[ntpwg] [dhcwg] Re: Network Time Protocol (NTP) Options for DHCPv6
Danny Mayer
mayer at ntp.org
Fri Nov 16 15:33:08 GMT 2007
Ralph Droms wrote:
> DHCPv6 does not use IPSEC between the client and the server. Rather,
> it uses a shared key for authentication and message verification.
>
> It is possible to use IPSEC between a relay agent and a server.
>
Thanks for the correction. As long as the shared key authentication does
not depend on a valid time in any way then this is fine.
Danny
> - Ralph
>
> On Nov 15, 2007, at Nov 15, 2007,11:26 PM, Danny Mayer wrote:
>
>> Brian Utterback wrote:
>>> Interesting. I agree that a key needs to be specified somehow, but it
>>> is not clear to me how to do it. We have to assume that the client
>>> does not have the same NTP keys. However, we would like a way to
>>> specify a server and keys securely, so that the security of the
>>> network depends only on the security of DHCP. Again I am not up to
>>> date, *is* there a secure DHCP? If so, then how to get keys to the
>>> clients becomes an issue.
>>
>> DHCPv6 uses IPSEC for security. However, as I pointed out in my own
>> response, if you are provisioning an NTP server then it means that NTP
>> is not running at the time and any security that requires reasonably
>> close timestamps at both ends is likely to fail.
>>
>> Danny
>>
>> _______________________________________________
>> dhcwg mailing list
>> dhcwg at ietf.org
>> https://www1.ietf.org/mailman/listinfo/dhcwg
>
More information about the ntpwg
mailing list