
Re: [Full-Disclosure] Re: Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure



gadgeteer@xxxxxxxxxxxxxxxxxxxxxx wrote:

> Depending upon the criticality of the time sensitive applications on
> the network, you might want to reconsider the use of "radio clocks"
> and especially "GPS clocks".
>
> [...]
>
> For a fixed installation detecting if someone is dinking the gps signal
> is trivial. The unit starts thinking it is not in Kansas anymore.


As far as I can remember, the GPS is not accurate ... during US raids (i.e. against Iraq) I could not tell if time is affected or if it only reduces the precision of the location (50-20 meters during normal operation, 100-1000 meters during raids). Anyway, I use a couple of internet & free NTP services (my ISP, some European & US labs, ...). If all the servers are compromised, I am too (as far as time and I are concerned, I want my whole network to be synchronized; I don't really care about the real time. Before configuring a remote NTP server, there was only a 'virtual' time (my watch), which was enough for my logs). If only a few are, I can see there's a difference in the timing they provide (which, anyway, I don't care about).

In Germany (which means anywhere between Spain and Russia), there is an official radio clock (known as DCF-77) which does not suffer the GPS limitation (this is not a military toy). As an official clock (used for synching administrations, parking payments, ...) it has to be up and give the official accurate time 24-7; you (or at least I) can be confident in this time. Unfortunately, most receivers do not work in machine rooms (too much ecm noise; sometimes the building is radio-protected, ...); you have to put your receivers (yes, one is not to be considered reliable) outside your building!

These radio clocks are easier to corrupt than GPS (plain old FM against spread spectrum)... I have never faced any real time-critical project, so for me (and I guess most admins) even the worst solution (internet NTP) is more than enough right now (it may change in the future).

Anyway, if you consider this kind of solution (internet NTP), do not forget ACLs on your routers/firewalls, use a single NTP server or cluster for synching your network, and do not let multiple servers sync with the internet NTP.
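The cross-check the post relies on (several independent sources, and a compromised or spoofed one shows up because it disagrees with the rest) can be automated. The following is an added example, not code from the thread or from any NTP implementation: it parses `ntpq -pn` style peer output, takes the median offset as a robust reference, and flags sources that fall outside a tolerance. The peer lines are constructed sample data, not a capture from a real host; the 128 ms tolerance, the quorum rule (a strict majority of at least three agreeing sources) and all host addresses are assumptions chosen for illustration.

```python
"""Cross-check several NTP sources and flag the ones that disagree.

Added example (not part of the original post). Offsets are read from
ntpq -pn style output; the reference is the median of all offsets, which
stays correct as long as fewer than half of the sources are bad.
"""
from statistics import median

# Constructed sample of `ntpq -pn` output. The last peer is about 37 s off,
# standing in for a spoofed or faulty radio receiver. Offsets are in ms.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.412    0.011   0.020
+198.51.100.5    192.0.2.10       2 u   20   64  377   12.300    0.009   0.100
+203.0.113.7     192.0.2.10       2 u   50   64  377   15.100    0.015   0.080
 192.0.2.77      .DCFa.           1 u   12   64  377    0.300  37400.0   0.050
"""

# Tally codes ntpq prints in column 1 (space means "not considered").
TALLY = "*+#-x. o"

# Assumed tolerance: sources further than this (seconds) from the reference
# are treated as suspect. 128 ms is a common sanity bound for NTP steps.
TOLERANCE = 0.128


def parse_ntpq(text):
    """Return {remote: offset_seconds} from ntpq -p / -pn style output."""
    offsets = {}
    for line in text.splitlines()[2:]:        # skip header and rule line
        if not line.strip():
            continue
        body = line[1:] if line[0] in TALLY else line
        fields = body.split()
        if len(fields) < 10:                  # malformed or wrapped line
            continue
        remote, offset_ms = fields[0], float(fields[8])
        offsets[remote] = offset_ms / 1000.0  # ntpq reports offset in ms
    return offsets


def classify_sources(offsets, tolerance=TOLERANCE):
    """Split sources into (trusted, suspect) by distance from the median."""
    if not offsets:
        raise ValueError("no sources to compare")
    ref = median(offsets.values())
    trusted = {n: o for n, o in offsets.items() if abs(o - ref) <= tolerance}
    suspect = {n: o for n, o in offsets.items() if abs(o - ref) > tolerance}
    return trusted, suspect


def consensus_offset(offsets, tolerance=TOLERANCE):
    """Median offset of the agreeing sources, or None without a quorum.

    Assumed quorum rule: the agreeing set must be a strict majority and hold
    at least three sources, since two sources cannot tell which one is wrong.
    """
    trusted, _ = classify_sources(offsets, tolerance)
    if len(trusted) < 3 or len(trusted) * 2 <= len(offsets):
        return None
    return median(trusted.values())


if __name__ == "__main__":
    parsed = parse_ntpq(SAMPLE_NTPQ)
    trusted, suspect = classify_sources(parsed)
    print("trusted:", sorted(trusted))
    print("suspect:", sorted(suspect))
    print("consensus offset (s):", consensus_offset(parsed))
```

Run periodically against the output of `ntpq -pn` on the site's own NTP server, alerting whenever `suspect` is non-empty or `consensus_offset` returns `None`; the median keeps the check honest only while fewer than half the configured sources are wrong, which is the reason for mixing providers (ISP, lab servers, a local receiver) rather than pointing every host at the same upstream.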