[ntpwg] Network Time Protocol (NTP) Options for DHCPv6
David L. Mills
mills at udel.edu
Tue Nov 13 03:33:24 UTC 2007
Brian,
Roaming laptops are what NTP Autokey is designed for. A properly
configured laptop would not need anything except a flag that says to use
it and possibly the public group key. Heck with NTP; use Autokey to
authenticate the server for anything.
Dave
Brian Utterback wrote:
>
>
> David L. Mills wrote:
>
>> Brian,
>>
>> My model about the keys is that the DHCP server would supply a key ID
>> for the NTP server(s) as configured, but not the keys themselves. The
>> keys would have to be configured for the NTP server and client
>> separately. The DHCP server would be responsible only for the opaque
>> key ID.
>>
>
> I see what you mean, but I am not sure about the use case here.
> Certainly if the keys are pre-configured on both the clients and the
> servers, then the key id is a must. But I am concerned about the
> roaming laptop mode here. If I bring my laptop to a network, I would
> like to be able to get enough info from the DHCP server to allow me
> to securely connect to the server and have it be authenticated. Perhaps
> a public key distribution scheme?
>
>> There is an issue about the security of the DHCP server itself; that
>> is another issue. I'm assuming the DHCP server is behind the firewall.
>
>
> Right. Out of the realm of our discussion.
>
>>
>> The mode specification could be any of the valid NTP modes. If client
>> (3) it would be an ordinary client/server association. A means would
>> be necessary to specify broadcast client, as that is not a mode in
>> the strict sense. It could be symmetric active (1), in which case the
>> victim would initiate that type of association. To specify symmetric
>> passive (2) means that the victim should wait for a symmetric active
>> (1) packet. This does not seem useful.
>
>
> If you get a broadcast address to use then you should be a broadcast
> client. I don't see the usefulness of a DHCP client being a symmetric
> anything. Perhaps this is a failure of imagination on my part.
>
>