Message-ID: <4129EF1D.4070105@paradigmo.com>
From: stephane.nasdrovisky at paradigmo.com (stephane nasdrovisky)
Subject: Re: Fwd: Re: FullDisclosure: Security aspects of
time synchronization infrastructure
gadgeteer@...gantinnovations.org wrote:
>>Depending upon the criticality of the time sensitive applications on
>>the network, you might want to reconsider the use of "radio clocks"
>>and especially "GPS clocks".
>>
>>
>[...]
>
>For a fixed installation detecting if someone is dinking the gps signal
>is trivial. The unit starts thinking it is not in Kansas anymore.
>
>
As far as I can remember, the gps is not accurate ... during US raids
(i.e. against Iraq) I could not tell if time is affected or if it only
reduces the precision over the location (50-20 meters during normal
operation, 100-1000 meters during raids). Anyway, I use a couple of
internet & free ntp services (my ISP, some European & US labs, ...). If
all the servers are compromised, I am too (as far as time and I are
concerned, I want my whole network to be synchronized, I don't really
care for the real time, before configuring a remote ntp server, there
was only a 'virtual' time (my watch), which was enough for my logs), if
only a few are, I can see there's a difference in the timing they
provide (which, anyway, I don't care about).
In Germany (which means anywhere between Spain and Russia), there is an
official radio-clock (known as dcf-77) which does not suffer the gps
limitation (this is not a military toy). As an official clock (used for
synching administrations, parking payments, ...) it has to be up and
give the official accurate time 24-7. You (or at least I) can be
confident with this time. Unfortunately, most receivers do not work in
machine rooms (too much ecm noise, sometimes the building is
radio-protected, ...); you have to put your receivers (yes, one is not to
be considered reliable) out of your building!
These radio clocks are easier to corrupt than gps (plain old fm against
spread spectrum)... I never faced any real time-critical project, so for
me (and I guess most admins), even the worst solution (internet NTP) is
more than enough right now (it may change in the future).
Anyway, if you consider this kind of solution (internet NTP), do not
forget ACLs on your routers/firewalls, use a single/cluster ntp server
for synching your network, do not let multiple servers sync with the
internet NTP.
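
Added example, not part of the original message: a sketch of the cross-check the post describes, where several internet NTP sources are compared and a minority that disagrees with the rest stands out. The source names, the 0.5 s tolerance and the reply packets are constructed for illustration; the offset formula is the standard NTP one.

```python
import struct
from statistics import median

NTP_DELTA = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01
FMT = "!BBbbII4sQQQQ"   # 48-byte NTP header, no extension fields

def to_ntp(unix_seconds):
    return int((unix_seconds + NTP_DELTA) * 2**32)  # 32.32 fixed point

def from_ntp(value):
    return value / 2**32 - NTP_DELTA

def make_reply(t1, server_error, one_way=0.02):
    """Constructed server reply whose clock is off by server_error seconds."""
    t2 = t1 + one_way + server_error      # server receive time
    t3 = t2 + 0.001                       # server transmit time
    pkt = struct.pack(FMT, 0x24, 2, 6, -20, 0, 0, b"TEST",
                      to_ntp(t3), to_ntp(t1), to_ntp(t2), to_ntp(t3))
    return pkt, t1 + 2 * one_way + 0.001  # (packet, client receive time T4)

def offset_from_reply(pkt, t4):
    """Clock offset ((T2-T1)+(T3-T4))/2 from a mode-4 (server) reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(FMT, pkt[:48])
    if fields[0] & 0x7 != 4 or fields[1] == 0:  # wrong mode or stratum 0
        raise ValueError("not a usable server reply")
    t1, t2, t3 = (from_ntp(v) for v in fields[8:11])
    return ((t2 - t1) + (t3 - t4)) / 2

def classify(offsets, tolerance=0.5):
    """Return (sources agreeing with the median offset, outliers)."""
    mid = median(offsets.values())
    agree = {n for n, o in offsets.items() if abs(o - mid) <= tolerance}
    if len(agree) * 2 <= len(offsets):
        return set(), set(offsets)        # no majority: trust nobody
    return agree, set(offsets) - agree

T1 = 1093262400.0  # constructed client send time
SAMPLE_ERRORS = {"isp": 0.004, "lab-eu": -0.003, "lab-us": 0.010, "rogue": 37.0}

def run_sample():
    offsets = {}
    for name, err in SAMPLE_ERRORS.items():
        pkt, t4 = make_reply(T1, err)
        offsets[name] = offset_from_reply(pkt, t4)
    return offsets, classify(offsets)
```

When no majority of sources agrees, the function trusts none of them, which matches the post's point that the comparison only helps while just a few servers are wrong.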