nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question on Loosely Synchronized Router Clocks

From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Tue, 18 Sep 2007 14:10:34 -0400

On Tue, 18 Sep 2007 13:51:55 -0400
Valdis.Kletnieks () vt edu wrote:


On Tue, 18 Sep 2007 09:27:32 PDT, Bora Akyol said:


It is not dependent on time. You'd like a protocol to be self
sufficient if at all possible.

Moving the vulnerability of one protocol to another is not highly
desirable in general.


The interesting failure mode is, of course, what happens when you're
not in time sync, so the routing protocol falls over - and due to the
lack of routing table entries, you become unable to reach your
timesource.


I've been talking with Xin offline, and raised that exact point.  That
said, in some security contexts there's little choice: you have to have
some way to assure that a message is fresh.  There are other choices in
some environment, such as monotonically increasing counters and
challenge/response protocols; depending on other decisions and the
particular context, these may be worse or not even possible.  For
example, if someone several hops away from the origination needs to
examine a signed *object*, a timestamp is probably better than a
counter, and challenge/response isn't even possible.  That doesn't make
timestamps good -- and they do have many disadvantages -- but they may
be the only choice.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb
Previous By Date Next
Previous By Thread Next

Current thread: