RE: NTP authentication

From: Brian McGahan (brian@cyscoexpert.com)
Date: Tue Dec 03 2002 - 20:28:43 GMT-3


        A common misconception about NTP is the way authentication is
implemented; however, it makes perfect sense if you think about it
logically.

        What is the purpose of using NTP authentication? The most
obvious answer is that authentication is used to prevent someone from
tampering with the timestamps on the logs generated by devices. To
implement an attack on NTP, a hacker would make their rogue host appear
to be a valid NTP server. NTP authentication is therefore used to
authenticate the time *source*, not the client.

Take the following scenario:

R1--12.0.0.0/8--R2

R1 and R2 share the segment 12.0.0.0/8. R1 is the NTP master, and R2 is
the client. To get a better understanding of how NTP authentication
works, try the following possible configurations and see which of them
work and which of them do not.

*Note: NTP should not take longer than 15 or 20 seconds to initially
synchronize. If your routers do not synchronize within this period,
remove any 'ntp server' or 'ntp peer' statements and replace them. If
synchronization still does not occur, there is a configuration problem.

Case 1: No authentication

R1#sh run | in ntp
ntp master 1

R2#sh run | in ntp
ntp clock-period 17179865
ntp server 12.0.0.1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#show ntp associations detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 2: Authentication on server, no authentication on client

R1#sh run | in ntp
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp master 1

R2#sh run | in ntp
ntp clock-period 17179863
ntp server 12.0.0.1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 3: No authentication on server, authentication on client

R1#sh run | in ntp
ntp master 1
R1#

R2#sh run | in ntp
ntp authentication-key 1 md5 08701E1F28492647465A5D547E 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179863
ntp server 12.0.0.1 key 1
R2#sh ntp stat
Clock is unsynchronized, stratum 16, no reference clock
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, insane, invalid, unsynced, stratum 16

Case 4: Authentication on server and client

R1#sh run | in ntp
ntp authentication-key 1 md5 0822455D0A16 7
ntp authenticate
ntp master 1
R1#

R2#sh run | in ntp
ntp authentication-key 1 md5 060506324F41 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179865
ntp server 12.0.0.1 key 1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, authenticated, our_master, sane, valid, stratum 1

        As shown by the above configuration, NTP authentication is used
to authenticate the NTP source, not any associated clients.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Voice: 847.674.3392
Fax: 847.674.2625

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Cisco Engineer
> Sent: Tuesday, December 03, 2002 3:46 PM
> To: Ram Shummoogum; ccielab@groupstudy.com
> Subject: Re: NTP authentication
>
> In fact, I had the same worry. I went ahead to clear my
> doubt with one of our old CCIEs and the answer I got -
> "Cisco's NTP implementation usually behaves weird with
> authentication".
>
> I was not at all convinced with that answer. Would
> appreciate if someone answers this. In fact I went
> ahead and used the latest IOS to make sure if it was a
> bug and maybe it had been taken care of in the later
> versions, but it still syncs up if you take out
> authentication on one end. Pretty weird !!
>
> Thanks
>
> Joy
>
>
> --- Ram Shummoogum <rshummoo@ca.ibm.com> wrote:
> > Hi:
> > A quick one:
> >
> > I configured NTP on 2 Routers back-to-back with
> > authentication (md5).
> > So far everything works fine.
> > I remove authentication on one of the Routers( no
> > ntp authenticate) and
> > they continue to sync.
> > I even rebooted the router on which I had removed
> > the authentication and
> > they still sync.
> >
> >
> > Any ideas why?
> >
> >
> > cheers
> >
> > RAM
>
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
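The four cases in Brian's reply all come down to one decision made on the client side: R2 only checks a reply when it is configured to (`ntp authenticate` plus `key 1` on the `ntp server` line), and when it checks, the reply must carry a MAC under a key listed as `ntp trusted-key`. The `md5` keys IOS uses are the RFC 5905 symmetric-key scheme: a 32-bit key identifier followed by MD5 computed over the key and the 48-byte NTP header. The Python below is an added example written for this archive page, not code from the post or from Cisco IOS. The key strings, the timestamp values and the simplification that R1 attaches a MAC whenever it holds a key are constructed assumptions; the client-side verification logic is what reproduces the sync/no-sync outcome of each case.

```python
"""Model of NTP symmetric-key (MD5) authentication as seen from the client.

Added example, not from the original mailing-list post. Key strings,
timestamps and the R1 (server) / R2 (client) roles are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48          # fixed NTPv3/v4 header length
KEY_ID_LEN = 4               # 32-bit key identifier that precedes the digest
MD5_DIGEST_LEN = 16

# Constructed plaintext keys standing in for the type-7 obfuscated strings in
# the post. In case 4 both routers share key id 1, so the secrets are equal.
R1_KEY = b"constructed-ntp-key-1"
R2_KEY = b"constructed-ntp-key-1"
WRONG_KEY = b"some-other-secret"


def build_server_header(stratum: int = 1) -> bytes:
    """Build a constructed 48-byte NTPv3 server reply (mode 4) header.

    Field layout follows RFC 5905 section 7.3; the timestamps are fixed
    constants so the example is deterministic.
    """
    li_vn_mode = (0 << 6) | (3 << 3) | 4    # LI=0, version 3, mode 4 (server)
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    ref_id = b"LOCL"                        # local clock, as 'ntp master' reports
    ts = 0xC170A3C000000000                 # constructed 64-bit NTP timestamp
    return struct.pack(
        "!BBbbII4sQQQQ",
        li_vn_mode, stratum, poll, precision,
        root_delay, root_dispersion, ref_id,
        ts, ts, ts, ts,                     # reference, originate, receive, transmit
    )


def md5_mac(key: bytes, key_id: int, header: bytes) -> bytes:
    """RFC 5905 symmetric-key MAC: key id followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def server_reply(header: bytes, key: Optional[bytes], key_id: int = 1) -> bytes:
    """Reply as modelled for R1: bare header, or header + MAC when R1 holds a key."""
    return header if key is None else header + md5_mac(key, key_id, header)


def client_accepts(packet: bytes,
                   trusted_keys: Optional[Dict[int, bytes]]) -> Tuple[bool, str]:
    """Decide, as R2 does, whether the reply may be used as a time source.

    trusted_keys is None when R2 has no 'ntp authenticate' and no 'key' on its
    'ntp server' line: it then accepts any well-formed reply (cases 1 and 2).
    Otherwise the reply must carry a valid MAC under a trusted key id (3 and 4).
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "malformed: short packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if trusted_keys is None:
        return True, "accepted, unauthenticated (any MAC present is ignored)"
    if len(mac) != KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "rejected: client requires authentication but reply has no MD5 MAC"
    key_id = struct.unpack("!I", mac[:KEY_ID_LEN])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"rejected: key id {key_id} is not an 'ntp trusted-key'"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[KEY_ID_LEN:]):
        return False, "rejected: digest mismatch (wrong key or altered header)"
    return True, "accepted, authenticated"


def run_cases() -> Dict[str, bool]:
    """Reproduce the four configurations from the post; True means R2 syncs."""
    header = build_server_header()
    return {
        "case1_no_auth": client_accepts(server_reply(header, None), None)[0],
        "case2_server_only": client_accepts(server_reply(header, R1_KEY), None)[0],
        "case3_client_only": client_accepts(server_reply(header, None), {1: R2_KEY})[0],
        "case4_both": client_accepts(server_reply(header, R1_KEY), {1: R2_KEY})[0],
    }


def tampered_reply_rejected() -> bool:
    """Because the MAC covers the header, an altered stratum is detected by R2."""
    genuine = server_reply(build_server_header(stratum=1), R1_KEY)
    forged = build_server_header(stratum=2) + genuine[NTP_HEADER_LEN:]  # reuse MAC
    return not client_accepts(forged, {1: R2_KEY})[0]


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'synchronized' if ok else 'unsynchronized'}")
    print("tampered reply rejected:", tampered_reply_rejected())
```

Only `case3_client_only` fails, matching the `insane, invalid, unsynced` association in the post, and only `case4_both` passes with the `authenticated` flag, which is the one that actually gives R2 any assurance about its source. Two caveats the model makes visible: an unauthenticating client (cases 1 and 2) will follow any host that answers on 12.0.0.1, which is exactly the rogue-server risk the reply describes, and the keyed-MD5 construction is the legacy scheme the `md5` keyword selects rather than an HMAC, so its strength rests entirely on the key staying secret.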



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:38 GMT-3