Monday, November 10, 2008

NTP Authentication

1. NTP Peers don't need to be at the same stratum.

2. Without "ntp authentication"
NTP_client:
ntp authentication-key 1 md5 cisco
ntp server 101.1.1.1 key 1
NTP_server:
ntp master 3
ntp authentication-key 1 md5 cisco
2.1 In the debug output you can see that both server and client send packets with key 1. The time will sync.
2.2 "show ntp associations detail" on the client shows that the server is authenticated.

3. With "ntp authentication"
The only change is on the client:
NTP_client:
ntp authenticate
ntp authentication-key 1 md5 cisco
ntp server 101.1.1.1 key 1
3.1 The time won't sync because the client does not trust any key.
3.2 The server is authenticated.

4. You need both 'ntp authenticate' and 'ntp trusted-key 1' to enable the time sync.


5. Time information will also be accepted from an unauthenticated peer or server if that peer/server has no key identifier associated with it via the 'ntp peer' or 'ntp server' global configuration command.



6. This configuration works too. The peers are configured with different key numbers, but as long as the other side has the matching 'ntp authentication-key' configured, it will accept the time information.
For an NTP server, if it receives a request carrying a valid key, it replies with time information using the same key.

Router2(151.1.2.2)#
ntp authentication-key 1 md5 cisco
ntp authentication-key 2 md5 ibm
ntp authentication-key 3 md5 google
ntp authenticate
ntp trusted-key 1 #trust the time information from server 45.1.200.29
ntp trusted-key 2 #trust the time information from peer 150.1.3.3 using key 2 (see note on R3)
ntp peer 150.1.3.3 key 3 source Loopback0
ntp server 45.1.200.29 key 1

Router3(151.1.3.3)#
ntp authentication-key 1 md5 cisco
ntp authentication-key 2 md5 ibm
ntp authentication-key 3 md5 google
ntp authenticate
ntp trusted-key 1 #trust the time information from server 216.16.234.10
ntp trusted-key 3 #trust the time information from peer 150.1.2.2 using key 3 (different from the key on the line below, but matching the 'ntp peer ... key 3' configured on Router2)
ntp peer 150.1.2.2 key 2 source Loopback0
ntp server 216.16.234.10 key 1

So basically, when a router receives an NTP packet from x.x.x.x carrying key number y, it verifies it against 'ntp authentication-key y md5 ...', regardless of what key number is configured under 'ntp peer x.x.x.x key z'.

'ntp peer x.x.x.x key z' means the router will send packets to x.x.x.x with key z. Inbound packets from x.x.x.x do not need to use the same key.

What about changing only Router3 to "ntp peer 150.1.2.2 source loopback0" (without a key)? In this case Router2 will not accept time information from Router3, because on Router2 we configured that Router3 should include a key. Router3 will still trust Router2 as an NTP peer; refer to point 5. To make this work, either change it back or change Router2 to 'ntp peer 150.1.3.3 source loopback 0'.
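As an added example (not from the original post, and not Cisco code), here is a small Python model of the acceptance rules described in points 2 to 6. The MAC format is the RFC 5905 symmetric-key trailer: a 32-bit key ID followed by MD5 over the key string concatenated with the 48-byte header. Everything else, the router/peer dictionaries, build_header, send_packet, accept_time and the scenario functions, is a constructed assumption that encodes the behaviour the post observes, not IOS internals. It reproduces why Router2 and Router3 sync even though each side sends with a different key ID, why an unauthenticated Router3 is rejected by Router2until Router2's peer line drops its key, and why 'ntp authenticate' without 'ntp trusted-key' blocks the sync.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header; the optional MAC trailer follows it


def build_header(stratum):
    """Constructed minimal NTPv4 header: LI=0, VN=4, mode 4 (server), the given
    stratum, poll 6, precision -20, timestamps zeroed (illustrative values only)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    return struct.pack("!BBBb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def ntp_mac(key, header):
    """RFC 5905 symmetric-key digest: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def router(keys, authenticate, trusted, peers):
    """Model of one router's NTP configuration (constructed, mirrors the IOS lines):
    keys         -> 'ntp authentication-key <id> md5 <string>'  as {id: key bytes}
    authenticate -> whether 'ntp authenticate' is configured
    trusted      -> 'ntp trusted-key <id>' entries
    peers        -> 'ntp peer|server <addr> [key <id>]' as {addr: key id or None}"""
    return {"keys": keys, "authenticate": authenticate,
            "trusted": set(trusted), "peers": peers}


def send_packet(rtr, peer_addr, header):
    """Outbound: sign with the key ID configured on this peer/server line, if any
    ('ntp peer x.x.x.x key z' in point 6); no key on the line means no MAC."""
    key_id = rtr["peers"][peer_addr]
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + ntp_mac(rtr["keys"][key_id], header)


def accept_time(rtr, peer_addr, packet):
    """Inbound: decide whether the router accepts time from this packet."""
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not rtr["authenticate"]:
        return True  # point 2: nothing is enforced without 'ntp authenticate'
    if not trailer:
        # point 5: an unauthenticated packet is accepted only when no key is
        # associated with this peer/server line
        return rtr["peers"].get(peer_addr) is None
    if len(trailer) != 20:  # 4-byte key ID + 16-byte MD5 digest
        return False
    key_id = struct.unpack("!I", trailer[:4])[0]
    # point 6: the key is looked up by the ID carried in the packet, not by the
    # key ID configured on our own 'ntp peer ... key z' line for this neighbour
    key = rtr["keys"].get(key_id)
    if key is None or not hmac.compare_digest(ntp_mac(key, header), trailer[4:]):
        return False
    return key_id in rtr["trusted"]  # points 3/4: a valid key must also be trusted


KEYS = {1: b"cisco", 2: b"ibm", 3: b"google"}  # the post's three authentication keys


def scenario_point6():
    """Router2 sends to Router3 with key 3, Router3 answers with key 2; both accept."""
    r2 = router(KEYS, True, {1, 2}, {"150.1.3.3": 3, "45.1.200.29": 1})
    r3 = router(KEYS, True, {1, 3}, {"150.1.2.2": 2, "216.16.234.10": 1})
    hdr = build_header(stratum=4)
    r3_accepts_r2 = accept_time(r3, "150.1.2.2", send_packet(r2, "150.1.3.3", hdr))
    r2_accepts_r3 = accept_time(r2, "150.1.3.3", send_packet(r3, "150.1.2.2", hdr))
    return r3_accepts_r2, r2_accepts_r3  # (True, True)


def scenario_point6_no_key_on_r3():
    """Router3's peer line loses its key: Router2 rejects Router3, Router3 still
    trusts Router2, and dropping the key from Router2's peer line repairs it."""
    r2 = router(KEYS, True, {1, 2}, {"150.1.3.3": 3})
    r3 = router(KEYS, True, {1, 3}, {"150.1.2.2": None})
    r2_fixed = router(KEYS, True, {1, 2}, {"150.1.3.3": None})
    hdr = build_header(stratum=4)
    from_r3 = send_packet(r3, "150.1.2.2", hdr)  # unauthenticated, no trailer
    from_r2 = send_packet(r2, "150.1.3.3", hdr)  # signed with key 3
    return (accept_time(r2, "150.1.3.3", from_r3),
            accept_time(r3, "150.1.2.2", from_r2),
            accept_time(r2_fixed, "150.1.3.3", from_r3))  # (False, True, True)


def scenario_points_3_and_4():
    """Points 3 and 4: with 'ntp authenticate' the client needs 'ntp trusted-key 1'."""
    server = router({1: b"cisco"}, False, set(), {"client": 1})  # replies with key 1
    pkt = send_packet(server, "client", build_header(stratum=3))
    untrusted = router({1: b"cisco"}, True, set(), {"101.1.1.1": 1})
    trusted = router({1: b"cisco"}, True, {1}, {"101.1.1.1": 1})
    return accept_time(untrusted, "101.1.1.1", pkt), accept_time(trusted, "101.1.1.1", pkt)
```

The decisive line for point 6 is the key lookup in accept_time: it uses the key ID inside the received packet, so the two peers can legitimately send with different key IDs as long as each ID exists in the receiver's key table and is trusted there.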

7. Reference: http://www.nil.com/ipcorner/SecTimeManagement/
