Re: NTP authentication is affected by source interface?[2]

From: Michy Eika (cciemaster@shingor.net)
Date: Thu May 04 2006 - 01:33:34 ART


Thanks all.

With respect to NTP, it's a little bit hard for me to investigate. :-)

I appreciate your cooperation so much!

Michy
----- Original Message -----
From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
To: "Wang, Ting (Taylor)" <wangting@avaya.com>
Cc: "Michy Eika" <cciemaster@shingor.net>; <ccielab@groupstudy.com>
Sent: Tuesday, May 02, 2006 5:03 PM
Subject: Re: NTP authentication is affected by source interface?[2]

> You can find a decent explanation here regarding NTP auth. Yes,
> "trusted-key" is needed for client only.
> http://www.internetworkexpert.com/resources/01700369.htm
>
> As for source interface, it looks like it is only used by the client.
> This small config along with debug ip packets for NTP shows that the server
> is replying with its FR interface IP regardless of having "ntp source
> lo0". The NTP client does make use of "source lo0".
>
> NTP master
>
> r1#sh run in lo 0
> Building configuration...
>
> Current configuration : 63 bytes
> !
> interface Loopback0
> ip address 15.15.1.1 255.255.255.0
> end
>
> r1#sh run in ser 0.1
> Building configuration...
>
> Current configuration : 127 bytes
> !
> interface Serial0.1 point-to-point
> ip address 15.15.12.1 255.255.255.0
> frame-relay interface-dlci 102
> end
>
> r1#sh run | in ntp
> ntp authentication-key 1 md5 13061E010803 7
> ntp source Loopback0
> ntp master 3
>
>
>
> NTP client
>
> r2#sh run in lo 0
> Building configuration...
>
> Current configuration : 63 bytes
> !
> interface Loopback0
> ip address 15.15.2.2 255.255.255.0
> end
>
> r2#sh run in ser 0.1
> Building configuration...
>
> Current configuration : 146 bytes
> !
> interface Serial0.1 point-to-point
> ip address 15.15.12.2 255.255.255.0
> frame-relay interface-dlci 201
> end
>
> r2#sh run | in ntp
> ntp authentication-key 1 md5 030752180500 7
> ntp authenticate
> ntp trusted-key 1
> ntp source Loopback0
> ntp server 15.15.12.1 key 1
>
> on 29/04/2006 12:22 Wang, Ting (Taylor) wrote:
>> Hi Group,
>> Anyone have the idea on the NTP questions in my last mail?
>> Does "ntp source lo0" and "ntp trusted-key 1234" only make sense for
>> client?
>> Taylor
>> -----Original Message-----
>> From: Wang, Ting (Taylor)
>> Sent: Friday, April 28, 2006 11:02 AM
>> To: 'Michy Eika'; 'ccielab@groupstudy.com'
>> Subject: RE: NTP authentication is affected by source interface?[2]
>>
>> Hi,
>> I think the "ntp source lo0" is only useful for the client, for the purpose
>> of robustness and the ntp ACL. The "ntp server 1.1.1.1" indicates that the
>> destination IP address for NTP requests is lo0 of the NTP server.
>> BTW, I think the command "ntp trusted-key 1234" is only needed on the
>> client. It is redundant for the NTP server, since the client authenticates the
>> server only, not vice versa. Could anyone confirm if I'm right?
>> Taylor
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Michy Eika
>> Sent: Sunday, April 23, 2006 9:06 AM
>> To: ccielab@groupstudy.com
>> Subject: NTP authentication is affected by source interface?[2]
>>
>> Hi folks!
>>
>> Hello again. I want to supplement my question with the network topology.
>> I'm planning to use NTP. But if I want to configure routers to make it
>> more robust and secure, I think I should implement authentication and
>> a redundant path to connect to the NTP server (ntp master router). In this case,
>> do I need to make the loopback interface the source interface on both
>> routers (client and server router)?
>> I'm concerned about the impact of a failure of one of the redundant links. I wonder
>> what happens if a redundant link failure occurs on the NTP server or client. I
>> wonder whether the authentication is affected (etc.). I think the ntp ACL
>> will be affected in this circumstance.
>>
>> |--lo0[R1]s0/0-----[R2]------s0/1[R3]lo0--|
>> |e0/0 e0/1|
>> |-----------[R4]-----------|
>> R1 lo:1.1.1.1
>> R3 lo:3.3.3.3
>> * R1 can reach R3 and vice versa.
>>
>> [R1]
>> ntp master 3
>>
>> ntp source Loopback0
>>
>> ntp authenticate
>>
>> ntp authentication-key 1234 md5 cisco
>>
>> ntp trusted-key 1234
>>
>>
>> [R3]
>> ntp server 1.1.1.1 key 1234
>>
>> ntp source Loopback0
>>
>> ntp authenticate
>>
>> ntp authentication-key 1234 md5 cisco
>>
>> ntp trusted-key 1234
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
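The check the thread is discussing, as an added example that is not part of any poster's message or of Cisco's code: a Python model of the classic NTP symmetric-key MAC (key ID followed by MD5 of the secret concatenated with the 48-byte NTP header) and of the client-side decision. The digest takes no IP address as input, so the source interface does not feed the MAC itself; reply matching and ntp ACLs are separate checks. Treating "ntp trusted-key" as simple set membership is an assumption, the function names are hypothetical, and key 1234 with secret "cisco" comes from the configs above.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header; the MAC is appended after it

def build_header(mode, stratum, version=3):
    """Minimal constructed NTP header (timestamps zeroed for the demo)."""
    first = (version << 3) | mode          # LI=0, VN, Mode
    return struct.pack("!BBbb", first, stratum, 6, -20) + bytes(HEADER_LEN - 4)

def sign(header, key_id, secret):
    """Append key ID and MD5(secret || header), the classic symmetric-key MAC."""
    return header + struct.pack("!I", key_id) + hashlib.md5(secret + header).digest()

def verify(packet, keys, trusted):
    """Client-side check. keys: {id: secret}; trusted: set of trusted key IDs."""
    if len(packet) != HEADER_LEN + 4 + 16:
        return (False, "no MD5 MAC")
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN + 4:]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    if key_id not in keys:
        return (False, "unknown key")
    if key_id not in trusted:          # assumed model of "ntp trusted-key"
        return (False, "key not trusted")
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(mac, expected):
        return (False, "MAC mismatch")
    return (True, "ok")

# Constructed sample: R1 (ntp master 3) answers in server mode (4) with key 1234.
SERVER_KEYS = {1234: b"cisco"}
REPLY = sign(build_header(mode=4, stratum=3), 1234, SERVER_KEYS[1234])

def demo():
    tampered = REPLY[:1] + bytes([1]) + REPLY[2:]   # stratum rewritten 3 -> 1
    return {
        "trusted": verify(REPLY, {1234: b"cisco"}, {1234}),
        "not trusted": verify(REPLY, {1234: b"cisco"}, set()),
        "wrong secret": verify(REPLY, {1234: b"c1sco"}, {1234}),
        "tampered": verify(tampered, {1234: b"cisco"}, {1234}),
        "unsigned": verify(REPLY[:HEADER_LEN], {1234: b"cisco"}, {1234}),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12} {result}")
```

Only the first case is accepted: a client that defines the key but does not trust it, holds a different secret, or receives a modified or unsigned reply rejects the packet.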



This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART