NTP Broadcast Security

From: gladston@br.ibm.com
Date: Mon Jul 25 2005 - 12:37:16 GMT-3

• Next message: Arun Arumuganainar: "Re: Frame Question"
• Previous message: Bob Sinclair: "Re: Frame Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

How would you filter ntp broadcast received on a client (R6)?

R6 receives broadcast from R4 and from R2. It should select only R2 as the source of time.

As I saw it, it was necessary an ordinary access-list applyed on the interface receiving the broadcast.

But debugging and tests made change my mind. Debugging shows that, after receiving the ntp broadcast, the client "have a unicast conversation' with the broadcast server.
So, it seems 'ntp access-group ...' could work.
Tests shows that 'ntp access-group peer...' avoid synchronization:

int e0
 ntp broadcast client
ntp access-group peer 27
access-list 27 deny any log

R6#deb ntp pac
NTP packets debugging is on
03:52:16: NTP: rcv packet from 148.5.26.2 to 255.255.255.255 on Ethernet0:
03:52:16: leap 0, mode 5, version 3, stratum 12, ppoll 64
03:52:16: rtdel 07DF (30.746), rtdsp 0046 (1.068), refid 94050101 (148.5.1.1)
03:52:16: ref C68FBC45.2062C2D1 (19:30:13.126 UTC Mon Jul 25 2005)
03:52:16: org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
03:52:16: rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
03:52:16: xmt C68FBC87.1991DAC3 (19:31:19.099 UTC Mon Jul 25 2005)
03:52:16: inp AF3C06F0.0A4BFDD3 (03:52:16.040 UTC Mon Mar 1 1993)

03:52:16: %SEC-6-IPACCESSLOGS: list 27 denied 148.5.26.2 1 packet

Debugging result when 'access-list 27' is removed, and synchronization occurs:

*Jul 25 15:03:53: NTP: rcv packet from 148.5.26.2 to 255.255.255.255 on FastEthernet4/1:
*Jul 25 15:03:53: leap 0, mode 5, version 3, stratum 12, ppoll 64
*Jul 25 15:03:53: rtdel 05EE (23.163), rtdsp 0712 (27.618), refid 94050301 (148.5.3.1)
*Jul 25 15:03:53: ref C68F5554.DE3C2C1D (12:11:00.868 UTC Mon Jul 25 2005)
*Jul 25 15:03:53: org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Jul 25 15:03:53: rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Jul 25 15:03:53: xmt C68F5572.DA2B2138 (12:11:30.852 UTC Mon Jul 25 2005)
*Jul 25 15:03:53: inp C68F7DD9.1F21BE6E (15:03:53.121 UTC Mon Jul 25 2005)
Rack2R6#
*Jul 25 15:04:02: NTP: xmit packet to 148.5.26.2:
*Jul 25 15:04:02: leap 3, mode 3, version 3, stratum 0, ppoll 64
*Jul 25 15:04:02: rtdel 0000 (0.000), rtdsp 10001 (1000.015), refid 00000000 (0.0.0.0)
*Jul 25 15:04:02: ref 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
*Jul 25 15:04:02: org C68F5572.DA2B2138 (12:11:30.852 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: rec C68F7DD9.1F21BE6E (15:03:53.121 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: xmt C68F7DE2.59B7186E (15:04:02.350 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: NTP: rcv packet from 148.5.26.2 to 148.5.26.6 on FastEthernet4/1:
*Jul 25 15:04:02: leap 0, mode 4, version 3, stratum 12, ppoll 64
Rack2R6#
*Jul 25 15:04:02: rtdel 05EE (23.163), rtdsp 0712 (27.618), refid 94050301 (148.5.3.1)
*Jul 25 15:04:02: ref C68F5554.DE3C2C1D (12:11:00.868 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: org C68F7DE2.59B7186E (15:04:02.350 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: rec C68F557C.15BA7829 (12:11:40.084 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: xmt C68F557C.1713B254 (12:11:40.090 UTC Mon Jul 25 2005)
*Jul 25 15:04:02: inp C68F7DE2.5BFBA343 (15:04:02.359 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: NTP: xmit packet to 148.5.26.2:
.Jul 25 12:11:41: leap 3, mode 3, version 3, stratum 0, ppoll 64
.Jul 25 12:11:41: rtdel 06D9 (26.749), rtdsp 28772B87 (10359170.029), refid 94051A02 (148.5.26.2)
.Jul 25 12:11:41: ref C68F7DE2.5BFBA343 (15:04:02.359 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: org 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.Jul 25 12:11:41: rec 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
.Jul 25 12:11:41: xmt C68F557D.15452FD3 (12:11:41.083 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: NTP: rcv packet from 148.5.26.2 to 148.5.26.6 on FastEthernet4/1:
.Jul 25 12:11:41: leap 0, mode 4, version 3, stratum 12, ppoll 64
.Jul 25 12:11:41: rtdel 05EE (23.163), rtdsp 0712 (27.618), refid 94050301 (148.5.3.1)
.Jul 25 12:11:41: ref C68F5554.DE3C2C1D (12:11:00.868 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: org C68F557D.15452FD3 (12:11:41.083 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: rec C68F557D.15D2DEC2 (12:11:41.085 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: xmt C68F557D.173902D8 (12:11:41.090 UTC Mon Jul 25 2005)
.Jul 25 12:11:41: inp C68F557D.17AE7026 (12:11:41.092 UTC Mon Jul 25 2005)

R6 syncronized with R2:

Rack2R6#sh ntp ass

      address ref clock st when poll reach delay offset disp
* 148.5.26.2 148.5.3.1 12 7 64 37 4.0 5.34 3.7
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Rack2R6#sh ntp ass det
148.5.26.2 dynamic, our_master, sane, valid, stratum 12
ref ID 148.5.3.1, time C68F5654.E35CB660 (12:15:16.888 UTC Mon Jul 25 2005)
our mode bdcast client, peer mode bdcast, our poll intvl 64, peer poll intvl 64

• Next message: Arun Arumuganainar: "Re: Frame Question"
• Previous message: Bob Sinclair: "Re: Frame Question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3