From: Arun Arumuganainar (aarumuga@hotmail.com)
Date: Thu May 04 2006 - 09:51:18 ART
Yes, you are right. We need not care about the source interface until you have
used ACLs on the server.
Thanks and Regards
Arun
----- Original Message -----
From: "Michy Eika" <cciemaster@shingor.net>
To: "Arun Arumuganainar" <aarumuga@hotmail.com>
Cc: <ccielab@groupstudy.com>; <alexeim@orcsoftware.com>; "Wang, Ting (Taylor)" <wangting@avaya.com>
Sent: Thursday, May 04, 2006 6:15 PM
Subject: Re: NTP authentication is affected by source interface?[2]
> Hi Arun.
>
> Thanks for explaining about NTP.
> NTP source will be necessary on client (querier). So I modified the
> configuration below.
> BTW, if source interface is specified, output interface will be used. So
> don't we have to care about this unless we use ACL?
>
> [R1]
> ntp master 3
>
> ntp authentication-key 1234 md5 cisco
>
>
> [R3]
> ntp server 1.1.1.1 key 1234
>
> ntp source Loopback0
>
> ntp authenticate
>
> ntp authentication-key 1234 md5 cisco
>
> ntp trusted-key 1234
>
>
> ----- Original Message -----
> From: "Arun Arumuganainar" <aarumuga@hotmail.com>
> To: "Michy Eika" <cciemaster@shingor.net>; <alexeim@orcsoftware.com>;
> "Wang, Ting (Taylor)" <wangting@avaya.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Thursday, May 04, 2006 6:46 PM
> Subject: Re: NTP authentication is affected by source interface?[2]
>
>
> > Hi Michy,
> >
> > "NTP SOURCE" command will only apply for NTP Query and not NTP reply.
> > Actually, whenever an NTP Query is made, the source address will be picked
> > up from the "NTP SOURCE" command. When a query is received by a server or a
> > Master, the reply will use the destination address of the query as the
> > source address. NTP SOURCE will not come into the picture.
> >
> > This is the behavior for all TCP and UDP applications and is not
> > restricted to NTP.
> >
> > Thanks and Regards
> > Arun
> >
> > ----- Original Message -----
> > From: "Michy Eika" <cciemaster@shingor.net>
> > To: <alexeim@orcsoftware.com>; "Wang, Ting (Taylor)" <wangting@avaya.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Thursday, May 04, 2006 10:03 AM
> > Subject: Re: NTP authentication is affected by source interface?[2]
> >
> >
> >> Thanks all.
> >>
> >> With respect to NTP, it's a little bit hard to investigate for me. :-)
> >>
> >> I'm appreciating your cooperation so much!
> >>
> >> Michy
> >> ----- Original Message -----
> >> From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
> >> To: "Wang, Ting (Taylor)" <wangting@avaya.com>
> >> Cc: "Michy Eika" <cciemaster@shingor.net>; <ccielab@groupstudy.com>
> >> Sent: Tuesday, May 02, 2006 5:03 PM
> >> Subject: Re: NTP authentication is affected by source interface?[2]
> >>
> >>
> >> > You can find a decent explanation here regarding NTP auth. Yes,
> >> > "trusted-key" is needed for client only.
> >> > http://www.internetworkexpert.com/resources/01700369.htm
> >> >
> >> > As for source interface, looks like it is only used by client.
> >> > This small config along with debug ip packets for NTP shows that
> >> > server is replying with its FR interface IP regardless of having
> >> > "ntp source lo0". NTP client does make use of "source lo0".
> >> >
> >> > NTP master
> >> >
> >> > r1#sh run in lo 0
> >> > Building configuration...
> >> >
> >> > Current configuration : 63 bytes
> >> > !
> >> > interface Loopback0
> >> > ip address 15.15.1.1 255.255.255.0
> >> > end
> >> >
> >> > r1#sh run in ser 0.1
> >> > Building configuration...
> >> >
> >> > Current configuration : 127 bytes
> >> > !
> >> > interface Serial0.1 point-to-point
> >> > ip address 15.15.12.1 255.255.255.0
> >> > frame-relay interface-dlci 102
> >> > end
> >> >
> >> > r1#sh run | in ntp
> >> > ntp authentication-key 1 md5 13061E010803 7
> >> > ntp source Loopback0
> >> > ntp master 3
> >> >
> >> >
> >> >
> >> > NTP client
> >> >
> >> > r2#sh run in lo 0
> >> > Building configuration...
> >> >
> >> > Current configuration : 63 bytes
> >> > !
> >> > interface Loopback0
> >> > ip address 15.15.2.2 255.255.255.0
> >> > end
> >> >
> >> > r2#sh run in ser 0.1
> >> > Building configuration...
> >> >
> >> > Current configuration : 146 bytes
> >> > !
> >> > interface Serial0.1 point-to-point
> >> > ip address 15.15.12.2 255.255.255.0
> >> > frame-relay interface-dlci 201
> >> > end
> >> >
> >> > r2#sh run | in ntp
> >> > ntp authentication-key 1 md5 030752180500 7
> >> > ntp authenticate
> >> > ntp trusted-key 1
> >> > ntp source Loopback0
> >> > ntp server 15.15.12.1 key 1
> >> >
> >> > on 29/04/2006 12:22 Wang, Ting (Taylor) wrote:
> >> >> Hi Group,
> >> >> Anyone have the idea on the NTP questions in my last mail?
> >> >> Does "ntp source lo0" and "ntp trusted-key 1234" only make sense for
> >> >> client?
> >> >> Taylor
> >> >> -----Original Message-----
> >> >> From: Wang, Ting (Taylor)
> >> >> Sent: Friday, April 28, 2006 11:02 AM
> >> >> To: 'Michy Eika'; 'ccielab@groupstudy.com'
> >> >> Subject: RE: NTP authentication is affected by source interface?[2]
> >> >>
> >> >> Hi ,
> >> >> I think the "ntp source lo0" is only useful for client, for the
> >> >> purpose of robustness and ntp ACL. The "ntp server 1.1.1.1" indicates
> >> >> the destination IP address for NTP request is lo0 of NTP server.
> >> >> BTW, I think the command of "ntp trusted-key 1234" is only needed in
> >> >> client. It is redundant for NTP server, since client authenticates
> >> >> the server only, not vice versa. Could anyone confirm if I'm right?
> >> >> Taylor
> >> >> -----Original Message-----
> >> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Michy Eika
> >> >> Sent: Sunday, April 23, 2006 9:06 AM
> >> >> To: ccielab@groupstudy.com
> >> >> Subject: NTP authentication is affected by source interface?[2]
> >> >>
> >> >> Hi folks!
> >> >>
> >> >> Hello again. And I wanna supplement my question with network topology.
> >> >> I'm planning to use NTP. But if I want to configure routers to make it
> >> >> more robust and secure, I think I should implement authentication and
> >> >> redundant path to connect NTP server (ntp master router). In this case,
> >> >> do I need to make loopback interface as source interface on both
> >> >> routers (client and server router)?
> >> >> I'm concerned about one of redundant link failure's impact. I wonder
> >> >> what happens if redundant link failure occurs on NTP server or client. I
> >> >> wonder the authentication is affected...(and etc...). I think ntp ACL
> >> >> will be affected by this circumstance.
> >> >>
> >> >> |--lo0[R1]s0/0-----[R2]------s0/1[R3]lo0--|
> >> >> |e0/0 e0/1|
> >> >> |-----------[R4]-----------|
> >> >> R1 lo:1.1.1.1
> >> >> R3 lo:3.3.3.3
> >> >> * R1 can reach R3 and vice versa.
> >> >>
> >> >> [R1]
> >> >> ntp master 3
> >> >>
> >> >> ntp source Loopback0
> >> >>
> >> >> ntp authenticate
> >> >>
> >> >> ntp authentication-key 1234 md5 cisco
> >> >>
> >> >> ntp trusted-key 1234
> >> >>
> >> >>
> >> >> [R3]
> >> >> ntp server 1.1.1.1 key 1234
> >> >>
> >> >> ntp source Loopback0
> >> >>
> >> >> ntp authenticate
> >> >>
> >> >> ntp authentication-key 1234 md5 cisco
> >> >>
> >> >> ntp trusted-key 1234
> >> >>
> >> >>
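
The following Python model is an added illustration of the behaviour discussed in this thread; it is not code from any of the posters and not IOS itself. It computes the NTP symmetric-key MAC as defined in RFC 5905 (MD5 over the key followed by the 48-byte header, sent as a 4-byte key ID plus 16-byte digest), has the server reply from the address the query was sent to, and shows that the query's source address only matters once the server filters on it. The function names, the set-based ACL and the address `10.0.23.3` are assumptions made for the example.

```python
import hashlib, hmac, struct

KEYS = {1234: b"cisco"}      # ntp authentication-key 1234 md5 cisco
CLIENT_TRUSTED = {1234}      # ntp trusted-key 1234 (client side)
SERVER_IP, R3_LOOPBACK = "1.1.1.1", "3.3.3.3"
R3_SERIAL = "10.0.23.3"      # constructed egress address, not from the thread

def ntp_mac(key, header):
    # RFC 5905 symmetric-key MAC: MD5 over the key followed by the NTP header
    return hashlib.md5(key + header).digest()

def sign(header, key_id, keys):
    return header + struct.pack("!I", key_id) + ntp_mac(keys[key_id], header)

def verify(packet, keys, trusted):
    header, tail = packet[:48], packet[48:]
    if len(tail) != 20:                      # no key ID + digest present
        return False
    key_id = struct.unpack("!I", tail[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False
    return hmac.compare_digest(tail[4:], ntp_mac(keys[key_id], header))

def server_reply(src, dst, packet, keys, acl=None):
    # acl models a server-side filter on the query's source address
    if acl is not None and src not in acl:
        return None
    key_id = struct.unpack("!I", packet[48:52])[0]
    header = bytes([0x1C, 3]) + bytes(46)    # VN=3, mode 4 (server), stratum 3
    # The reply's source is the address the query was sent to, whatever
    # source interface the server itself has configured.
    return dst, src, sign(header, key_id, keys)

def client_sync(src, server_keys=KEYS, acl=None):
    query = sign(bytes([0x1B]) + bytes(47), 1234, KEYS)   # VN=3, mode 3 (client)
    reply = server_reply(src, SERVER_IP, query, server_keys, acl)
    if reply is None:
        return "no reply (dropped by server ACL)"
    reply_src, _, packet = reply
    if reply_src != SERVER_IP or not verify(packet, KEYS, CLIENT_TRUSTED):
        return "reply rejected"
    return "synchronized"
```

Calling `client_sync(R3_SERIAL, acl={R3_LOOPBACK})` models a client that queries from its egress interface while the server permits only the loopback address.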
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART