What's left to doo on NTS
Gary E. Miller
gem at rellim.com
Sat Mar 2 20:40:14 UTC 2019
Yo Eric!
On Sat, 2 Mar 2019 12:52:49 -0500
"Eric S. Raymond" <esr at thyrsus.com> wrote:
> Gary E. Miller via devel <devel at ntpsec.org>:
> > > > The way Mark explained it to me, you want one NTS-KE per aisle,
> > > > or per rack. That limits the number of servers, with keys,
> > > > that need to be protected.
> > >
> > > I now think this plan is a mistake and that Hal did the right
> > > thing by building key service into ntpd itself.
> >
> > The opinion that counts is that of Cisco. Anyone asked them?
>
> It hasn't come up. I get the impression their requirements list is not
> that fine-grained.
They likely read the RFC differently, best to confirm.
For example, I'll bet they want the ntpd in their routers to continue
to be ntpd servers, with cookies, but want the NTS-KE elsewhere. Otherwise
the poor little router is not powerful enough to do TLS 1.3, etc.
> > > If you don't trust that your LAN is secured enough to do that, you
> > > can't trust it enough to pass NTS-KE traffic over it either.
> >
> > Not the LAN, your containers.
>
> I don't understand that.
Think data center. The data center controls the LAN, but the customers
control what is in the containers. Or the hacker that used the latest
Wordpress bug to take over the container. And breaking out of a
container to infect the motherboard is not that hard.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin