Re: NTP authentication

From: Nick (seajay76@nate.com)
Date: Mon Jan 30 2006 - 12:23:51 GMT-3


Yes, Friend.

If the client doesn't authenticate the server, it doesn't matter whether the server is configured with the authentication key or not. :)

So, it'll sync with the server. In this situation, neither party authenticates the other.

HTH

Regards,
Nick
----- Original Message -----
From: CCIEin2006
To: Nick
Sent: Monday, January 30, 2006 10:52 PM
Subject: Re: NTP authentication

Excellent - very thorough!

Just to clarify one point...if the server has authentication key configured but the client does not, the client will still sync because the server does not try to authenticate the client?

Thanks again!

 
On 1/30/06, Nick <seajay76@nate.com> wrote:
Here is the Configuration I used in the lab.

HTH

Regards,
Nick

----- Original Message -----
From: Nick
To: Cisco certification
Sent: Wednesday, January 18, 2006 6:35 PM
Subject: NTP Authentication Experiment

 
Hi, all!!

I tested some ntp feature case by case.

Hope this may help, and please correct me if I'm wrong.

[ PRINCIPLE ]

There seem to be two NTP authentications: one for the ntp server itself,
the other for the ntp time information from the server.

[CONFIGURATION COMMANDS]

In the NTP server, ntp authentication-key x md5 KEY is used to send the KEY to the client
so that the client can authenticate the "SERVER".

In the NTP client, ntp host x.x.x.x key KEY is used for NTP "server" authentication,
and ntp trust-key KEY is used for the NTP "TIME INFORMATION" from the server.

Following is the way I found the result.

[ TOPOLOGY ]

R5 is the NTP server , R4 is the NTP client

[ PRECAUTION ]

For each step, the "ntp server" command should be deleted and re-entered
so that we can see the result quickly.

[ NOTATIONS ]

Red letter represents time information authentication.
Blue letter represents server authentication.

[ TEST PROCESS-1 ]

SITUATION : Server Authentication Keys are same, Time Authentication Keys are different.
RESULT : Server authentication was successful, but the time authentication failed.

<SERVER-R5>
Rack5R5(config)#ntp authentication-key 1 md5 cisco
Rack5R5(config)#ntp source Loopback0
Rack5R5(config)#ntp master 3
<CLIENT-R4>
Rack5R4(config)#ntp authentication-key 1 md5 cisco
Rack5R4(config)#ntp authentication-key 2 md5 ccie
Rack5R4(config)#ntp authenticate
Rack5R4(config)#ntp trusted-key 2
Rack5R4(config)#ntp server 5.5.5.5 key 1

Rack5R4(config)#do show ntp ass de
5.5.5.5 configured, authenticated, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time C778FA59.1056527C (17:33:13.063 UTC Wed Jan 18 2006)
rcv time C778FA59.1B212885 (17:33:13.105 UTC Wed Jan 18 2006)
xmt time C778FA59.0BF0263B (17:33:13.046 UTC Wed Jan 18 2006)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Now, make the time information authentication key same.

Rack5R4(config)#no ntp trusted-key 2
Rack5R4(config)#ntp trusted-key 1
Rack5R4(config)#end

Rack5R4# show ntp ass de
5.5.5.5 configured, authenticated, our_master , sane, valid, stratum 3
ref ID 127.127.7.1, time C778FAD8.F5510A7F (17:35:20.958 UTC Wed Jan 18 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.419
delay 58.76 msec, offset -8.1920 msec, dispersion 15875.02
precision 2**18, version 3
org time C778FAD9.11E61481 (17:35:21.069 UTC Wed Jan 18 2006)
rcv time C778FAD9.1B848430 (17:35:21.107 UTC Wed Jan 18 2006)
xmt time C778FAD9.0C4AA6A5 (17:35:21.048 UTC Wed Jan 18 2006)
filtdelay = 58.76 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = -8.19 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Rack5R4#show ntp ass

      address         ref clock       st   when   poll  reach   delay   offset    disp
*~5.5.5.5         127.127.7.1       3    20     64    1       58.8    -8.19    15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

[ TEST PROCESS-2 ]

SITUATION : Server Authentication Keys are different , Time Authentication Keys are same.
RESULT : Because the server was not authenticated, the time info. was not used.

<SERVER-R5>
Rack5R5(config)#ntp authentication-key 1 md5 cisco
Rack5R5(config)#ntp source Loopback0
Rack5R5(config)#ntp master 3
<CLIENT-R4>
Rack5R4(config)#ntp authentication-key 1 md5 cisco
Rack5R4(config)#ntp authentication-key 2 md5 ccie
Rack5R4(config)#ntp authenticate
Rack5R4(config)#ntp trusted-key 1
Rack5R4(config)#ntp server 5.5.5.5 key 2

Rack5R4(config)#
.Jan 18 17:44:47.098: Authentication key 0
.Jan 18 17:44:48.096: Authentication key 0

Rack5R4(config)#do show ntp ass de
5.5.5.5 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0 , time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time C778FD11.0FA1EDD6 (17:44:49.061 UTC Wed Jan 18 2006)
rcv time C778FD11.191DE152 (17:44:49.098 UTC Wed Jan 18 2006)
xmt time C778FD11.09DB7C30 (17:44:49.038 UTC Wed Jan 18 2006)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Now, make the server authentication key same.

Rack5R4(config)#ntp server 5.5.5.5 key 1
Rack5R4(config)#
.Jan 18 17:47:04.097: Authentication key 1
Rack5R4(config)#do show ntp ass de
5.5.5.5 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 127.127.7.1, time C778FD87.F5D378DA (17:46:47.960 UTC Wed Jan 18 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.663
delay 59.23 msec, offset -8.6605 msec, dispersion 15875.02
precision 2**18, version 3
org time C778FD98.0F23A584 (17:47:04.059 UTC Wed Jan 18 2006)
rcv time C778FD98.18F090AB (17:47:04.097 UTC Wed Jan 18 2006)
xmt time C778FD98.099723CB (17:47:04.037 UTC Wed Jan 18 2006)
filtdelay = 59.23 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = -8.66 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

[ TEST PROCESS-3 ]

SITUATION : The client authenticates the time information but NOT the server.
RESULT : Server authentication was not done. Not sure whether the time authentication occurred.

<SERVER-R5>
Rack5R5(config)#ntp authentication-key 1 md5 cisco
Rack5R5(config)#ntp source Loopback0
Rack5R5(config)#ntp master 3

<CLIENT-R4>
Rack5R4(config)#ntp authentication-key 1 md5 cisco
Rack5R4(config)#ntp authenticate
Rack5R4(config)#ntp trusted-key 1
Rack5R4(config)#ntp server 5.5.5.5

Rack5R4(config)#do show ntp ass de
5.5.5.5 configured, our_master, sane, valid, stratum 3
ref ID 127.127.7.1 , time C778FEC7.F5FA8878 (17:52:07.960 UTC Wed Jan 18 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15900.238
delay 50.40 msec, offset 2.3760 msec, dispersion 15875.02
precision 2**18, version 3
org time C778FECE.790F84EE (17:52:14.472 UTC Wed Jan 18 2006)
rcv time C778FECE.7EE796DE (17:52:14.495 UTC Wed Jan 18 2006)
xmt time C778FECE.71FBB84A (17:52:14.445 UTC Wed Jan 18 2006)
filtdelay = 50.40 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 2.38 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

[ TEST PROCESS-4 ]

SITUATION : The client authenticates the server but NOT the time information.
RESULT : Even though the server itself was successfully authenticated, the time info was not used.
         Since authentication has been enabled, a trusted-key must be designated in the client.
REFERENCE : http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf012.htm#wp1019137

Usage Guidelines
If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.

<SERVER-R5>
Rack5R5(config)#ntp authentication-key 1 md5 cisco
Rack5R5(config)#ntp source Loopback0
Rack5R5(config)#ntp master 3

<CLIENT-R4>
Rack5R4(config)#ntp authentication-key 1 md5 cisco
Rack5R4(config)#ntp authenticate
Rack5R4(config)#ntp server 5.5.5.5 key 1

Rack5R4(config)#
.Jan 18 17:54:36.506: Authentication key 1
.Jan 18 17:54:37.504: Authentication key 1
Rack5R4(config)#
Rack5R4(config)#
Rack5R4(config)#do show ntp ass de
5.5.5.5 configured, authenticated, insane, invalid , unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time C778FF5F.C01C3A0A (17:54:39.750 UTC Wed Jan 18 2006)
rcv time C778FF5F.8114AD7C (17:54:39.504 UTC Wed Jan 18 2006)
xmt time C778FF60.720CB405 (17:54:40.445 UTC Wed Jan 18 2006)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Regards,
Nick
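The two checks Nick's lab separates (does the MAC verify under a configured key, and is that key ID listed as trusted) can be replayed in code. The following is an added example, not part of the thread or of Cisco's implementation: it builds NTPv3 packets with the MD5 MAC format IOS uses (4-byte key ID followed by MD5(key || header)) and applies the client-side verdicts for test processes 1, 2 and 4 with the thread's keys; the header timestamps are zero placeholders and the "no MAC" reply in test 2 is an assumption about what the server sends when it lacks the requested key.

```python
import hashlib
import hmac
import struct

# Constructed example (not from the thread): NTPv3 MD5 authentication as Cisco IOS
# uses it. The MAC after the 48-byte header is a 4-byte key ID plus MD5(key || header).
HEADER_LEN = 48
MAC_LEN = 4 + 16


def build_header(stratum: int, ref_id: bytes = b"\x7f\x7f\x07\x01") -> bytes:
    """Minimal NTPv3 server header (LI=0, VN=3, mode=4); timestamps are zero placeholders."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    return struct.pack("!BBbbII4s4Q", li_vn_mode, stratum, 6, -18, 0, 0, ref_id, 0, 0, 0, 0)


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC a server holding 'ntp authentication-key <key_id> md5 <key>' would send."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def check(packet: bytes, keys: dict, trusted_keys: set) -> dict:
    """The two client-side verdicts from the thread: 'authenticated' (the MAC verifies under a
    key the client has configured) and 'trusted' (that key ID is listed with ntp trusted-key).
    The server's time is only usable when both hold."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(mac) != MAC_LEN:  # no MAC at all (assumed reply when the server lacks the key)
        return {"key_id": 0, "authenticated": False, "trusted": False, "use_time": False}
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    authenticated = key is not None and hmac.compare_digest(
        hashlib.md5(key + header).digest(), mac[4:])
    trusted = key_id in trusted_keys
    return {"key_id": key_id, "authenticated": authenticated,
            "trusted": trusted, "use_time": authenticated and trusted}


def thread_scenarios() -> dict:
    """Replay test processes 1, 2 and 4 with the thread's keys (1 = cisco, 2 = ccie)."""
    client_keys = {1: b"cisco", 2: b"ccie"}
    header = build_header(stratum=3)
    reply_key1 = sign(header, 1, b"cisco")  # R5 replies with its only key
    return {
        # test 1: key 1 verifies, but trusted-key is 2 -> authenticated, time not used
        "test1": check(reply_key1, client_keys, {2}),
        # test 2: R4 asked with key 2, R5 has no key 2 and answers without a MAC
        "test2": check(header, client_keys, {1}),
        # test 4: key 1 verifies, but no trusted-key is configured at all
        "test4": check(reply_key1, {1: b"cisco"}, set()),
        # test 1 after "ntp trusted-key 1": both checks pass, time is used
        "test1_fixed": check(reply_key1, client_keys, {1}),
    }
```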



This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:50 GMT-3