Re: NTP authentication is affected by source interface?[2]

From: Michy Eika (cciemaster@shingor.net)
Date: Thu May 04 2006 - 09:45:19 ART


Hi Arun.

Thanks for explaining about NTP.
NTP source will be necessary on client (querier). So I modified the
configuration below.
BTW, if source interface is specified, output interface will be used. So
don't we have to care about this unless we use ACL?

[R1]
ntp master 3

ntp authentication-key 1234 md5 cisco

[R3]
ntp server 1.1.1.1 key 1234

ntp source Loopback0

ntp authenticate

ntp authentication-key 1234 md5 cisco

ntp trusted-key 1234

----- Original Message -----
From: "Arun Arumuganainar" <aarumuga@hotmail.com>
To: "Michy Eika" <cciemaster@shingor.net>; <alexeim@orcsoftware.com>; "Wang,
Ting (Taylor)" <wangting@avaya.com>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, May 04, 2006 6:46 PM
Subject: Re: NTP authentication is affected by source interface?[2]

> Hi Michy,
>
> "NTP SOURCE" command will only apply for NTP query and not NTP reply.
> Actually, whenever an NTP query is made, source address will be picked up
> from "NTP SOURCE" command. When a query is received by a server or a
> master, the reply will use the destination address of the query as the
> source address. NTP SOURCE will not come into the picture.
>
> This is the behavior for all TCP and UDP applications and not restricted
> to NTP.
>
> Thanks and Regards
> Arun
>
> ----- Original Message -----
> From: "Michy Eika" <cciemaster@shingor.net>
> To: <alexeim@orcsoftware.com>; "Wang, Ting (Taylor)" <wangting@avaya.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Thursday, May 04, 2006 10:03 AM
> Subject: Re: NTP authentication is affected by source interface?[2]
>
>
>> Thanks all.
>>
>> With respect to NTP, it's a little bit hard to investigate for me. :-)
>>
>> I appreciate your cooperation so much!
>>
>> Michy
>> ----- Original Message -----
>> From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
>> To: "Wang, Ting (Taylor)" <wangting@avaya.com>
>> Cc: "Michy Eika" <cciemaster@shingor.net>; <ccielab@groupstudy.com>
>> Sent: Tuesday, May 02, 2006 5:03 PM
>> Subject: Re: NTP authentication is affected by source interface?[2]
>>
>>
>> > You can find a decent explanation here regarding NTP auth. Yes,
>> > "trusted-key" is needed for client only.
>> > http://www.internetworkexpert.com/resources/01700369.htm
>> >
>> > As for source interface, looks like it is only used by client.
>> > This small config along with debug ip packets for NTP shows that server
>> > is replying with its FR interface IP regardless of having "ntp source
>> > lo0". NTP client does make use of "source lo0".
>> >
>> > NTP master
>> >
>> > r1#sh run in lo 0
>> > Building configuration...
>> >
>> > Current configuration : 63 bytes
>> > !
>> > interface Loopback0
>> > ip address 15.15.1.1 255.255.255.0
>> > end
>> >
>> > r1#sh run in ser 0.1
>> > Building configuration...
>> >
>> > Current configuration : 127 bytes
>> > !
>> > interface Serial0.1 point-to-point
>> > ip address 15.15.12.1 255.255.255.0
>> > frame-relay interface-dlci 102
>> > end
>> >
>> > r1#sh run | in ntp
>> > ntp authentication-key 1 md5 13061E010803 7
>> > ntp source Loopback0
>> > ntp master 3
>> >
>> >
>> >
>> > NTP client
>> >
>> > r2#sh run in lo 0
>> > Building configuration...
>> >
>> > Current configuration : 63 bytes
>> > !
>> > interface Loopback0
>> > ip address 15.15.2.2 255.255.255.0
>> > end
>> >
>> > r2#sh run in ser 0.1
>> > Building configuration...
>> >
>> > Current configuration : 146 bytes
>> > !
>> > interface Serial0.1 point-to-point
>> > ip address 15.15.12.2 255.255.255.0
>> > frame-relay interface-dlci 201
>> > end
>> >
>> > r2#sh run | in ntp
>> > ntp authentication-key 1 md5 030752180500 7
>> > ntp authenticate
>> > ntp trusted-key 1
>> > ntp source Loopback0
>> > ntp server 15.15.12.1 key 1
>> >
>> > on 29/04/2006 12:22 Wang, Ting (Taylor) wrote:
>> >> Hi Group,
>> >> Anyone have the idea on the NTP questions in my last mail?
>> >> Does "ntp source lo0" and "ntp trusted-key 1234" only make sense for
>> >> client?
>> >> Taylor
>> >> -----Original Message-----
>> >> From: Wang, Ting (Taylor)
>> >> Sent: Friday, April 28, 2006 11:02 AM
>> >> To: 'Michy Eika'; 'ccielab@groupstudy.com'
>> >> Subject: RE: NTP authentication is affected by source interface?[2]
>> >>
>> >> Hi ,
>> >> I think the "ntp source lo0" is only useful for client, for the purpose
>> >> of robustness and ntp ACL. The "ntp server 1.1.1.1" indicates that the
>> >> destination IP address for NTP request is lo0 of NTP server.
>> >> BTW, I think the command of "ntp trusted-key 1234" is only needed in
>> >> client. It is redundant for NTP server, since client authenticates
>> >> the server only, not vice versa. Could anyone confirm if I'm right?
>> >> Taylor
>> >> -----Original Message-----
>> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Michy Eika
>> >> Sent: Sunday, April 23, 2006 9:06 AM
>> >> To: ccielab@groupstudy.com
>> >> Subject: NTP authentication is affected by source interface?[2]
>> >>
>> >> Hi folks!
>> >>
>> >> Hello again. And I wanna supplement my question with network topology.
>> >> I'm planning to use NTP. But if I want to configure routers to make it
>> >> more robust and secure, I think I should implement authentication and
>> >> redundant path to connect NTP server(ntp master router). In this case,
>> >> do I need to make loopback interface as source interface on both
>> >> routers(client and server router)?
>> >> I'm concerned about one of redundant link failure's impact. I wonder
>> >> what happens if redundant link failure occurs on NTP server or client.
>> >> I wonder whether the authentication is affected...(and etc...). I think
>> >> ntp ACL will be affected by this circumstance.
>> >>
>> >> |--lo0[R1]s0/0-----[R2]------s0/1[R3]lo0--|
>> >> |e0/0 e0/1|
>> >> |-----------[R4]-----------|
>> >> R1 lo:1.1.1.1
>> >> R3 lo:3.3.3.3
>> >> * R1 can reach R3 and vice versa.
>> >>
>> >> [R1]
>> >> ntp master 3
>> >>
>> >> ntp source Loopback0
>> >>
>> >> ntp authenticate
>> >>
>> >> ntp authentication-key 1234 md5 cisco
>> >>
>> >> ntp trusted-key 1234
>> >>
>> >>
>> >> [R3]
>> >> ntp server 1.1.1.1 key 1234
>> >>
>> >> ntp source Loopback0
>> >>
>> >> ntp authenticate
>> >>
>> >> ntp authentication-key 1234 md5 cisco
>> >>
>> >> ntp trusted-key 1234
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html

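Added example, not part of the original thread: a sketch of how NTP symmetric-key MD5 authentication builds and checks the message authentication code, which is computed over the NTP header and the key only, so the address chosen by `ntp source` never enters the digest. Key ID 1234 and key string `cisco` come from the configuration quoted above; the header field values are constructed and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header; key ID (4 bytes) + MD5 digest (16) follow


def sample_reply_header() -> bytes:
    """Constructed server reply: LI=0, VN=3, Mode=4 (server), stratum 3."""
    first_byte = (0 << 6) | (3 << 3) | 4
    return struct.pack("!BBbb", first_byte, 3, 6, -20) + bytes(44)


def build_authenticated_packet(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append key ID and MD5(key || header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_packet(packet: bytes, keys: dict, trusted: set) -> str:
    """Receiver side: the roles of 'ntp authentication-key' and 'ntp trusted-key'.

    No IP address is an input here, so the interface a packet was sourced
    from cannot change the outcome.
    """
    if len(packet) == NTP_HEADER_LEN:
        return "unauthenticated"
    if len(packet) != NTP_HEADER_LEN + 20:
        return "malformed"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in trusted or key_id not in keys:
        return "untrusted-key"
    expected = hashlib.md5(keys[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"


if __name__ == "__main__":
    reply = build_authenticated_packet(sample_reply_header(), 1234, b"cisco")
    r3_keys = {1234: b"cisco"}
    print(verify_packet(reply, r3_keys, {1234}))            # key defined and trusted
    print(verify_packet(reply, r3_keys, set()))             # key defined, not trusted
    print(verify_packet(reply, {1234: b"other"}, {1234}))   # key strings differ
```

Source-address filtering is a separate control: an NTP access list matches on the packet's IP addresses, which is where the choice of source interface matters.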


This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART