RE: NTP Question

From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Wed Nov 22 2006 - 07:41:36 ART


You sure about that? I'm not discounting that you're right, I'm just
curious as to the details...apparently, when the three steps are entered
below, authentication seems to "just occur."

From the Doc CD:

"The authentication process begins from the moment an NTP packet is created.
Cryptographic checksum keys are generated using the MD5 Message Digest
Algorithm and are embedded into the NTP synchronization packet that is sent
to a receiving client. Once a packet is received by a client, its
cryptographic checksum key is decrypted and checked against a list of
trusted keys. If the packet contains a matching authenticator key, the
timestamp information that is contained within it is accepted by the
receiving client. NTP synchronization packets that do not contain a matching
authenticator key will be ignored."

"After NTP authentication is properly configured, your networking device
will only synchronize with and provide synchronization to trusted time
sources. To enable your networking device to send and receive encrypted
synchronization packets, use the following commands in global configuration
mode:

Step 1
  Command: Router(config)# ntp authenticate
  Purpose: Enables the NTP authentication feature.

Step 2
  Command: Router(config)# ntp authentication-key number md5 value
  Purpose: Defines the authentication keys. Each key has a key number, a
           type, and a value. Currently the only key type supported is md5.

Step 3
  Command: Router(config)# ntp trusted-key key-number
  Purpose: Defines trusted authentication keys. If a key is trusted, this
           system will be ready to synchronize to a system that uses this
           key in its NTP packets."

-----Original Message-----
From: srdja blagojevic [mailto:srdja1@pexim.co.yu]
Sent: Wednesday, November 22, 2006 2:37 AM
To: 'Lab Rat #109385382'; 'Petr Lapukhov'
Cc: 'Cisco certification'
Subject: RE: NTP Question

If you debug NTP on the router that is the NTP client, you will see that in
the first case (without ntp server key 1) NTP is synchronized without using
a key for encryption.

If you use the ntp server key 1 command, the output will show usage of key 1
for encryption.

In both cases you will see synchronized NTP between routers.

hth,
Srdja

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Lab
Rat #109385382
Sent: Wednesday, November 22, 2006 10:26
To: 'Petr Lapukhov'
Cc: Cisco certification; security@groupstudy.com
Subject: RE: NTP Question

Petr...not sure about that. I've labbed up both ways and they both work (with
only one key configured). Maybe I didn't wait long enough, but NTP was
sync'd in both scenarios.

 

 

From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
Lapukhov
Sent: Wednesday, November 22, 2006 12:56 AM
To: Lab Rat #109385382
Cc: Cisco certification; security@groupstudy.com
Subject: Re: NTP Question

 

You definitely need "ntp server x.x.x.x key y" in order to let your router
know what key to use when polling the NTP server. This is because you may
have many keys configured on the same router, and use different keys for
different servers.

2006/11/22, Lab Rat #109385382 <techlist01@gmail.com>:

I have seen two different configurations from leading training vendors.

If you have the following commands set:

ntp authenticate
ntp authentication-key 1 md5 PASSWORD
ntp trusted-key 1

do you need the following command:

ntp server x.x.x.x key 1

I have seen the solution stated as such:

ntp server x.x.x.x

Thanks,

Ed
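
Added example (not part of the thread or of the Cisco documentation): a sketch of the check the quoted Doc CD text describes, assuming the standard NTP symmetric-key layout of a 4-byte key ID followed by a 16-byte MD5 digest computed over the key and the 48-byte header. The function names and the sample header are constructed for illustration; the key value PASSWORD is the one from the question.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header; the MAC (key ID + digest) follows it


def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), as a sender told which key to use."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_packet(packet: bytes, keys: dict, trusted: set) -> str:
    """Classify a received packet against the configured and trusted keys."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(header) != NTP_HEADER_LEN:
        return "malformed"
    if not mac:
        return "unauthenticated"  # sender attached no key ID or digest
    if len(mac) != 4 + 16:
        return "malformed"
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys or key_id not in trusted:
        return "untrusted-key"
    # Nothing is decrypted: the receiver recomputes the digest and compares.
    expected = hashlib.md5(keys[key_id] + header).digest()
    return "authenticated" if hmac.compare_digest(expected, mac[4:]) else "bad-digest"


# Constructed sample: client-mode header (LI=0, VN=3, Mode=3), rest zeroed.
SAMPLE_HEADER = bytes([0x1B]) + bytes(47)
KEYS = {1: b"PASSWORD", 2: b"OTHER"}  # ntp authentication-key N md5 <value>
TRUSTED = {1}                         # ntp trusted-key 1

if __name__ == "__main__":
    cases = {
        "sent with key 1": add_mac(SAMPLE_HEADER, 1, KEYS[1]),
        "sent with no key": SAMPLE_HEADER,
        "key 2, defined but not trusted": add_mac(SAMPLE_HEADER, 2, KEYS[2]),
        "key 1 with wrong value": add_mac(SAMPLE_HEADER, 1, b"password"),
    }
    for label, pkt in cases.items():
        print(f"{label:32s} -> {check_packet(pkt, KEYS, TRUSTED)}")
```

A packet sent with no key carries nothing to verify, so whether the association is authenticated depends on the sender having been told which key to attach.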


