Yo Eric!

On Sat, 2 Mar 2019 12:52:49 -0500 "Eric S. Raymond" <e...@thyrsus.com> wrote:

> Gary E. Miller via devel <devel@ntpsec.org>:
> > > > The way Mark explained it to me, you want one NTS-KE per aisle,
> > > > or per rack.  That limits the number of servers, with keys,
> > > > that need to be protected.
> > >
> > > I now think this plan is a mistake and that Hal did the right
> > > thing by building key service into ntpd itself.
> >
> > The opinion that counts is that of Cisco.  Anyone asked them?
>
> It hasn't come up.  I get the impression their requirements list is not
> that fine-grained.

They likely read the RFC differently; best to confirm.

For example, I'll bet they want the ntpd in their routers to continue to
be ntpd servers, with cookies, but want the NTS-KE elsewhere.  Otherwise
the poor little router is not powerful enough to do TLS 1.3, etc.

> > > If you don't trust that your LAN is secured enough to do that, you
> > > can't trust it enough to pass NTS-KE traffic over it either.
> >
> > Not the LAN, your containers.
>
> I don't understand that.

Think data center.  The data center controls the LAN, but the customers
control what is in the containers.  Or the hacker that used the latest
Wordpress bug to take over the container.  And breaking out of a
container to infect the motherboard is not that hard.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller
Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
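The split Gary describes (a router's ntpd keeps serving NTP with cookies while the NTS-KE, the only part that needs TLS 1.3, runs on another box) is supported by the NTS-KE protocol itself: the KE server can hand the client cookies and an NTPv4 Server Negotiation record that points at a different host. The following is an added example, not code from ntpd or from anyone on this thread. It encodes and parses the NTS-KE record layer using the record types and constants of RFC 8915; the hostnames `nts-ke.example` and `ntp-rack7.example` and the placeholder cookie bytes are made up for illustration, and the TLS 1.3 session, the exporter-derived C2S/S2C keys, and the AES-SIV cookie contents are out of scope.

```python
import struct

# NTS-KE record types and constants as numbered in RFC 8915 (the thread
# does not list them; this is the RFC's numbering, not ntpd's source).
REC_END_OF_MESSAGE = 0
REC_NEXT_PROTOCOL = 1
REC_ERROR = 2
REC_WARNING = 3
REC_AEAD_ALGORITHM = 4
REC_NEW_COOKIE = 5
REC_NTPV4_SERVER = 6
REC_NTPV4_PORT = 7
CRITICAL_BIT = 0x8000

PROTO_NTPV4 = 0              # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15   # AEAD algorithm ID negotiated for NTS


def encode_record(rtype, body, critical=False):
    """One record: Critical bit + 15-bit type, 16-bit body length, body."""
    if not 0 <= len(body) <= 0xFFFF:
        raise ValueError("record body too long")
    head = rtype | (CRITICAL_BIT if critical else 0)
    return struct.pack("!HH", head, len(body)) + body


def decode_records(buf):
    """Parse records up to End of Message; returns [(type, critical, body)]."""
    records, off = [], 0
    while off + 4 <= len(buf):
        head, blen = struct.unpack_from("!HH", buf, off)
        off += 4
        body = buf[off:off + blen]
        if len(body) != blen:
            raise ValueError("truncated record body")
        off += blen
        rtype, critical = head & 0x7FFF, bool(head & CRITICAL_BIT)
        records.append((rtype, critical, body))
        if rtype == REC_END_OF_MESSAGE:
            return records
    raise ValueError("no End of Message record")


def build_ke_response(cookies, ntp_server=None, ntp_port=None):
    """What a stand-alone NTS-KE server returns inside the TLS 1.3 session.

    Cookies are opaque to the client; only the ntpd holding the cookie key
    can open them.  ntp_server/ntp_port are the optional redirect records
    that let the KE live on a different machine from the ntpd it fronts.
    """
    out = encode_record(REC_NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
    out += encode_record(REC_AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
    if ntp_server is not None:
        out += encode_record(REC_NTPV4_SERVER, ntp_server.encode("ascii"), critical=True)
    if ntp_port is not None:
        out += encode_record(REC_NTPV4_PORT, struct.pack("!H", ntp_port), critical=True)
    for c in cookies:
        out += encode_record(REC_NEW_COOKIE, c)
    out += encode_record(REC_END_OF_MESSAGE, b"", critical=True)
    return out


def parse_ke_response(buf, ke_host, default_port=123):
    """Client side: decide which NTP server to use and collect the cookies.

    An unrecognized critical record is fatal (RFC 8915); unrecognized
    non-critical records are skipped.  With no Server/Port record the
    client falls back to the NTS-KE host itself on port 123.
    """
    result = {"server": ke_host, "port": default_port, "cookies": [],
              "aead": None, "proto": None}
    known = {REC_END_OF_MESSAGE, REC_NEXT_PROTOCOL, REC_ERROR, REC_WARNING,
             REC_AEAD_ALGORITHM, REC_NEW_COOKIE, REC_NTPV4_SERVER, REC_NTPV4_PORT}
    for rtype, critical, body in decode_records(buf):
        if rtype == REC_ERROR:
            raise ValueError("server reported error %d" % struct.unpack("!H", body)[0])
        if rtype == REC_NEXT_PROTOCOL:
            result["proto"] = struct.unpack("!H", body[:2])[0]
        elif rtype == REC_AEAD_ALGORITHM:
            result["aead"] = struct.unpack("!H", body[:2])[0]
        elif rtype == REC_NTPV4_SERVER:
            result["server"] = body.decode("ascii")
        elif rtype == REC_NTPV4_PORT:
            result["port"] = struct.unpack("!H", body)[0]
        elif rtype == REC_NEW_COOKIE:
            result["cookies"].append(body)
        elif rtype not in known and critical:
            raise ValueError("unrecognized critical record type %d" % rtype)
    if result["proto"] != PROTO_NTPV4 or result["aead"] != AEAD_AES_SIV_CMAC_256:
        raise ValueError("negotiation failed")
    if not result["cookies"]:
        raise ValueError("no cookies issued")
    return result


# Constructed sample: the rack's key box issues eight cookies and redirects
# the client to the router's ntpd.  Cookie bytes are fixed placeholders,
# not real AES-SIV-wrapped cookies.
SAMPLE_COOKIES = [bytes([0xC0, i]) * 52 for i in range(8)]
SAMPLE_RESPONSE = build_ke_response(SAMPLE_COOKIES, ntp_server="ntp-rack7.example", ntp_port=123)

if __name__ == "__main__":
    print(parse_ke_response(SAMPLE_RESPONSE, ke_host="nts-ke.example"))
```

The point of the Server Negotiation record is that the TLS-capable KE and the cookie-minting ntpd only have to share the cookie key, not a host; what that key-sharing channel looks like is exactly the trust question the thread is arguing about.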
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel