAT,
4in6, and other schemes in common use that is no longer possible.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
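The cookie-jar dynamics argued over in this message, as an added simulation. This is not code from the thread or from NTPsec; it models a client that spends one cookie per request and receives one fresh cookie per delivered response, with a jar of 8 cookies from one NTS-KE run (the 8 is taken from the message). The optional placeholder refill goes beyond the message: it models the RFC 8915 cookie-placeholder mechanism, where a client asks for enough extra cookies to top the jar back up. Cookie strings and the loss patterns are constructed.

```python
from collections import deque


class CookieJar:
    """Toy model of an NTS client's cookie jar (constructed example, not NTPsec code).

    target            number of cookies the client wants on hand (8 in the thread)
    use_placeholders  if True, ask for extra cookies so a good response refills the jar
    """

    def __init__(self, target=8, use_placeholders=False):
        self.target = target
        self.use_placeholders = use_placeholders
        self.jar = deque()
        self.ke_runs = 0      # how many times NTS-KE had to be (re)run
        self._serial = 0      # only to make constructed cookie names distinct
        self.run_nts_ke()

    def _fresh_cookie(self):
        # Real cookies are opaque blobs minted by the server; the name is just a stand-in.
        self._serial += 1
        return f"cookie-{self._serial}"

    def run_nts_ke(self):
        """An NTS-KE exchange hands the client a full jar of cookies."""
        self.ke_runs += 1
        self.jar = deque(self._fresh_cookie() for _ in range(self.target))

    def poll(self, lost):
        """One NTP request/response round.

        The cookie sent on the wire is never reused, so it leaves the jar whether or
        not the response comes back.  If the jar is already empty, the client has no
        choice but to run NTS-KE again before it can send anything.
        Returns the number of cookies left after the round.
        """
        if not self.jar:
            self.run_nts_ke()
        self.jar.popleft()
        # Placeholders: request enough extra cookies that a good reply restores the target.
        wanted_extra = 0
        if self.use_placeholders:
            wanted_extra = max(0, self.target - len(self.jar) - 1)
        if not lost:
            for _ in range(1 + wanted_extra):
                self.jar.append(self._fresh_cookie())
        return len(self.jar)


def simulate(loss_pattern, target=8, use_placeholders=False):
    """Run a sequence of polls (True = response lost) and report
    (NTS-KE runs needed, cookies left at the end)."""
    client = CookieJar(target=target, use_placeholders=use_placeholders)
    left = len(client.jar)
    for lost in loss_pattern:
        left = client.poll(lost)
    return client.ke_runs, left


if __name__ == "__main__":
    # Seven losses in a row leave one spare; the eighth empties the jar.
    print("7 lost, then ok, no placeholders :", simulate([True] * 7 + [False]))
    print("8 lost, then ok, no placeholders :", simulate([True] * 8 + [False]))
    print("7 lost, then ok, with placeholders:", simulate([True] * 7 + [False], use_placeholders=True))
```

With one cookie back per response the jar never grows beyond its starting size, so a run of exactly 8 lost packets forces a fresh NTS-KE on the next poll; with placeholders a single delivered response after 7 losses restores the full jar.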