Re: NTP Question

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Nov 22 2006 - 09:07:47 ART


Yeah, the main idea is that the key number is specified in the packet. The server could
not pick up the right key to authenticate the response until you put a key number
into the client's packet.

2006/11/22, srdja blagojevic <srdja1@pexim.co.yu>:
>
> >Step 3
> >Router(config)# ntp trusted-key key-number Defines trusted authentication
> >keys.
> >
> >If a key is trusted, this system will be ready to synchronize to a system
> >that uses this key in its NTP packets. "
> >
>
> This is true on the NTP server. If a packet arrives without encryption from the NTP
> client, it will respond without using authentication. If a packet arrives
> from the NTP client with encryption, the NTP server will respond with encrypted
> packets (if the packet from the client is encrypted with one of the trusted keys).
>
> On the NTP client you have to use the ntp server key command to send encrypted
> packets to the NTP server. Otherwise it will send unencrypted packets to the NTP
> server.
>
> hth,
> Srdja
>
>
>
>
> -----Original Message-----
> From: Lab Rat #109385382 [mailto:techlist01@gmail.com]
> Sent: Wednesday, November 22, 2006 11:42
> To: 'srdja blagojevic'; 'Petr Lapukhov'
> Cc: 'Cisco certification'
> Subject: RE: NTP Question
>
> You sure about that? I'm not discounting that you're right, I'm just
> curious as to the details...apparently, when the three steps are entered
> below, authentication seems to "just occur."
>
> From the Doc CD:
>
> "The authentication process begins from the moment an NTP packet is
> created.
> Cryptographic checksum keys are generated using the MD5 Message Digest
> Algorithm and are embedded into the NTP synchronization packet that is
> sent
> to a receiving client. Once a packet is received by a client, its
> cryptographic checksum key is decrypted and checked against a list of
> trusted keys. If the packet contains a matching authenticator key, the
> timestamp information that is contained within it is accepted by the
> receiving client. NTP synchronization packets that do not contain a
> matching
> authenticator key will be ignored. "
>
> "After NTP authentication is properly configured, your networking device
> will only synchronize with and provide synchronization to trusted time
> sources. To enable your networking device to send and receive encrypted
> synchronization packets, use the following commands in global
> configuration
> mode:
>
>
> Command Purpose
> Step 1
> Router(config)# ntp authenticate
> Enables the NTP authentication feature.
>
> Step 2
> Router(config)# ntp authentication-key number md5 value Defines the
> authentication keys.
>
> Each key has a key number, a type, and a value. Currently the only key
> type
> supported is md5.
>
> Step 3
> Router(config)# ntp trusted-key key-number Defines trusted authentication
> keys.
>
> If a key is trusted, this system will be ready to synchronize to a system
> that uses this key in its NTP packets. "
>
>
> -----Original Message-----
> From: srdja blagojevic [mailto:srdja1@pexim.co.yu]
> Sent: Wednesday, November 22, 2006 2:37 AM
> To: 'Lab Rat #109385382'; 'Petr Lapukhov'
> Cc: 'Cisco certification'
> Subject: RE: NTP Question
>
>
> If you debug NTP on the router that is the NTP client, you will see that in the
> first case (without ntp server key 1) NTP is synchronized without using a key
> for encryption.
>
> If you use the ntp server key 1 command, the output will show usage of key 1 for
> encryption.
>
> In both cases you will see synchronized NTP between routers.
>
> hth,
> Srdja
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Lab Rat #109385382
> Sent: Wednesday, November 22, 2006 10:26
> To: 'Petr Lapukhov'
> Cc: Cisco certification; security@groupstudy.com
> Subject: RE: NTP Question
>
> Petr, not sure about that. I've labbed up both ways and they both work (with
> only one key configured). Maybe I didn't wait long enough, but NTP was
> sync'd in both scenarios.
>
>
>
>
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr
> Lapukhov
> Sent: Wednesday, November 22, 2006 12:56 AM
> To: Lab Rat #109385382
> Cc: Cisco certification; security@groupstudy.com
> Subject: Re: NTP Question
>
>
>
> You definitely need "ntp server x.x.x.x key y" in order to let your router
> know what key to use when polling the NTP server. This is because you may
> have many keys configured on the same router, and use different keys for
> different servers.
>
> 2006/11/22, Lab Rat #109385382 <techlist01@gmail.com>:
>
> I have seen two different configurations from leading training vendors.
>
> If you have the following commands set:
>
>
> ntp authenticate
> ntp authentication-key 1 md5 PASSWORD
> ntp trusted-key 1
>
>
> do you need the following command:
>
>
> ntp server x.x.x.x key 1
>
>
> I have seen the solution stated as such:
>
>
> ntp server x.x.x.x
>
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
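As an added example that is not part of this thread and not Cisco's code: the symmetric-key NTP authenticator the Doc CD excerpt describes (RFC 1305/5905 style, a 4-byte key identifier followed by MD5 over the shared secret concatenated with the 48-byte NTP header), together with a receiver that looks the key up by the identifier carried in the packet, which is why a client that omits `ntp server ... key` sends nothing the server can authenticate. The key table and trusted-key set are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from the thread: the "ntp authentication-key N md5 VALUE"
# table and the "ntp trusted-key" list of this system.
KEYS = {1: b"PASSWORD", 2: b"OTHERSECRET"}
TRUSTED = {1}

HEADER_LEN = 48       # fixed NTP header (RFC 1305/5905)
MAC_LEN = 4 + 16      # key identifier + MD5 digest

def build_header(mode=3, version=3):
    """Minimal NTP header: LI=0, version, mode (3 = client); all other fields zeroed."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!B", li_vn_mode) + bytes(HEADER_LEN - 1)

def mac_for(header, key_id):
    """Keyed MD5 digest over secret || header, as NTP symmetric-key authentication does."""
    return hashlib.md5(KEYS[key_id] + header).digest()

def authenticate(header, key_id):
    """Client side of 'ntp server x.x.x.x key N': append key id + digest to the header."""
    return header + struct.pack("!I", key_id) + mac_for(header, key_id)

def verify(packet):
    """Receiver that requires authentication. Returns (accepted, reason)."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(header) != HEADER_LEN:
        return False, "truncated header"
    if not mac:
        return False, "no authenticator: key number missing from packet"
    if len(mac) != MAC_LEN:
        return False, "malformed authenticator"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS:
        return False, f"key {key_id} is not configured"
    if key_id not in TRUSTED:
        return False, f"key {key_id} is not trusted"
    # Constant-time comparison so a mismatch does not leak digest bytes via timing.
    if not hmac.compare_digest(mac_for(header, key_id), mac[4:]):
        return False, f"digest mismatch for key {key_id}"
    return True, f"authenticated with key {key_id}"

if __name__ == "__main__":
    hdr = build_header()
    print(verify(hdr))                    # unauthenticated: no key number to look up
    print(verify(authenticate(hdr, 1)))   # trusted key 1: accepted
    print(verify(authenticate(hdr, 2)))   # configured but not trusted: rejected
```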



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART