Re: NTP Authentication Experiment

From: Cham (chamandeep.gill@gmail.com)
Date: Wed Jan 18 2006 - 07:37:04 GMT-3


I found this link to be very helpful on this:

http://www.internetworkexpert.com/resources/ntp-authentication.htm

thanks,
cham

On 1/18/06, Nick <seajay76@nate.com> wrote:
> Hi, all!!
>
> I tested some ntp feature case by case.
>
> Hope this may help, and please correct me if I'm wrong.
>
> [ PRINCIPLE ]
>
> There seem to be two NTP authentications: one for the ntp server itself,
> the other for the ntp time information from the server.
>
> [CONFIGURATION COMMANDS]
>
> In the NTP server, ntp authentication-key x md5 KEY is used to send the KEY to the client
> so that the client can authenticate the "SERVER".
>
> In the NTP client, ntp host x.x.x.x key KEY is used for NTP "server" authentication,
> and ntp trust-key KEY is used for the NTP "TIME INFORMATION" from the server.
>
>
> Following is the way I found the result.
>
>
> [ TOPOLOGY ]
>
> R5 is the NTP server, R4 is the NTP client.
>
>
> [ PRECAUTION ]
>
> For each step, the "ntp server" command should be deleted and re-entered
> so that we can see the result quickly.
>
>
> [ NOTATIONS ]
>
> Red letter represents time information authentication.
> Blue letter represents server authentication.
>
>
> [ TEST PROCESS-1 ]
>
> SITUATION : Server authentication keys are the same, time authentication keys are different.
> RESULT : Server authentication was successful, but the time authentication failed.
>
> <SERVER-R5>
> Rack5R5(config)#ntp authentication-key 1 md5 cisco
> Rack5R5(config)#ntp source Loopback0
> Rack5R5(config)#ntp master 3
> <CLIENT-R4>
> Rack5R4(config)#ntp authentication-key 1 md5 cisco
> Rack5R4(config)#ntp authentication-key 2 md5 ccie
> Rack5R4(config)#ntp authenticate
> Rack5R4(config)#ntp trusted-key 2
> Rack5R4(config)#ntp server 5.5.5.5 key 1
>
> Rack5R4(config)#do show ntp ass de
> 5.5.5.5 configured, authenticated, insane, invalid, unsynced, stratum 16
> ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
> delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
> precision 2**5, version 3
> org time C778FA59.1056527C (17:33:13.063 UTC Wed Jan 18 2006)
> rcv time C778FA59.1B212885 (17:33:13.105 UTC Wed Jan 18 2006)
> xmt time C778FA59.0BF0263B (17:33:13.046 UTC Wed Jan 18 2006)
> filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
> Now, make the time information authentication key the same.
>
> Rack5R4(config)#no ntp trusted-key 2
> Rack5R4(config)#ntp trusted-key 1
> Rack5R4(config)#end
>
> Rack5R4# show ntp ass de
> 5.5.5.5 configured, authenticated, our_master, sane, valid, stratum 3
> ref ID 127.127.7.1, time C778FAD8.F5510A7F (17:35:20.958 UTC Wed Jan 18 2006)
> our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.419
> delay 58.76 msec, offset -8.1920 msec, dispersion 15875.02
> precision 2**18, version 3
> org time C778FAD9.11E61481 (17:35:21.069 UTC Wed Jan 18 2006)
> rcv time C778FAD9.1B848430 (17:35:21.107 UTC Wed Jan 18 2006)
> xmt time C778FAD9.0C4AA6A5 (17:35:21.048 UTC Wed Jan 18 2006)
> filtdelay = 58.76 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = -8.19 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
> Rack5R4#show ntp ass
>
> address ref clock st when poll reach delay offset disp
> *~5.5.5.5 127.127.7.1 3 20 64 1 58.8 -8.19 15875.
> * master (synced), # master (unsynced), + selected, - candidate, ~ configured
>
>
> [ TEST PROCESS-2 ]
>
> SITUATION : Server authentication keys are different, time authentication keys are the same.
> RESULT : Because the server was not authenticated, the time info. was not used.
>
> <SERVER-R5>
> Rack5R5(config)#ntp authentication-key 1 md5 cisco
> Rack5R5(config)#ntp source Loopback0
> Rack5R5(config)#ntp master 3
> <CLIENT-R4>
> Rack5R4(config)#ntp authentication-key 1 md5 cisco
> Rack5R4(config)#ntp authentication-key 2 md5 ccie
> Rack5R4(config)#ntp authenticate
> Rack5R4(config)#ntp trusted-key 1
> Rack5R4(config)#ntp server 5.5.5.5 key 2
>
> Rack5R4(config)#
> .Jan 18 17:44:47.098: Authentication key 0
> .Jan 18 17:44:48.096: Authentication key 0
>
> Rack5R4(config)#do show ntp ass de
> 5.5.5.5 configured, insane, invalid, unsynced, stratum 16
> ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
> delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
> precision 2**5, version 3
> org time C778FD11.0FA1EDD6 (17:44:49.061 UTC Wed Jan 18 2006)
> rcv time C778FD11.191DE152 (17:44:49.098 UTC Wed Jan 18 2006)
> xmt time C778FD11.09DB7C30 (17:44:49.038 UTC Wed Jan 18 2006)
> filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
> Now, make the server authentication key the same.
>
> Rack5R4(config)#ntp server 5.5.5.5 key 1
> Rack5R4(config)#
> .Jan 18 17:47:04.097: Authentication key 1
> Rack5R4(config)#do show ntp ass de
> 5.5.5.5 configured, authenticated, our_master, sane, valid, stratum 3
> ref ID 127.127.7.1, time C778FD87.F5D378DA (17:46:47.960 UTC Wed Jan 18 2006)
> our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.663
> delay 59.23 msec, offset -8.6605 msec, dispersion 15875.02
> precision 2**18, version 3
> org time C778FD98.0F23A584 (17:47:04.059 UTC Wed Jan 18 2006)
> rcv time C778FD98.18F090AB (17:47:04.097 UTC Wed Jan 18 2006)
> xmt time C778FD98.099723CB (17:47:04.037 UTC Wed Jan 18 2006)
> filtdelay = 59.23 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = -8.66 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
>
>
> [ TEST PROCESS-3 ]
>
> SITUATION : The client authenticates the time information but NOT the server.
> RESULT : Server authentication was not done. Not sure whether the time authentication occurred.
>
> <SERVER-R5>
> Rack5R5(config)#ntp authentication-key 1 md5 cisco
> Rack5R5(config)#ntp source Loopback0
> Rack5R5(config)#ntp master 3
>
> <CLIENT-R4>
> Rack5R4(config)#ntp authentication-key 1 md5 cisco
> Rack5R4(config)#ntp authenticate
> Rack5R4(config)#ntp trusted-key 1
> Rack5R4(config)#ntp server 5.5.5.5
>
> Rack5R4(config)#do show ntp ass de
> 5.5.5.5 configured, our_master, sane, valid, stratum 3
> ref ID 127.127.7.1, time C778FEC7.F5FA8878 (17:52:07.960 UTC Wed Jan 18 2006)
> our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15900.238
> delay 50.40 msec, offset 2.3760 msec, dispersion 15875.02
> precision 2**18, version 3
> org time C778FECE.790F84EE (17:52:14.472 UTC Wed Jan 18 2006)
> rcv time C778FECE.7EE796DE (17:52:14.495 UTC Wed Jan 18 2006)
> xmt time C778FECE.71FBB84A (17:52:14.445 UTC Wed Jan 18 2006)
> filtdelay = 50.40 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 2.38 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
>
> [ TEST PROCESS-4 ]
>
> SITUATION : The client authenticates the server but NOT the time information.
> RESULT : Even though the server itself was successfully authenticated, the time info was not used.
> Since authentication has been enabled, a trust-key must be designated in the client.
> REFERENCE : http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf012.htm#wp1019137
>
> Usage Guidelines
> If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.
>
>
> <SERVER-R5>
> Rack5R5(config)#ntp authentication-key 1 md5 cisco
> Rack5R5(config)#ntp source Loopback0
> Rack5R5(config)#ntp master 3
>
> <CLIENT-R4>
> Rack5R4(config)#ntp authentication-key 1 md5 cisco
> Rack5R4(config)#ntp authenticate
> Rack5R4(config)#ntp server 5.5.5.5 key 1
>
> Rack5R4(config)#
> .Jan 18 17:54:36.506: Authentication key 1
> .Jan 18 17:54:37.504: Authentication key 1
> Rack5R4(config)#
> Rack5R4(config)#
> Rack5R4(config)#do show ntp ass de
> 5.5.5.5 configured, authenticated, insane, invalid, unsynced, stratum 16
> ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
> our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
> root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
> delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
> precision 2**5, version 3
> org time C778FF5F.C01C3A0A (17:54:39.750 UTC Wed Jan 18 2006)
> rcv time C778FF5F.8114AD7C (17:54:39.504 UTC Wed Jan 18 2006)
> xmt time C778FF60.720CB405 (17:54:40.445 UTC Wed Jan 18 2006)
> filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
> filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
>
> Regards,
> Nick
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
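A small Python model of the two-stage check that Nick's four tests exercise, added here as an example; it is not code from the thread, from Cisco IOS or from any NTP implementation. It assumes the RFC 5905 appendix A symmetric-key layout (a 4-byte key ID followed by a 16-byte MD5 digest over key || 48-byte header), and the key table, trusted-key set and packets are constructed to mirror R4's configuration in tests 1 to 4. The point it makes is the one the thread arrives at: a MAC that verifies only proves the packet came from someone holding that key ("authenticated"); the time is usable only if that key ID is also in the trusted set. In test 3 the router still synchronised with no MAC present; the verifier below takes the stricter defensive choice of accepting time only when the MAC verifies under a trusted key ID.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP v3/v4 header length
KEY_ID_LEN = 4
MD5_DIGEST_LEN = 16
MAC_LEN = KEY_ID_LEN + MD5_DIGEST_LEN


def build_ntp_header(version=3, mode=4):
    """Minimal NTP header: LI=0, VN=version, mode (4 = server reply).
    Every other field is zero; the timestamps do not matter for the MAC check."""
    first_byte = (version << 3) | mode
    return struct.pack("!B", first_byte) + bytes(NTP_HEADER_LEN - 1)


def append_mac(header, key_id, key):
    """Append the assumed RFC 5905 appendix A MAC: key ID + MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, key_table, trusted_key_ids):
    """Classify a received packet the way the thread's four tests do.

    Returns one of:
      'no_mac'                  no MAC present (test 3)
      'mac_mismatch'            key ID unknown or digest wrong (test 2)
      'authenticated_untrusted' MAC verified, key ID not in ntp trusted-key (tests 1 and 4)
      'authenticated_trusted'   MAC verified and key ID trusted: time may be used
      'malformed'               header too short or trailer of unexpected length
    """
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) < NTP_HEADER_LEN:
        return "malformed"
    if not trailer:
        return "no_mac"
    if len(trailer) != MAC_LEN:
        return "malformed"
    key_id = struct.unpack("!I", trailer[:KEY_ID_LEN])[0]
    received_digest = trailer[KEY_ID_LEN:]
    key = key_table.get(key_id)
    if key is None:
        return "mac_mismatch"          # no such ntp authentication-key on this side
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, received_digest):
        return "mac_mismatch"          # wrong key or altered header
    if key_id not in trusted_key_ids:
        return "authenticated_untrusted"
    return "authenticated_trusted"


def accept_time(verdict):
    """Only a verified MAC under a trusted key ID lets the time be used."""
    return verdict == "authenticated_trusted"


def run_thread_scenarios():
    """Reproduce the four client-side set-ups from the thread on constructed packets."""
    header = build_ntp_header()
    server_key = b"cisco"                 # R5: ntp authentication-key 1 md5 cisco
    r4_keys = {1: b"cisco", 2: b"ccie"}   # R4: authentication-key 1 and 2
    results = {}
    # Test 1: server signs with key 1 (matches R4's key 1), but R4 trusts only key 2.
    results["test1"] = verify_packet(append_mac(header, 1, server_key), r4_keys, {2})
    # Test 2: packet claims key 2, yet the digest was made with the server's key "cisco";
    # R4 recomputes with "ccie" and the digests differ.
    results["test2"] = verify_packet(append_mac(header, 2, server_key), r4_keys, {1})
    # Test 3: no key on "ntp server", so the packet carries no MAC at all.
    results["test3"] = verify_packet(header, r4_keys, {1})
    # Test 4: key matches but no ntp trusted-key is configured.
    results["test4"] = verify_packet(append_mac(header, 1, server_key), {1: b"cisco"}, set())
    # Working configuration: key 1 on both sides and trusted on the client.
    results["fixed"] = verify_packet(append_mac(header, 1, server_key), r4_keys, {1})
    # Integrity check: a single flipped header byte must break an otherwise good MAC.
    good = bytearray(append_mac(header, 1, server_key))
    good[40] ^= 0x01                      # inside the transmit-timestamp field
    results["tampered"] = verify_packet(bytes(good), r4_keys, {1})
    return results


if __name__ == "__main__":
    for name, verdict in run_thread_scenarios().items():
        print(f"{name}: {verdict} -> use time: {accept_time(verdict)}")
```

The MD5 used here is a keyed digest, not a signature: anyone holding the shared key can produce a valid MAC, which is why the thread's "authenticated" flag on its own never causes synchronisation, and why the trusted-key set is the control that actually decides which sources may set the clock.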



This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:49 GMT-3