From: Jay Hennigan (jay@west.net)
Date: Thu Jun 26 2003 - 17:33:48 GMT-3
On Thu, 26 Jun 2003, Larson, Chris wrote:
> Along the lines of NTP. I am wondering if I can get authenticated as well as
> unauthenticated time from the same time source. In other words, can I have
> some clients who use authentication against NTP server updates and other
> clients that don't? It seems to me that I remember if the server has a key,
> all the clients will need the key.
>
> I am asking because we have a situation where we do not use NTP
> authentication for our devices but it appears the IDS sensor (4210) requires
> authentication if you're going to use NTP as a time source. I was thinking
> either of a configuration that would allow some clients authenticated and
> some not OR a master that synchs with the current master but provides
> authentication to those clients who require it (the sensors).
An authenticating NTP server sends the NTP data in the clear along with
a hash of the same data and the authentication key.
An authenticating receiving peer hashes the plaintext data with its locally
stored trusted key. If the hash matches, authentication succeeds.
A receiver not using authentication simply uses the plaintext data and
throws the hash on the floor. Janitors periodically sweep up the resulting
mess, putting the dregs in the bit bucket outside.
So, your configuration should work.
--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
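The exchange Jay describes, as an added illustration that is not part of the original thread: an authenticating server appends a key ID and an MD5 digest of key-plus-packet (the classic NTP symmetric-key scheme) after the plaintext 48-byte header, an authenticating client recomputes and compares the digest, and an unauthenticated client reads the plaintext header and ignores the trailer. The key string, key ID and timestamp are constructed placeholders, and the header is minimal rather than a full NTP implementation.

```python
import hashlib
import hmac
import struct

# Constructed sample values (placeholders, not from the thread).
TRUSTED_KEY_ID = 1
TRUSTED_KEY = b"ExampleKeyNotReal"
HEADER_LEN = 48                       # NTP header length without the MAC trailer
HEADER_FMT = "!BBbbII4sQQQQ"          # LI/VN/mode, stratum, poll, precision,
                                      # root delay, root disp, ref id, 4 timestamps

def build_header(stratum: int, transmit_ts: int) -> bytes:
    """Minimal NTP v4 server-mode header; other fields are zero for the demo."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4 (server)
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, b"LOCL", 0, 0, 0, transmit_ts)

def mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP MAC: MD5 over key || packet (RFC 5905 A.5.1 style)."""
    return hashlib.md5(key + header).digest()

def server_reply(header: bytes, key_id: int, key: bytes) -> bytes:
    """Authenticating server: plaintext header, then key ID and 16-byte digest."""
    return header + struct.pack("!I", key_id) + mac(key, header)

def authenticating_client(packet: bytes, keys: dict) -> bool:
    """Client with a trusted key: recompute the digest over the plaintext
    header and compare it (constant-time) with the digest the server sent."""
    if len(packet) != HEADER_LEN + 20:
        return False                              # no trailer, or wrong size
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False                              # server used a key we don't trust
    return hmac.compare_digest(mac(key, header), trailer[4:])

def unauthenticated_client(packet: bytes) -> int:
    """Client without authentication: take the transmit timestamp from the
    plaintext header and drop whatever trailer follows it on the floor."""
    header = packet[:HEADER_LEN]
    return struct.unpack(HEADER_FMT, header)[-1]
```

The same reply satisfies both clients; only the authenticating one notices when a byte of the header is altered in transit, which is the integrity the sensor is asking for.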
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:11 GMT-3