Re: [chrony-dev] Traffic amplification with chrony commands



On Sat, Jan 18, 2014 at 06:11:24AM +1000, Thomas Sprinkmeier wrote:
> If your nonce is only 32 bits then using anything stronger than MD5 is overkill.
> You could try to future-proof by allowing the nonce to grow over time and switch
> to a more secure hash if/when appropriate, but then you have to guard against
> version-rollback attacks.

That would be another complication. To me, padding of the request
packets so they are never smaller than replies still looks like the
best option here. The maximum length of each possible reply is known
at both sides, so it should be quite easy to implement. I'm more
worried about keeping enough compatibility with older versions that
chronyc will print "Protocol version mismatch" instead of retrying.

-- 
Miroslav Lichvar
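The padding defence described in the reply above, as an added illustrative model (not chrony's actual command protocol, and not code from the project): the command set, the per-command maximum reply lengths and the header layout are all assumptions made up for the example. Both sides share the table of maximum reply lengths, the client pads each request up to that length, and the server refuses to answer any request shorter than the longest reply it could send, so a spoofed-source request can never elicit more bytes than it carried. The unchecked mode is kept alongside to show the amplification factor the defence removes.

```python
"""Toy command/reply protocol showing request padding as an amplification
defence.  Constructed example; the commands, lengths and wire format are
hypothetical and do not describe chrony's real protocol."""
import struct
from typing import Optional

# Hypothetical command set and the maximum reply each command can produce,
# in bytes.  Client and server are assumed to share this table.
MAX_REPLY_LEN = {
    "NULL": 8,
    "TRACKING": 120,
    "SOURCES": 1500,
}

HEADER_FMT = "!HI"              # command id (2 bytes), 32-bit nonce
HEADER_LEN = struct.calcsize(HEADER_FMT)
COMMAND_IDS = {name: i for i, name in enumerate(MAX_REPLY_LEN)}
COMMAND_NAMES = {i: name for name, i in COMMAND_IDS.items()}


def build_request(command: str, nonce: int, pad: bool = True) -> bytes:
    """Client side: encode a request.  With pad=True the request is zero-padded
    up to the maximum reply length of that command (the defence)."""
    body = struct.pack(HEADER_FMT, COMMAND_IDS[command], nonce & 0xFFFFFFFF)
    if pad:
        body += b"\x00" * max(0, MAX_REPLY_LEN[command] - len(body))
    return body


def build_reply(command: str, nonce: int) -> bytes:
    """Construct a worst-case (maximum length) reply echoing the nonce.
    The payload is filler; a real reply would carry command data."""
    header = struct.pack(HEADER_FMT, COMMAND_IDS[command], nonce)
    return header + b"\x01" * (MAX_REPLY_LEN[command] - HEADER_LEN)


def handle_request(request: bytes,
                   enforce_min_length: bool = True) -> Optional[bytes]:
    """Server side: parse the request and return the reply, or None if the
    packet is malformed or (with enforce_min_length) shorter than the
    longest reply the requested command could produce."""
    if len(request) < HEADER_LEN:
        return None
    cmd_id, nonce = struct.unpack(HEADER_FMT, request[:HEADER_LEN])
    command = COMMAND_NAMES.get(cmd_id)
    if command is None:
        return None
    if enforce_min_length and len(request) < MAX_REPLY_LEN[command]:
        # Undersized request: answering would send more bytes to the claimed
        # source address than the sender spent, i.e. amplification.
        return None
    return build_reply(command, nonce)


def amplification_factor(request: bytes,
                         enforce_min_length: bool = True) -> float:
    """Bytes sent back per byte received; 0.0 when the server stays silent."""
    reply = handle_request(request, enforce_min_length)
    if reply is None:
        return 0.0
    return len(reply) / len(request)


if __name__ == "__main__":
    for command in MAX_REPLY_LEN:
        short = build_request(command, 0x12345678, pad=False)
        padded = build_request(command, 0x12345678, pad=True)
        print(f"{command:9s} unpadded {len(short):5d} B: "
              f"unchecked x{amplification_factor(short, False):.1f}, "
              f"checked x{amplification_factor(short):.1f}; "
              f"padded {len(padded):5d} B: x{amplification_factor(padded):.1f}")
```

Run it to see that, without the check, a 6-byte SOURCES request draws a 1500-byte reply (x250), while with the check the server stays silent unless the request is padded, at which point the factor is exactly 1.0. The compatibility problem raised in the reply is visible here too: a client that does not pad gets no answer at all rather than an error it can act on.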
