Re: NTP authentication

From: Petr Lapukhov (petrsoft@gmail.com)
Date: Tue May 02 2006 - 01:51:00 ART


Hi Luis,

Looked through Appendix C quickly; here are the main points:

....
The authenticator field consists of two subfields, one consisting of the
pkt.keyid variable and the other the pkt.check variable computed by the
encrypt procedure
...
If authentication is not enabled, the procedure simply exits. If the
association is active (modes 1, 3, 5), the key is determined from the
system key identifier. If the association is passive (modes 2, 4) the
key is determined from the peer key identifier, if the authentic bit is
set, or as the default key (zero) otherwise.
....

Yet they describe the use of DES CBC for checksum computation :)

HTH
Petr

2006/5/1, Luis Rueda <luis.rueda@comsat.com.co>:
>
> Dave,
>
> I took a look at the RFC and surprisingly, the key is mentioned, but it
> was not clear to me if they have to match. Take a look at Appendix C.
>
> http://www.faqs.org/rfcs/rfc1305.html
>
> Regards,
>
> Luis
>
> ------------------------------
> *From:* Schulz, Dave [mailto:DSchulz@dpsciences.com]
> *Sent:* Monday, May 01, 2006 9:07 AM
> *To:* Petr Lapukhov
> *CC:* Luis Rueda; Michael; ccielab
> *Subject:* RE: NTP authentication
>
> Nice explanation, Petr. So, then you are saying the keys must agree not
> only in the key itself, but also the number.
>
>
> Dave Schulz,
>
> Email: dschulz@dpsciences.com
>
>
> ------------------------------
>
> *From:* Petr Lapukhov [mailto:petrsoft@gmail.com]
> *Sent:* Monday, May 01, 2006 9:58 AM
> *To:* Schulz, Dave
> *Cc:* Luis Rueda; Michael; ccielab
> *Subject:* Re: NTP authentication
>
>
>
> Guys,
>
> I think I got some logic behind this..
>
> Okay, so what does that mean :))
>
> First of all, all authenticated packets carry key numbers with them. Next:
>
> 1) We have "active" and "passive" modes. Active mode (peer active, client)
> deduces key from "key" parameter in command line (ntp peer key,
> ntp server key).
>
> Passive mode deduces key number from incoming "active" packet,
> and looks up key-string in its keyring. E.g. when server receives a query
> with key, it replies with the key-string under same key-number
> from its key-ring.
>
> 2) As I get it, only "synchronization" packets need to be authenticated.
> That is, only packets that can change our clock need to be authenticated.
>
> So, "ntp server" is not required to check authentication in query packet.
> It does something else, though. More on that later.
>
> 3) Authentication is not enabled until we enter "ntp authenticate"
> command.
> When "ntp authenticate" is turned on, we inspect every "sync" packet
> to get key number. We then look up that key-string by its number in our key
> ring, verify md5 checksum, and if the key is trusted, we consider packet to be
> authenticated.
>
> 4) As I said, when a "passive" router receives packet from "active"
> neighbor, it looks up its key ring. Next, if this is "sync" packet, we need to
> validate it. That is, key needs to be trusted, and md5 sum must match.
>
> If this is a "query" packet, we simply reply with "sync" packet, and
> include key from our key-ring in reply, looking up that key by key-number
> from packet.
>
> That's all I get :) By the way, I discovered that we don't need to enable
> "ntp authentication" on server either. It still does respond with
> appropriate keys.
>
> HTH
> Petr
>
> 2006/5/1, Schulz, Dave <DSchulz@dpsciences.com>:
>
> That is what I was thinking, but after doing the debugs I didn't see
> this. I'll run it again.
>
>
> Dave Schulz,
>
> Email: dschulz@dpsciences.com
>
>
> ------------------------------
>
> *From:* Petr Lapukhov [mailto:petrsoft@gmail.com]
> *Sent:* Monday, May 01, 2006 9:05 AM
> *To:* Schulz, Dave
> *Cc:* Luis Rueda; Michael; ccielab
> *Subject:* Re: NTP authentication
>
>
>
> Actually, if you do a "debug ntp authentication" you will see,
> that NTP packets carry key number with them :))
>
> I try to dig that topic, since information on NTP is scarce and vague :))
>
> Petr
>
> 2006/5/1, Schulz, Dave <DSchulz@dpsciences.com >:
>
> Luis -
>
> Do you have a configuration where this worked successfully? I labbed it
> up and could only get the authentication to work if the key #'s are the
> same.
>
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto: nobody@groupstudy.com] On Behalf Of
> Luis Rueda
> Sent: Sunday, April 30, 2006 4:09 PM
> To: Michael; ccielab
> Subject: RE: NTP authentication
>
> If you mean like OSPF that you have to use the same number on both ? I'm
> pretty sure not. I have used them with different numbers and they all
> work.
>
> Different numbers are supported because maybe you have different servers
> with different passwords....
>
> Hope it helps.
>
> Luis
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto: nobody@groupstudy.com] On Behalf Of
> Michael
> Sent: Sunday, April 30, 2006 3:05 PM
> To: ccielab
> Subject: RE: NTP authentication
>
> Hi Groupstudy,
>
>
>
> Is there anyone that can please comment / help on this subject?
>
>
>
> Thanks in advance,
>
> Michael
>
>
>
> _____
>
> From: Michael [mailto: mamiller2@comcast.net]
> Sent: Sunday, April 30, 2006 2:43 AM
> To: ccielab (ccielab@groupstudy.com)
> Subject: NTP authentication
>
>
>
>
>
> Hey all~
>
>
>
> Can anyone confirm that ntp key id numbers also need to be the same for
> peers using md5 authentication? I have been experimenting with
> different configurations and this is all that seems to work.
>
>
>
>
>
> P1R1-2511#show run | inc ntp
> ntp authentication-key 1 md5 0941571D100812 7
> ntp authentication-key 3 md5 00070155 7
> ntp authenticate
> ntp trusted-key 1
> ntp trusted-key 3
> ntp trusted-key 6
> ntp clock-period 17180181
> ntp peer 10.10.3.3 key 3
> ntp peer 10.10.4.4 key 1
> ntp peer 10.10.5.5 key 1
> ntp peer 10.10.6.6 key 1
> ntp peer 10.10.7.7 key 1
> ntp peer 10.10.8.8 key 1
> ntp peer 10.10.9.9 key 1
> ntp server 66.90.78.182
> P1R1-2511#
>
> CR3#show run | inc ntp
> ntp authentication-key 3 md5 104D1B4A 7
> ntp authenticate
> ntp trusted-key 3
> ntp clock-period 17208479
> ntp source Loopback0
> ntp peer 10.10.1.1 key 3 prefer
> CR3#
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
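The lookup Petr describes above (key number carried in the packet, looked up in the receiver's own key ring, trusted-key check, then MD5 verify) as an added Python example; it is not code from this thread or from IOS. It assumes the NTPv3/v4 keyed-MD5 authenticator MD5(key || header) with a 4-byte key id and 16-byte digest appended to the 48-byte header, and the key rings and secrets are constructed sample values; the second router holds the same secret as the first router's key 1 under a different id, which is exactly the case the thread is arguing about.

```python
import hashlib
import hmac
import struct

# Constructed key rings for two routers, mirroring the "ntp authentication-key <id> md5 <string>"
# and "ntp trusted-key <id>" lines in the thread. Key strings are invented sample values.
KEYRING_A = {1: b"cisco1", 3: b"cisco3"}
TRUSTED_A = {1, 3, 6}
KEYRING_B = {3: b"cisco3", 7: b"cisco1"}   # same secret as A's key 1, but stored under id 7
TRUSTED_B = {3, 7}

NTP_HEADER_LEN = 48   # fixed header; authenticator (4-byte key id + 16-byte MD5) follows it

def build_header(mode: int, stratum: int = 2) -> bytes:
    """Minimal 48-byte NTP header: LI=0, VN=3, mode, stratum, poll, precision, zeroed rest."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44

def mac(key: bytes, header: bytes) -> bytes:
    """Keyed MD5 as NTP uses it (RFC 5905 sec. 7.3 / ntpd): MD5(key || header), not HMAC."""
    return hashlib.md5(key + header).digest()

def authenticate(header: bytes, keyid: int, keyring: dict) -> bytes:
    """Active side: append the key number given on the command line and the digest."""
    return header + struct.pack("!I", keyid) + mac(keyring[keyid], header)

def verify(packet: bytes, keyring: dict, trusted: set) -> str:
    """Passive side: read the key number from the packet, look it up in *our* key ring,
    require it to be trusted, then recompute the digest. Returns "ok" or the reason."""
    if len(packet) < NTP_HEADER_LEN + 20:
        return "unauthenticated"            # no authenticator field present
    header = packet[:NTP_HEADER_LEN]
    keyid = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + 20]
    key = keyring.get(keyid)
    if key is None:
        return f"key {keyid} not in key ring"   # same secret under another id does not help
    if keyid not in trusted:
        return f"key {keyid} not trusted"
    if not hmac.compare_digest(mac(key, header), digest):
        return f"bad md5 for key {keyid}"
    return "ok"

if __name__ == "__main__":
    sync = authenticate(build_header(1), 3, KEYRING_A)      # A -> B, symmetric active, key 3
    print(verify(sync, KEYRING_B, TRUSTED_B))                 # ok
    print(verify(authenticate(build_header(1), 1, KEYRING_A), KEYRING_B, TRUSTED_B))  # key 1 not in key ring
```

Because the receiver indexes its key ring by the number in the packet, a matching secret stored under a different number is never even consulted, which is the behaviour Dave and Michael observed in the lab.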



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART