From: Arun Arumuganainar (aarumuga@hotmail.com)
Date: Fri May 05 2006 - 11:52:19 ART
Yes, you are right! Actually, an NTP server could send a query either to the
Master or to another server. In both cases the NTP source command will apply.
When the source is not specified, it will use the physical interface.
Please note: The behavior is the same as BGP, MSDP or any other TCP/UDP
application.
If you have time, you can lab this up. Try bringing up a BGP loopback
peering (simple iBGP peering with the loopback address as the peer address).
1) When you do not configure update-source on both sides, the BGP connection
will not come up.
2) Configure update-source to the correct loopback address on only one side.
The connection will immediately come up.
Please note: Update-source need not be configured on both sides to establish
a BGP connection.
Thanks and Regards
Arun
----- Original Message -----
From: "Schulz, Dave" <DSchulz@dpsciences.com>
To: "Arun Arumuganainar" <aarumuga@hotmail.com>; "Michy Eika"
<cciemaster@shingor.net>; <alexeim@orcsoftware.com>; "Wang, Ting (Taylor)"
<wangting@avaya.com>
Cc: <ccielab@groupstudy.com>
Sent: Friday, May 05, 2006 6:53 PM
Subject: RE: NTP authentication is affected by source interface?[2]
> Arun -
>
> Thanks for the explanation on the source. So, are you saying that the
> query to the Master will contain the specified source (loopback0). I
> would assume that this is not specified, then the physical interface
> would be specified as the source, correct?
>
>
> Dave Schulz,
> Email: dschulz@dpsciences.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Arun Arumuganainar
> Sent: Thursday, May 04, 2006 5:47 AM
> To: Michy Eika; alexeim@orcsoftware.com; Wang, Ting (Taylor)
> Cc: ccielab@groupstudy.com
> Subject: Re: NTP authentication is affected by source interface?[2]
>
> Hi Michy ,
>
> "NTP SOURCE" command will only apply for NTP Query and not NTP reply.
> Actually whenever an NTP Query is made, source address will be picked up
> from "NTP SOURCE" command. When a query is received by a server or a Master,
> the reply will use the destination address of the query as the source
> address. NTP SOURCE will not come into the picture.
>
> This is the behavior for all TCP and UDP applications and is not restricted
> to NTP.
>
> Thanks and Regards
> Arun
>
> ----- Original Message -----
> From: "Michy Eika" <cciemaster@shingor.net>
> To: <alexeim@orcsoftware.com>; "Wang, Ting (Taylor)"
> <wangting@avaya.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Thursday, May 04, 2006 10:03 AM
> Subject: Re: NTP authentication is affected by source interface?[2]
>
>
> > Thanks all.
> >
> > With respect to NTP, it's a little bit hard to investigate for me. :-)
> >
> > I'm appreciating your cooperation so much!
> >
> > Michy
> > ----- Original Message -----
> > From: "Alexei Monastyrnyi" <alexeim@orcsoftware.com>
> > To: "Wang, Ting (Taylor)" <wangting@avaya.com>
> > Cc: "Michy Eika" <cciemaster@shingor.net>; <ccielab@groupstudy.com>
> > Sent: Tuesday, May 02, 2006 5:03 PM
> > Subject: Re: NTP authentication is affected by source interface?[2]
> >
> >
> > > You can find a decent explanation here regarding NTP auth. Yes,
> > > "trusted-key" is needed for client only.
> > > http://www.internetworkexpert.com/resources/01700369.htm
> > >
> > > As for source interface, looks like it is only used by client.
> > > This small config along with debug ip packets for NTP shows that server
> > > is replying with its FR interface IP regardless of having "ntp source
> > > lo0". NTP client does make use of "source lo0".
> > >
> > > NTP master
> > >
> > > r1#sh run in lo 0
> > > Building configuration...
> > >
> > > Current configuration : 63 bytes
> > > !
> > > interface Loopback0
> > > ip address 15.15.1.1 255.255.255.0
> > > end
> > >
> > > r1#sh run in ser 0.1
> > > Building configuration...
> > >
> > > Current configuration : 127 bytes
> > > !
> > > interface Serial0.1 point-to-point
> > > ip address 15.15.12.1 255.255.255.0
> > > frame-relay interface-dlci 102
> > > end
> > >
> > > r1#sh run | in ntp
> > > ntp authentication-key 1 md5 13061E010803 7
> > > ntp source Loopback0
> > > ntp master 3
> > >
> > >
> > >
> > > NTP client
> > >
> > > r2#sh run in lo 0
> > > Building configuration...
> > >
> > > Current configuration : 63 bytes
> > > !
> > > interface Loopback0
> > > ip address 15.15.2.2 255.255.255.0
> > > end
> > >
> > > r2#sh run in ser 0.1
> > > Building configuration...
> > >
> > > Current configuration : 146 bytes
> > > !
> > > interface Serial0.1 point-to-point
> > > ip address 15.15.12.2 255.255.255.0
> > > frame-relay interface-dlci 201
> > > end
> > >
> > > r2#sh run | in ntp
> > > ntp authentication-key 1 md5 030752180500 7
> > > ntp authenticate
> > > ntp trusted-key 1
> > > ntp source Loopback0
> > > ntp server 15.15.12.1 key 1
> > >
> > > on 29/04/2006 12:22 Wang, Ting (Taylor) wrote:
> > >> Hi Group,
> > >> Anyone have the idea on the NTP questions in my last mail?
> > >> Does "ntp source lo0" and "ntp trusted-key 1234" only make sense for
> > >> client?
> > >> Taylor
> > >> -----Original Message-----
> > >> From: Wang, Ting (Taylor)
> > >> Sent: Friday, April 28, 2006 11:02 AM
> > >> To: 'Michy Eika'; 'ccielab@groupstudy.com'
> > >> Subject: RE: NTP authentication is affected by source interface?[2]
> > >>
> > >> Hi ,
> > >> I think the "ntp source lo0" is only useful for client, for the purpose
> > >> of robust and ntp ACL. The "ntp server 1.1.1.1" indicates the
> > >> destination IP address for NTP request is lo0 of NTP server.
> > >> BTW, I think the command of "ntp trusted-key 1234" is only needed in
> > >> client. It is redundant for NTP server, since client authenticates the
> > >> server only, not vice versa. Could anyone confirm if I'm right?
> > >> Taylor
> > >> -----Original Message-----
> > >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > >> Michy Eika
> > >> Sent: Sunday, April 23, 2006 9:06 AM
> > >> To: ccielab@groupstudy.com
> > >> Subject: NTP authentication is affected by source interface?[2]
> > >>
> > >> Hi folks!
> > >>
> > >> Hello again. And I wanna supplement my question with network topology.
> > >> I'm planning to use NTP. But if I want to configure routers to make it
> > >> more robust and secure, I think I should implement authentication and
> > >> redundant path to connect NTP server (ntp master router). In this case,
> > >> do I need to make loopback interface as source interface on both
> > >> routers (client and server router)?
> > >> I'm concerned about one of redundant link failure's impact. I wonder
> > >> what happens if redundant link failure occurs on NTP server or client. I
> > >> wonder the authentication is affected...(and etc...). I think ntp ACL
> > >> will be affected by this circumstance.
> > >>
> > >> |--lo0[R1]s0/0-----[R2]------s0/1[R3]lo0--|
> > >> |e0/0 e0/1|
> > >> |-----------[R4]-----------|
> > >> R1 lo:1.1.1.1
> > >> R3 lo:3.3.3.3
> > >> * R1 can reach R3 and vice versa.
> > >>
> > >> [R1]
> > >> ntp master 3
> > >>
> > >> ntp source Loopback0
> > >>
> > >> ntp authenticate
> > >>
> > >> ntp authentication-key 1234 md5 cisco
> > >>
> > >> ntp trusted-key 1234
> > >>
> > >>
> > >> [R3]
> > >> ntp server 1.1.1.1 key 1234
> > >>
> > >> ntp source Loopback0
> > >>
> > >> ntp authenticate
> > >>
> > >> ntp authentication-key 1234 md5 cisco
> > >>
> > >> ntp trusted-key 1234
> > >>
> > >>
> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:20 ART
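
Added example (not part of the archived thread or of any poster's configuration): a Python model of the question in the subject line, showing that the keyed-MD5 MAC of NTP symmetric-key authentication is computed over the 48-byte NTP header only, so the source interface changes what an address-based ACL sees but not whether the MAC verifies. The key id 1234, the secret `cisco` and the loopback 3.3.3.3 come from the thread; the ACL, the address 10.0.13.3 and all function names are assumptions made for illustration, and IOS is assumed to follow the standard NTP MAC layout.

```python
import hashlib
import hmac
import ipaddress
import struct

KEYS = {1234: b"cisco"}   # key id -> secret, as in the thread's R1/R3 config
TRUSTED = {1234}          # models "ntp trusted-key 1234" on the verifying side
PEER_ACL = [ipaddress.ip_network("3.3.3.3/32")]  # constructed ACL: permit R3 lo0 only


def ntp_header(mode=3, version=3):
    """48-byte NTP header; only LI/VN/Mode is set, the rest is zero for brevity."""
    return bytes([(version << 3) | mode]) + bytes(47)


def add_mac(header, key_id):
    """Append key id + MD5(key || header). No IP-layer field is part of the input."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_mac(packet):
    """Recompute the digest with the trusted key named in the packet."""
    header, digest = packet[:48], packet[52:68]
    key_id = struct.unpack("!I", packet[48:52])[0]
    if key_id not in TRUSTED or key_id not in KEYS:
        return False
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    return hmac.compare_digest(expected, digest)


def receive(src_ip, packet):
    """Receiving router model: address-based ACL first, then the MAC check."""
    if not any(ipaddress.ip_address(src_ip) in net for net in PEER_ACL):
        return "dropped by ACL"
    return "accepted" if verify_mac(packet) else "authentication failed"


def demo():
    pkt = add_mac(ntp_header(), 1234)
    return {
        "loopback": receive("3.3.3.3", pkt),    # query sourced from lo0
        "physical": receive("10.0.13.3", pkt),  # constructed physical address
        "mac_same": verify_mac(pkt),            # MAC itself is address-independent
    }


if __name__ == "__main__":
    print(demo())
```

The same packet passes the MAC check from either source address; only the ACL outcome differs, which is why a fixed source such as a loopback matters for address-based restrictions when a redundant link fails.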