RE: NTP headaches

From: Brian McGahan (brian@cyscoexpert.com)
Date: Fri Jun 27 2003 - 15:23:27 GMT-3


Jim,

        Here's a previous post of mine that should help:

http://www.groupstudy.com/archives/ccielab/200212/msg00120.html

        A common misconception about NTP is the way authentication is
implemented; however, it makes perfect sense if you think about it
logically.

        What is the purpose of using NTP authentication? The most
obvious answer is that authentication is used to prevent someone from
tampering with the timestamps on the logs generated by devices. To
implement an attack on NTP, a hacker would make their rogue host appear
to be a valid NTP server. NTP authentication is therefore used to
authenticate the time *source*, not the client.

Take the following scenario:

R1--12.0.0.0/8--R2

R1 and R2 share the segment 12.0.0.0/8. R1 is the NTP master, and R2 is
the client. To get a better understanding of how NTP authentication
works, try the following possible configurations and see which of them
work and which of them do not.

*Note: NTP should not take longer than 15 or 20 seconds to initially
synchronize. If your routers do not synchronize within this period,
remove any 'ntp server' or 'ntp peer' statements and replace them. If
synchronization still does not occur, there is a configuration problem.

Case 1: No authentication

R1#sh run | in ntp
ntp master 1

R2#sh run | in ntp
ntp clock-period 17179865
ntp server 12.0.0.1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#show ntp associations detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 2: Authentication on server, no authentication on client

R1#sh run | in ntp
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp master 1

R2#sh run | in ntp
ntp clock-period 17179863
ntp server 12.0.0.1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 3: No authentication on server, authentication on client

R1#sh run | in ntp
ntp master 1
R1#

R2#sh run | in ntp
ntp authentication-key 1 md5 08701E1F28492647465A5D547E 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179863
ntp server 12.0.0.1 key 1
R2#sh ntp stat
Clock is unsynchronized, stratum 16, no reference clock
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, insane, invalid, unsynced, stratum 16

Case 4: Authentication on server and client

R1#sh run | in ntp
ntp authentication-key 1 md5 0822455D0A16 7
ntp authenticate
ntp master 1
R1#

R2#sh run | in ntp
ntp authentication-key 1 md5 060506324F41 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179865
ntp server 12.0.0.1 key 1
R2#sh ntp stat
Clock is synchronized, stratum 2, reference is 12.0.0.1
<snip>
R2#sh ntp assoc detail
12.0.0.1 configured, authenticated, our_master, sane, valid, stratum 1

        As shown by the above configuration, NTP authentication is used
to authenticate the NTP source, not any associated clients.

HTH

Brian McGahan, CCIE #8593
Director of Design and Implementation
brian@cyscoexpert.com

CyscoExpert Corporation
Internetwork Consulting & Training
Toll Free: 866.CyscoXP
Fax: 847.674.2625
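The four cases above come down to one rule of the protocol: the MAC on an NTP packet lets the receiver check who sent it, and only the client ever insists on checking. Below is a small Python model of that rule, added here as an illustration and not taken from the post or from Cisco IOS. It implements the RFC 5905 section 7.3 symmetric-key MAC (key ID followed by MD5 over key || packet), a master that answers every request but signs only when it holds the request's key ID, and a client whose trusted-key table plays the role of 'ntp trusted-key'. Assumptions: timestamps are zeroed, crypto-NAK replies are not modelled, and the secrets are constructed stand-ins for the post's type-7 encrypted keys.

```python
import hashlib
import hmac
import struct

HDR_LEN = 48  # NTP header length; an optional MAC (4-byte key ID + 16-byte MD5) follows

def ntp_header(mode, stratum):
    """Minimal NTPv4 header (LI=0, VN=4); timestamps are zeroed for brevity (assumption)."""
    return struct.pack("!BBbb", (4 << 3) | mode, stratum, 6, -6) + b"\x00" * 44

def sign(packet, key_id, keys):
    """Append the RFC 5905 section 7.3 symmetric-key MAC: key ID, then MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(keys[key_id] + packet).digest()

def verify(message, trusted):
    """Classify a received message against the receiver's trusted-key table."""
    if len(message) == HDR_LEN:
        return "unauthenticated"
    if len(message) != HDR_LEN + 20:
        return "malformed"
    packet = message[:HDR_LEN]
    key_id = struct.unpack("!I", message[HDR_LEN:HDR_LEN + 4])[0]
    if key_id not in trusted:
        return "untrusted-key"
    expected = hashlib.md5(trusted[key_id] + packet).digest()
    return "authenticated" if hmac.compare_digest(expected, message[HDR_LEN + 4:]) else "bad-mac"

def server_reply(request, server_keys):
    """The master answers every request and signs only when the request's key ID is
    one it holds; it never demands that the client authenticate itself (Case 2)."""
    reply = ntp_header(mode=4, stratum=1)
    if len(request) > HDR_LEN:
        key_id = struct.unpack("!I", request[HDR_LEN:HDR_LEN + 4])[0]
        if key_id in server_keys:
            return sign(reply, key_id, server_keys)
    return reply

def client_sync(server_keys, client_keys, client_key_id=None):
    """Return (status, synchronized). A client_key_id stands for 'ntp server ... key N'
    plus 'ntp authenticate' on the client, which makes an unsigned reply unacceptable."""
    request = ntp_header(mode=3, stratum=0)
    if client_key_id is not None:
        request = sign(request, client_key_id, client_keys)
    status = verify(server_reply(request, server_keys), client_keys)
    if client_key_id is not None:
        return status, status == "authenticated"
    return status, status in ("authenticated", "unauthenticated")
```

Calling client_sync with the key tables of each case reproduces the post's results: Cases 1, 2 and 4 synchronize, Case 3 (keyed client, unkeyed master) does not, and a Case 4 pair whose secrets differ fails with a bad MAC.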

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Friday, June 27, 2003 11:52 AM
> To: Group Study
> Subject: NTP headaches
>
> Hi all,
>
> I've been having problems getting NTP to work as expected.
>
> I have 3 2500's, rtr A, rtrB, and rtrC connected to each other via a
> common ethernet segment.
>
> rtrA-----------------rtrB
> |
> |
> rtrC
>
>
> rtrA config:
> ntp master 6
>
> rtrB config:
> ntp master 10
> ntp server 10.0.1.1 (rtrA's lo0 addr)
>
> rtrC config:
> ntp peer 10.0.1.1
> ntp peer 10.0.2.2 (rtrB's lo0 addr)
>
> Problems and issues:
> Before rtrC was configured, rtrB sync'ed with rtrA as expected, but now
> rtrA won't sync with itself and rtrC is syncing with rtrB. Shouldn't rtrC
> sync with rtrA since it has a lower stratum?
>
> Why doesn't rtrA sync with itself? Show ntp asso det shows "insane,
> invalid, etc."
>
> rtrA and rtrB had sync'ed up properly before I configured authentication,
> but then it stopped working correctly, so I removed the authentication and
> now it won't work. Any ideas as to what's going on?
>
> When doing authentication, is the following necessary?
>
> ntp client:
> ntp server a.b.c.d key #                 (Is this needed when the command,
>                                           ntp trusted key #, is used?)
> ntp trusted key #                        (Is this needed if the key# option
>                                           is used in the above command?)
> ntp authentication-key # md5 <password>
> ntp authenticate
>
>
> According to Doyle, volume II, the command, ntp trusted key #, isn't needed
> on the ntp master, but when I removed it from the master, ntp stopped
> working. Doyle isn't wrong on this point, is he?
>
> Thanks for any insight you can provide, Jim

This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:11:12 GMT-3