
Implementation: Client side


Forgery - what if someone sends us forged ntp replies?
when we send our query, we set the "transmit timestamp" to a random cookie, and store both our cookie and the real transmit timestamp locally

servers are required to copy that timestamp verbatim into the "originate timestamp" in the reply

upon receival of the reply, we check that the originate timestamp matches the cookie we sent with the query - if they don't match, we have a case of forgery


