From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Tue May 02 2006 - 05:03:06 ART
You can find a decent explanation here regarding NTP auth. Yes,
"trusted-key" is needed for the client only.
http://www.internetworkexpert.com/resources/01700369.htm
As for the source interface, it looks like it is only used by the client.
This small config, along with debug ip packet for NTP, shows that the server
is replying with its FR interface IP regardless of having "ntp source
lo0". The NTP client does make use of "ntp source lo0".
NTP master
r1#sh run in lo 0
Building configuration...
Current configuration : 63 bytes
!
interface Loopback0
ip address 15.15.1.1 255.255.255.0
end
r1#sh run in ser 0.1
Building configuration...
Current configuration : 127 bytes
!
interface Serial0.1 point-to-point
ip address 15.15.12.1 255.255.255.0
frame-relay interface-dlci 102
end
r1#sh run | in ntp
ntp authentication-key 1 md5 13061E010803 7
ntp source Loopback0
ntp master 3
NTP client
r2#sh run in lo 0
Building configuration...
Current configuration : 63 bytes
!
interface Loopback0
ip address 15.15.2.2 255.255.255.0
end
r2#sh run in ser 0.1
Building configuration...
Current configuration : 146 bytes
!
interface Serial0.1 point-to-point
ip address 15.15.12.2 255.255.255.0
frame-relay interface-dlci 201
end
r2#sh run | in ntp
ntp authentication-key 1 md5 030752180500 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 15.15.12.1 key 1
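As an added illustration (not from this thread or from IOS), here is a small Python model of the checks a client with "ntp authenticate" and "ntp trusted-key" applies to a reply: the RFC 1305-style MD5 authenticator MD5(key || 48-byte header) is verified with a key ID that must be in the trusted set, and because no IP address is covered by that digest, the reply's source address is matched separately against the configured server address. The key strings are constructed (the thread's keys are stored type-7 encrypted).

```python
import hashlib
import hmac
import struct

# Constructed key table standing in for "ntp authentication-key 1 md5 ...".
KEYS = {1: b"cisco"}
# Keys the client accepts in replies ("ntp trusted-key 1").
TRUSTED_KEYS = {1}


def ntp_mac(key, header):
    """RFC 1305 Appendix C authenticator: MD5 over key || 48-byte NTP header."""
    return hashlib.md5(key + header).digest()


def build_authenticated_packet(key_id, key, stratum=3):
    """Build a minimal 48-byte NTPv3 server header and append key id + MAC."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4          # LI=0, version 3, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def verify_reply(packet, src_ip, expected_server_ip):
    """Client-side acceptance check; returns (accepted, reason).

    The digest covers only the NTP header, so the reply's source address
    must be matched against the configured "ntp server" address on its own.
    """
    if src_ip != expected_server_ip:
        return False, "reply source %s does not match configured server" % src_ip
    if len(packet) != 48 + 4 + 16:
        return False, "no authenticator present"
    header, mac = packet[:48], packet[52:]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = KEYS.get(key_id)
    if key is None or key_id not in TRUSTED_KEYS:
        return False, "key id %d not trusted" % key_id
    if not hmac.compare_digest(mac, ntp_mac(key, header)):
        return False, "digest mismatch"
    return True, "authenticated with key %d" % key_id
```

A reply sourced from the server's loopback while the client is configured for the FR address fails the address match even though the digest is valid, which is the behaviour the config above is probing.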
on 29/04/2006 12:22 Wang, Ting (Taylor) wrote:
> Hi Group,
> Anyone have the idea on the NTP questions in my last mail?
> Does "ntp source lo0" and "ntp trusted-key 1234" only make sense for
> client?
> Taylor
> -----Original Message-----
> From: Wang, Ting (Taylor)
> Sent: Friday, April 28, 2006 11:02 AM
> To: 'Michy Eika'; 'ccielab@groupstudy.com'
> Subject: RE: NTP authentication is affected by source interface?[2]
>
> Hi ,
> I think the "ntp source lo0" is only useful for the client, for the purpose
> of robustness and the ntp ACL. The "ntp server 1.1.1.1" indicates the
> destination IP address for the NTP request is lo0 of the NTP server.
> BTW, I think the command "ntp trusted-key 1234" is only needed on the
> client. It is redundant for the NTP server, since the client authenticates the
> server only, not vice versa. Could anyone confirm if I'm right?
> Taylor
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Michy Eika
> Sent: Sunday, April 23, 2006 9:06 AM
> To: ccielab@groupstudy.com
> Subject: NTP authentication is affected by source interface?[2]
>
> Hi folks!
>
> Hello again. And I wanna supplement my question with the network topology.
> I'm planning to use NTP. But if I want to configure routers to make it
> more robust and secure, I think I should implement authentication and a
> redundant path to connect to the NTP server (ntp master router). In this case,
> do I need to make the loopback interface the source interface on both
> routers (client and server router)?
> I'm concerned about the impact of one of the redundant links failing. I wonder
> what happens if a redundant link failure occurs on the NTP server or client. I
> wonder whether the authentication is affected... (and etc...). I think the ntp ACL
> will be affected by this circumstance.
>
> |--lo0[R1]s0/0-----[R2]------s0/1[R3]lo0--|
> |e0/0 e0/1|
> |-----------[R4]-----------|
> R1 lo:1.1.1.1
> R3 lo:3.3.3.3
> * R1 can reach R3 and vice versa.
>
> [R1]
> ntp master 3
> ntp source Loopback0
> ntp authenticate
> ntp authentication-key 1234 md5 cisco
> ntp trusted-key 1234
>
> [R3]
> ntp server 1.1.1.1 key 1234
> ntp source Loopback0
> ntp authenticate
> ntp authentication-key 1234 md5 cisco
> ntp trusted-key 1234
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART