Re: NTP authentication question

From: Joe Astorino <joeastorino1982_at_gmail.com>
Date: Fri, 9 Dec 2011 13:40:22 -0500

-What does <ntp trusted-key *id*> command provide that <ntp server *ip-addr* key *id*> does not?

"ntp server *ip* key *id*" just tells the client to point to the NTP server
at *ip* and to use key *id*. That authentication key still needs to be
trusted or "activated" for it to be useful. You must create the key, AND
trust the key.

-<ntp authenticate> command is only necessary for the clients, yes?
Yep. I don't know of a way for the server to authenticate the client in a
master/client relationship. You can do it with an NTP peer relationship I
believe.

-If NTP authentication only occurs with <ntp authenticate>, <ntp
trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make the
extra commands required? Why not just use the <ntp server *ip-addr* key *id*> command?

Because they are Cisco : ) Seriously, I understand your frustration but
that is just the way the code is. You must define the key and specifically
trust that key, even though you would clearly want to trust a key you just
called in the ntp server command. <shrug>

PS. As of 12.4 I believe you must have ntp trusted-key on the server side
as well for NTP to sync.

On Fri, Dec 9, 2011 at 10:20 AM, David Johnson <dmjohnson.intl_at_gmail.com> wrote:

> Hi Experts
> I'm sure this has been asked before, but I couldn't find it. I am looking
> at NTP authentication and trying to figure out what the individual commands
> do.
>
> *Here is what I know:*
> -<ntp trusted-key *id*> only has to be on the authenticating device
> (usually the client). If it is configured on the server, or a device
> without a configured <ntp server *ip-addr*> command, it will not affect
> authentication of any clients. The same goes for <ntp authenticate> command
> on servers.
> -Without the key *id* option in <ntp server *ip-addr*>, output from <show
> ntp association detail> does not say authenticated. That is true
> regardless of <ntp authenticate> command configured or not. From this, I
> gather <ntp server *ip-addr* key *id*> is needed for authentication, along
> with <ntp authenticate>.
> -<ntp server *ip-addr* key *id*>, the key id must be included in the <ntp
> trusted-key *id*> command, else the NTP peer will not authenticate. You
> can have multiple ntp trusted keys as long as they match the server keys
> and include the key id configured in ntp server command.
>
> *Here is what I do not know:*
> -What does <ntp trusted-key *id*> command provide that <ntp server
> *ip-addr* key *id*> does not? While it is undoubtedly necessary for NTP
> authentication, I do not see why the command is necessary in providing
> information the other command does not.
> -<ntp authenticate> command is only necessary for the clients, yes? If I
> wanted the server to authenticate the clients, how would I go about doing
> that?
> -If NTP authentication only occurs with <ntp authenticate>, <ntp
> trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make the
> extra commands required? Why not just use the <ntp server *ip-addr* key
> *id*> command?
>
>
> I have looked this up in books and online, but cannot find the granularity
> of answers I am looking for. I'm sure there are a host of mistakes in my
> assumptions, if you could straighten me out, I would appreciate it.
>
> *Testing Information:*
> Below is my configuration. I tried to make it basic; the routers are
> directly connected, and connectivity is fine:
> (C2691-ADVENTERPRISEK9_SNA-M), Version 12.4(13b)
>
> ---------------------------------------------------------------------------------------
> *R2 Configuration v1 -- Client (without key command in ntp server ip)*
> ntp authentication-key 1 md5 021201481F575F 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179896
> ntp server 6.6.6.6
>
> *R2(config)#do sh ntp assoc deta*
> 6.6.6.6 configured, our_master, sane, valid, stratum 2
>
> *R2 Configuration v2 -- Client* *(with key command in ntp server ip)*
> ntp authentication-key 1 md5 021201481F575F 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179908
> ntp server 6.6.6.6 key 1
>
> *R2(config)#do sh ntp assoc deta*
> 6.6.6.6 configured, authenticated, our_master, sane, valid, stratum 2
>
> ---------------------------------------------------------------------------------------
> *R6 Configuration -- Server*
> ntp authentication-key 1 md5 09584B1A0D5447 7
> ntp authentication-key 2 md5 010703174F5956 7
> ntp master 2
>
> ---------------------------------------------------------------------------------------
>
> Thanks!
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Regards,
Joe Astorino
CCIE #24347
Blog: http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
Received on Fri Dec 09 2011 - 13:40:22 ART
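The mechanism behind the commands the thread argues about, shown as an added example (not code from the thread or from Cisco): NTP symmetric-key authentication appends a 4-byte key id and an MD5 digest computed over the shared key followed by the 48-byte NTP header (RFC 5905, Appendix A). The receiving side only accepts the MAC if the key id is both defined (`ntp authentication-key`) and trusted (`ntp trusted-key`), which is exactly why a defined-but-untrusted key does not authenticate. The key ids 1 and 2 mirror R6's config above; the key strings, timestamps and the `build_ntp_packet`/`append_mac`/`verify_mac` helpers are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo keys, standing in for "ntp authentication-key <id> md5 <key>".
# Ids 1 and 2 match R6's configuration in the thread; the key strings are invented.
AUTH_KEYS = {1: b"example-key-one", 2: b"example-key-two"}

# "ntp trusted-key <id>": only these ids are acceptable when verifying a MAC.
TRUSTED_KEYS = {1}

NTP_HEADER_LEN = 48          # RFC 5905 fixed header
MAC_LEN = 4 + 16             # key id + MD5 digest


def build_ntp_packet(mode=4, stratum=2, tx_ts=0):
    """Build a minimal 48-byte NTPv4 header. mode 4 = server reply."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode          # LI=0, VN=4
    head = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll=6, precision=-20
    root = struct.pack("!II", 0, 0)                   # root delay, root dispersion
    ref_id = b"LOCL"                                  # reference identifier
    stamps = struct.pack("!QQQQ", 0, 0, 0, tx_ts)     # ref, origin, receive, transmit
    packet = head + root + ref_id + stamps
    assert len(packet) == NTP_HEADER_LEN
    return packet


def append_mac(packet, key_id, keys=AUTH_KEYS):
    """Sender side: MAC = keyid || MD5(key || header), appended to the packet."""
    digest = hashlib.md5(keys[key_id] + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message, keys=AUTH_KEYS, trusted=TRUSTED_KEYS):
    """Receiver side, as a client with 'ntp authenticate' would do.

    Returns (ok, reason). The three failure modes correspond to the three
    configuration pieces discussed in the thread.
    """
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False, "no MAC present (peer configured without 'key', or sender unauthenticated)"
    header = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:NTP_HEADER_LEN + MAC_LEN]
    if key_id not in keys:
        return False, f"key {key_id} not defined (no 'ntp authentication-key {key_id}')"
    if key_id not in trusted:
        return False, f"key {key_id} defined but not trusted (no 'ntp trusted-key {key_id}')"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (key material differs between the two devices)"
    return True, "authenticated"


if __name__ == "__main__":
    reply = build_ntp_packet(tx_ts=0x1234)
    print(verify_mac(reply))                       # unauthenticated association
    print(verify_mac(append_mac(reply, 1)))        # defined + trusted: authenticated
    print(verify_mac(append_mac(reply, 2)))        # defined but not trusted
    print(verify_mac(append_mac(reply, 1, keys={1: b"different-key"})))  # digest mismatch
```

Running it prints the four outcomes the original poster saw or asked about: a plain `ntp server` association with no MAC is "sane, valid" but never "authenticated"; key 1 verifies; key 2 is rejected despite being defined on both sides; and a key string that differs on client and server fails on the digest. Note that `verify_mac` only checks the MAC; a real client also validates timestamps and stratum before marking the peer usable.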

This archive was generated by hypermail 2.2.0 : Sun Jan 01 2012 - 08:27:00 ART