From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Thu Feb 27 2003 - 19:34:20 GMT-3
Note that only the receiving NTP process (the clock that is going to change)
needs to have the truste-key and authentication set. For instance, the
master clock is not going to use the data that it receives from the server
so it doesn't really have to authenticate or trust the source of the data.
The Master clock appends the hash created with the data, the key and the md5
secret to the end of its NTP data packet. If the server is set to
authenticate and if the received key is trusted, the server uses its'
authentication-key info and the data to recreate the hash. It matches the
calculated hash with the hash from the NTP packet received from the master.
If they are the same, the NTP process on the server uses the info in the NTP
packet.
The same goes for NTP Broadcast Servers/Clients. The traffic flow should be
one way in this case. The Broadcast Server only needs to create the hash
that is appended to the NTP packet so it only needs the 'ntp
authentication-key' command. The NTP Broadcast Client receives the NTP
packet. If ntp authentication is on the client and the received key is a
trusted key, then the Broadcast client calculates the hash. Again if the
calculated hash equals the received hash the data is used by the Clients NTP
process.
Note -- If the Client is does not have 'ntp authenticate', it just uses the
data. It "trusts" all received data.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Scott M. Livingston
Sent: Thursday, February 27, 2003 3:33 PM
To: 'ccie2be'; 'Group Study'
Subject: RE: NTP Clarification
Very nice! Very nice indeed! Thank You!
Scott
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Thursday, February 27, 2003 2:16 PM
To: Group Study; Scott M. Livingston
Subject: Re: NTP Clarification
Hey Scott,
Here are a couple of additional things t keep in mind re:NTP
1) Before NTP will work, the router must have it's clock set.
2) On a LAN, u can config the NTP master to broadcast NTP pkts w/
interface
command: ntp broadcast and have routers recieve these pkts w/ interface
command: ntp broadcast client
3) NTP pkts can (or should) be authenticated with keys
rtrA-------------------------rtrB
NTP master----------------NTP server
1.1.1.1
rtr A config:
ntp master
ntp authentication-key <#> md5 <secret-password>
ntp authenticate
ntp trusted-key <#>
rtrB
ntp server 1.1.1.1 key <#>
ntp authenticate-key <#> md5 <secret-password>
ntp authenticate
ntp trusted-key <#>
Notice that except for the 1st line, the 3 other commands are the same.
And, try to remember that the ntp server x.x.x.x command points to the
address of the server which in this case is the master source. ( I
often
forget so I figure if I tell you, maybe, with any luck, I'll remember
that
myself.)
Hope this is useful.
Jim
----- Original Message -----
From: "Scott M. Livingston" <scottl@sprinthosting.net>
To: <ccielab@groupstudy.com>
Sent: Thursday, February 27, 2003 11:50 AM
Subject: RE: NTP Clarification