Re: NTP Server

From: Bogdan Sass (bogdan.sass@catc.ro)
Date: Sun Jan 04 2009 - 17:26:15 ARST


Jason Madsen wrote:
> maybe the RFC has more insight...haven't read through it in quite a while.
>

> I've just always remembered and accepted that you need the "trusted-key"
> command on NTP clients, but it is a rather strange configuration if you ask
> me. Why should you specify the key you want your server to authenticate to
> via "ntp server x.x.x.x key x", but yet you still have to specify that key
> as trusted...weird.
>
> I just did a quick test and found that with a key created and specified in
> an NTP server x.x.x.x key x statement as long as the server has that same
> key created it will authenticate with the client, but it will not sync time
> unless the client also has the trusted key statement.
>
<snip>
    It just gets better - I just completed an NTP lab with my students,
and found out another interesting thing: if you leave out the "key x"
part in "ntp server a.b.c.d key x", the client will not authenticate the
session with that server. Even if "ntp authenticate" is configured. The
client will sync, but without authenticating the server.

Server#sh run | i ntp
ntp master 4

Client#sh run | i ntp
ntp authentication-key 1 md5 104D000A061843 7 ;cisco1
ntp authentication-key 2 md5 110A1016141D59 7 ;cisco2
ntp authenticate
ntp server 1.1.1.1

Client#sh ntp ass det
1.1.1.1 *configured, our_master, sane, valid, stratum 4
*

    I still need to check what happens if I configure the trusted-key as
"1", but I want to authenticate the server using key 2 (ntp server
a.b.c.d key 2) :)

[ LE: as expected, authentication fails.

a) Key 1 configured on server, key 1 trusted on client, key 2 configured
on "ntp server" statement - authentication fails

Server#sh run | i ntp
ntp authentication-key 1 md5 13061E01080355 7
ntp master 4

Client#sh run | i ntp
ntp authentication-key 1 md5 104D000A061843 7
ntp authentication-key 2 md5 110A1016141D59 7
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1 key 2

Server#
Jan 4 19:32:14.183: Authentication key 2
Client#
.Jan 4 19:31:10.188: NTP: packet from 1.1.1.1 failed validity tests 10
.Jan 4 19:31:10.188: Authentication failed

b) Both keys configured on server, key 2 trusted on client, key 1
configured on "ntp server" statement - authentication fails

Client#sh run | i ntp
ntp authentication-key 1 md5 104D000A061843 7
ntp authentication-key 2 md5 110A1016141D59 7
ntp authenticate
ntp trusted-key 2
ntp server 1.1.1.1 key 1

Server#sh run | i ntp
ntp authentication-key 1 md5 13061E01080355 7
ntp authentication-key 2 md5 060506324F415B 7
ntp master 4

Server#
Jan 4 19:35:40.183: Authentication key 1
Client#
.Jan 4 19:33:32.192: NTP: packet from 1.1.1.1 failed validity tests 10
.Jan 4 19:33:32.192: Authentication failed
Client#sh ntp ass det
1.1.1.1 configured, authenticated, insane, invalid, unsynced, stratum 16
]

>>> Lastly, am I the only one that thinks the documentation of the NTP
>>> implementation in IOS leaves a LOT to be desired?
>>>
    Not at all. I just arrived at exactly the same conclusion several
hours ago :)

    The example mentioned above (leaving out "key x" in the "ntp server"
statement) is taken straight out of the documentation. And the
Networking Academy curriculum (for CCNP-ISCW) is no better - the NTP lab
shows a config that shouldn't (and doesn't) work :)

>>> cheers,
>>> Dale
>>>
>

-- 
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
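To make the three outcomes in this thread concrete, here is an added example (not code from the post or from Cisco) that models NTP symmetric-key authentication as RFC 5905 describes it: the MAC is a 4-byte key id followed by MD5 over the key concatenated with the 48-byte header, and a request that fails the server's check is answered with a crypto-NAK (a key id of 0 and no digest). The client logic reproduces the behaviour reported above: no `key x` on the `ntp server` line means the association is never checked, and a reply whose key id is known but not in the trusted set fails. The secrets `cisco1`, `cisco2` and `other`, the NTP version, and the crypto-NAK handling are assumptions of this model, not verified IOS internals.

```python
import hashlib
import struct

# Added example (not from the thread): a simplified model of NTP symmetric-key
# authentication per RFC 5905 (keyid + MD5(key || header)), used to replay the
# trusted-key cases from the post. All key secrets below are constructed.
NTP_HEADER_LEN = 48
MODE_CLIENT, MODE_SERVER = 3, 4


def build_ntp_header(mode: int, stratum: int, version: int = 3) -> bytes:
    """Minimal 48-byte NTP header: LI=0, version, mode, stratum; other fields zero."""
    first_byte = (version << 3) | mode
    return bytes([first_byte, stratum, 0, 0]) + b"\x00" * (NTP_HEADER_LEN - 4)


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key MAC: 4-byte key id followed by MD5 over key || header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def split_packet(packet: bytes):
    """Return (header, key_id, digest); key_id and digest are None when no MAC.
    A crypto-NAK (key id only, no digest) yields digest == b""."""
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if len(mac) < 4:
        return header, None, None
    return header, struct.unpack("!I", mac[:4])[0], mac[4:]


class NtpServer:
    """Models 'ntp master' with the listed 'ntp authentication-key' entries."""

    def __init__(self, keys: dict, stratum: int = 4):
        self.keys, self.stratum = keys, stratum

    def respond(self, request: bytes) -> bytes:
        header, key_id, digest = split_packet(request)
        reply = build_ntp_header(MODE_SERVER, self.stratum)
        if key_id is None:                       # unauthenticated poll -> plain reply
            return reply
        key = self.keys.get(key_id)              # the point where IOS logs "Authentication key <id>"
        if key is None or hashlib.md5(key + header).digest() != digest:
            return reply + struct.pack("!I", 0)  # crypto-NAK (assumed): key id 0, no digest
        return append_mac(reply, key_id, key)    # answer with the same key id


class NtpClient:
    """Models 'ntp authenticate', 'ntp trusted-key' and 'ntp server <ip> [key <id>]'."""

    def __init__(self, keys: dict, trusted: set, server_key_id=None):
        self.keys, self.trusted, self.server_key_id = keys, trusted, server_key_id

    def poll(self, server: NtpServer) -> str:
        request = build_ntp_header(MODE_CLIENT, stratum=0)
        if self.server_key_id is not None:
            request = append_mac(request, self.server_key_id, self.keys[self.server_key_id])
        return self.validate(server.respond(request))

    def validate(self, reply: bytes) -> str:
        header, key_id, digest = split_packet(reply)
        if self.server_key_id is None:
            # No "key x" on the server line: the reply is never checked, which is
            # the synced-but-unauthenticated state the post observed.
            return "synced, unauthenticated"
        if not digest or key_id != self.server_key_id:   # crypto-NAK or foreign key id
            return "authentication failed"
        key = self.keys.get(key_id)
        if key is None or key_id not in self.trusted:     # case (b): known but not trusted
            return "authentication failed"
        if hashlib.md5(key + header).digest() != digest:  # secret mismatch
            return "authentication failed"
        return "synced, authenticated"


def run_scenarios() -> dict:
    """Replay the post's cases with constructed secrets; returns name -> outcome."""
    cisco1, cisco2 = b"cisco1", b"cisco2"
    client_keys = {1: cisco1, 2: cisco2}
    return {
        # 'ntp server 1.1.1.1' with no key id: syncs without authenticating
        "no_key_on_server_line": NtpClient(client_keys, {1}).poll(NtpServer({1: cisco1})),
        # (a) server has key 1 only; client trusts 1 but polls with key 2
        "case_a_server_lacks_key": NtpClient(client_keys, {1}, 2).poll(NtpServer({1: cisco1})),
        # (b) server has both keys; client trusts 2 but polls with key 1
        "case_b_key_not_trusted": NtpClient(client_keys, {2}, 1).poll(NtpServer({1: cisco1, 2: cisco2})),
        # same key id on both sides but a different secret
        "secret_mismatch": NtpClient(client_keys, {1}, 1).poll(NtpServer({1: b"other"})),
        # consistent configuration: key on the server line is also trusted
        "working": NtpClient(client_keys, {1}, 1).poll(NtpServer({1: cisco1})),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:26} {outcome}")
```

The model separates the three checks that the IOS CLI spreads over three commands: `ntp authentication-key` supplies the secret, `ntp server ... key` picks which key id goes on the wire, and `ntp trusted-key` is the allow-list a reply's key id must be on before the digest is even compared. Only the last case satisfies all three, which is why the thread's configurations (a) and (b) both end in "Authentication failed" despite every secret being correct.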
