From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Nov 22 2006 - 09:03:41 ART
It seems logical to reject all packets from a server that are not
authenticated when you configure "ntp authenticate"; however, Cisco does
not do that. Until you have specified a key number for your server, your
communications will flow unauthenticated, and the NTP service will permit
synchronization.
Just to be sure, I verified that in the lab a few minutes ago :)
2006/11/22, Lab Rat #109385382 <techlist01@gmail.com>:
>
> You sure about that? I'm not discounting that you're right, I'm just
> curious as to the details...apparently, when the three steps are entered
> below, authentication seems to "just occur."
>
> From the Doc CD:
>
> "The authentication process begins from the moment an NTP packet is
> created. Cryptographic checksum keys are generated using the MD5 Message
> Digest Algorithm and are embedded into the NTP synchronization packet that
> is sent to a receiving client. Once a packet is received by a client, its
> cryptographic checksum key is decrypted and checked against a list of
> trusted keys. If the packet contains a matching authenticator key, the
> timestamp information that is contained within it is accepted by the
> receiving client. NTP synchronization packets that do not contain a
> matching authenticator key will be ignored."
>
> "After NTP authentication is properly configured, your networking device
> will only synchronize with and provide synchronization to trusted time
> sources. To enable your networking device to send and receive encrypted
> synchronization packets, use the following commands in global
> configuration mode:
>
>
> Command Purpose
> Step 1
> Router(config)# ntp authenticate
> Enables the NTP authentication feature.
>
> Step 2
> Router(config)# ntp authentication-key number md5 value
> Defines the authentication keys.
>
> Each key has a key number, a type, and a value. Currently the only key
> type supported is md5.
>
> Step 3
> Router(config)# ntp trusted-key key-number
> Defines trusted authentication keys.
>
> If a key is trusted, this system will be ready to synchronize to a system
> that uses this key in its NTP packets. "
>
>
> -----Original Message-----
> From: srdja blagojevic [mailto:srdja1@pexim.co.yu]
> Sent: Wednesday, November 22, 2006 2:37 AM
> To: 'Lab Rat #109385382'; 'Petr Lapukhov'
> Cc: 'Cisco certification'
> Subject: RE: NTP Question
>
>
> If you debug NTP on the router that is the NTP client, you will see that
> in the first case (without ntp server key 1) NTP is synchronized without
> using a key for encryption.
>
> If you use the ntp server key 1 command, the output will show usage of
> key 1 for encryption.
>
> In both cases you will see synchronized NTP between routers.
>
> hth,
> Srdja
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Lab Rat #109385382
> Sent: Wednesday, November 22, 2006 10:26
> To: 'Petr Lapukhov'
> Cc: Cisco certification; security@groupstudy.com
> Subject: RE: NTP Question
>
> Petr, not sure about that. I've labbed up both ways and they both work
> (with only one key configured). Maybe I didn't wait long enough, but NTP
> was sync'd in both scenarios.
>
>
>
>
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: Wednesday, November 22, 2006 12:56 AM
> To: Lab Rat #109385382
> Cc: Cisco certification; security@groupstudy.com
> Subject: Re: NTP Question
>
>
>
> You definitely need "ntp server x.x.x.x key y" in order to let your router
> know, what key to use when polling the NTP server. This is because you may
> have many keys configured on the same router, and use different keys for
> different servers.
>
> 2006/11/22, Lab Rat #109385382 <techlist01@gmail.com>:
>
> I have seen two different configurations from leading training vendors.
>
> If you have the following commands set:
>
>
> ntp authenticate
> ntp authentication-key 1 md5 PASSWORD
> ntp trusted-key 1
>
>
> do you need the following command:
>
>
> ntp server x.x.x.x key 1
>
>
> I have seen the solution stated as such:
>
>
> ntp server x.x.x.x
>
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
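The mechanism the thread is arguing about, as an added example that is not part of the original post and not Cisco IOS code: NTP symmetric-key authentication (RFC 1305 Appendix C, RFC 5905 section 7.3) appends a 32-bit key identifier and MD5(key || header) to the 48-byte header, and the receiver recomputes the digest with a key it trusts. The key values, the `TRUSTED_KEY_IDS` set and the packet contents below are constructed, and the `client_accepts` policy is an assumption that models the posters' lab observations (no per-server key: unauthenticated replies are accepted; per-server key configured: a valid MAC under that key is required), not IOS source.

```python
"""
Model of NTP symmetric-key (MD5) authentication and of the two client
policies discussed in the thread. Added example; not Cisco IOS code and
not from the original post. Key values and packet contents are constructed.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48          # NTP v3/v4 header without extension fields
MAC_LEN = 4 + 16         # 32-bit key id + 128-bit MD5 digest

# Constructed key table, the equivalent of
#   ntp authentication-key 1 md5 PASSWORD   (plus a second key for contrast)
# Both values are hypothetical.
KEYS = {1: b"PASSWORD", 2: b"OTHERKEY"}

# Equivalent of "ntp trusted-key 1": only key 1 may authenticate a peer.
TRUSTED_KEY_IDS = {1}


def build_header(transmit_ts: int, stratum: int = 2) -> bytes:
    """Build a minimal NTPv3 server-reply header (mode 4); constructed data."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
    # reference id, then reference/origin/receive/transmit timestamps
    return struct.pack(">BBBb3I4Q", li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def sign(header: bytes, key_id: int) -> bytes:
    """Append the RFC 1305/5905 MAC: key id || MD5(key || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack(">I", key_id) + digest


def verify_mac(packet: bytes, trusted_key_ids=TRUSTED_KEY_IDS):
    """Classify a received packet. Returns (status, key_id)."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) != HEADER_LEN:
        return ("malformed", None)
    if not mac:
        return ("unauthenticated", None)
    if len(mac) != MAC_LEN:
        return ("malformed", None)
    key_id = struct.unpack(">I", mac[:4])[0]
    if key_id not in trusted_key_ids or key_id not in KEYS:
        return ("untrusted-key", key_id)
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if hmac.compare_digest(expected, mac[4:]):
        return ("authenticated", key_id)
    return ("bad-digest", key_id)


def client_accepts(packet: bytes, required_key_id=None) -> bool:
    """
    Client policy modelled from the thread's lab results (an assumption,
    not taken from IOS source):
      required_key_id=None -> "ntp server x.x.x.x": an unauthenticated
                              reply is accepted even with "ntp authenticate".
      required_key_id=N    -> "ntp server x.x.x.x key N": the reply must
                              carry a valid MAC under trusted key N.
    """
    status, key_id = verify_mac(packet)
    if required_key_id is None:
        return status in ("unauthenticated", "authenticated")
    return status == "authenticated" and key_id == required_key_id


def tamper(packet: bytes) -> bytes:
    """Flip one bit of the transmit timestamp to simulate an on-path change."""
    b = bytearray(packet)
    b[HEADER_LEN - 1] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    hdr = build_header(transmit_ts=0xC9A0B3D4_00000000)  # constructed value
    signed = sign(hdr, 1)
    print("unsigned, no key required :", client_accepts(hdr))
    print("unsigned, key 1 required  :", client_accepts(hdr, 1))
    print("signed k1, key 1 required :", client_accepts(signed, 1))
    print("signed k2, key 1 required :", client_accepts(sign(hdr, 2), 1))
    print("tampered, key 1 required  :", client_accepts(tamper(signed), 1))
```

The point the model makes explicit is that "ntp authenticate" plus "ntp trusted-key" only defines which keys the router will honour; it is the "key N" on the "ntp server" line that binds a particular association to a key, and without that binding an unauthenticated (or spoofed) reply is still usable for synchronization. The digest is MD5 over key || header rather than an HMAC, which is what the protocol specifies; it is kept here for fidelity, not as a recommendation.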
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART