The first and biggest problem I see with this report is that it assumes there is supposed to be a connection between a private key and a server.  No such connection exists with symmetric keys for NTP.

I think that there may be a problem here. Once an association has been authenticated then that packets between the two systems need to continue to use the key used for creating that association trust. What needs to happen is that when the trust is established a reference to the key used should be kept until the association is cleared. Otherwise, according to the report, any other valid key in the list can be used, probably by a rogue server that has a trusted key which can spoof the packets.

Danny and Harlan, you have both a point there.

'Hijacking' a key that is used for another peer is only possible if a key is already compromised.

Hijacking after authentication can be prevented by keeping the (auto-)key in the peer structure once a peer authenticated itself with it. Packets that need cryptographic authentication are validated against this key and ignored otherwise. (This must be of course 'forgotten' when the peer association drops.)

Alas, this does not prevent *establishing* a peer connection from a rogue peer under false identity. To prevent *this*, we need an association between IP addresses and the allowed keys for an address, and such does not exist yet.

The first issue should not be too hard to tackle, but it doesn't get us very far without solving the second one.

The options we have here is either another key format that includes addresses associated with the key (which is IMHO a massive compatibility problem) or an additional config file that provides that associations. The additional config data takes a bit more effort to maintain, but it might be more secure and provide a better migration path.

An additional step could 'quarantine' key material that has been found to be used in fraudulent ways, e.g. by moving it into another directory (so it cannot be used again) and dropping the autokey from the key store.

Am I missing something vital here, or would implementing these 3 steps solve the issue?

(In reply to comment #2)
> I think that there may be a problem here. Once an association has been
> authenticated then that packets between the two systems need to continue to use
> the key used for creating that association trust. What needs to happen is that
> when the trust is established a reference to the key used should be kept until
> the association is cleared. Otherwise, according to the report, any other valid
> key in the list can be used, probably by a rogue server that has a trusted key
> which can spoof the packets.

Danny, please say more.  There's nothing wrong with there being multiple trusted keys, and since we're talking about UDP here, we have no way of knowing if a client starts talking to a server with "trusted key #1" and then the client gets reconfigured/restarting using "trusted key #2".  There's no reason this should not work.

What exactly do you mean by an "association" here?

I can still see it being a reasonable conclusion that this report is not a valid bug.

Thinking about implementing:

 trustedkey <keyid> ... [ from <ip> ...]

for a first pass at a solution.

Resolved in 4.2.8p6 and 4.3.90.

The solution is to have the ntp.keys file contain an optional 4th column, a comma-separated list of IPs that are allowed to serve time.

This is documented in the ntp.keys documentation.  We still need to update html/authentic.html - see bug 2997.

ACTIVE was fixed - PASSIVE was not.

STAGED for p7.