Re: NTP authentication question

From: Roy Waterman <roy.waterman_at_gmail.com>
Date: Tue, 13 Dec 2011 16:53:07 +0000

Hi Joe

*ntp trusted-key* is not needed on the server side, going by David's config
(12.4 mainline).
I believe I've also not used it on the server side with 12.4(T); however,
NTP authentication can be pretty "finicky" :)

Regards
Roy

On 9 December 2011 18:40, Joe Astorino <joeastorino1982_at_gmail.com> wrote:

> -What does <ntp trusted-key *id*> command provide that <ntp server
> *ip-addr* key *id*> does not?
>
> "ntp server *ip* key *id*" just tells the client to point to the NTP server
> at *ip* and to use key *id*. That authentication key still needs to be
> trusted or "activated" for it to be useful. You must create the key, AND
> trust the key
>
>
> -<ntp authenticate> command is only necessary for the clients, yes?
> Yep. I don't know of a way for the server to authenticate the client in a
> master/client relationship. You can do it with an NTP peer relationship I
> believe.
>
>
> -If NTP authentication only occurs with <ntp authenticate>, <ntp
> trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make the
> extra commands required? Why not just use the <ntp server *ip-addr* key
> *id*> command?
>
> Because they are Cisco : ) Seriously, I understand your frustration but
> that is just the way the code is. You must define the key and specifically
> trust that key, even though you would clearly want to trust a key you just
> called in the ntp server command. <shrug>
>
> PS. As of 12.4 I believe you must have ntp trusted-key on the server side
> as well for NTP to sync
>
>
>
> On Fri, Dec 9, 2011 at 10:20 AM, David Johnson <dmjohnson.intl_at_gmail.com>
> wrote:
>
> > Hi Experts
> > I'm sure this has been asked before, but I couldn't find it. I am looking
> > at NTP authentication and trying to figure out what the individual
> > commands do.
> >
> > *Here is what I know:*
> > -<ntp trusted-key *id*> only has to be on the authenticating device
> > (usually the client). If it is configured on the server, or on a device
> > without a configured <ntp server *ip-addr*> command, it will not affect
> > authentication of any clients. The same goes for the <ntp authenticate>
> > command on servers.
> > -Without the key *id* option in <ntp server *ip-addr*>, output from <show
> > ntp association detail> does not say authenticated. That is true
> > regardless of whether the <ntp authenticate> command is configured or not.
> > From this, I gather <ntp server *ip-addr* key *id*> is needed for
> > authentication, along with <ntp authenticate>.
> > -<ntp server *ip-addr* key *id*>: the key id must be included in the <ntp
> > trusted-key *id*> command, else the NTP peer will not authenticate. You
> > can have multiple ntp trusted keys as long as they match the server keys
> > and include the key id configured in the ntp server command.
> >
> > *Here is what I do not know:*
> > -What does <ntp trusted-key *id*> command provide that <ntp server
> > *ip-addr* key *id*> does not? While it is undoubtedly necessary for NTP
> > authentication, I do not see why the command is necessary in providing
> > information the other command does not.
> > -<ntp authenticate> command is only necessary for the clients, yes? If I
> > wanted the server to authenticate the clients, how would I go about doing
> > that?
> > -If NTP authentication only occurs with <ntp authenticate>, <ntp
> > trusted-key *id*> and <ntp server ip-addr key id>, why does Cisco make
> > the extra commands required? Why not just use the <ntp server *ip-addr*
> > key *id*> command?
> >
> >
> > I have looked this up in books and online, but cannot find the granularity
> > of answers I am looking for. I'm sure there are a host of mistakes in my
> > assumptions; if you could straighten me out, I would appreciate it.
> >
> > *Testing Information:*
> > Below is my configuration, I tried to make it basic, the routers are
> > directly connected, and connectivity is fine:
> > (C2691-ADVENTERPRISEK9_SNA-M), Version 12.4(13b)
> >
> >
> > ---------------------------------------------------------------------------------------
> > *R2 Configuration v1 -- Client (without key command in ntp server ip)*
> > ntp authentication-key 1 md5 021201481F575F 7
> > ntp authenticate
> > ntp trusted-key 1
> > ntp clock-period 17179896
> > ntp server 6.6.6.6
> >
> > *R2(config)#do sh ntp assoc deta*
> > 6.6.6.6 configured, our_master, sane, valid, stratum 2
> >
> > *R2 Configuration v2 -- Client* *(with key command in ntp server ip)*
> > ntp authentication-key 1 md5 021201481F575F 7
> > ntp authenticate
> > ntp trusted-key 1
> > ntp clock-period 17179908
> > ntp server 6.6.6.6 key 1
> >
> > *R2(config)#do sh ntp assoc deta*
> > 6.6.6.6 configured, authenticated, our_master, sane, valid, stratum 2
> >
> >
> > ---------------------------------------------------------------------------------------
> > *R6 Configuration -- Server*
> > ntp authentication-key 1 md5 09584B1A0D5447 7
> > ntp authentication-key 2 md5 010703174F5956 7
> > ntp master 2
> >
> >
> > ---------------------------------------------------------------------------------------
> >
> > Thanks!
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> Blog: http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>

-- 
Regards
Roy Waterman
07515963501
Received on Tue Dec 13 2011 - 16:53:07 ART

This archive was generated by hypermail 2.2.0 : Sun Jan 01 2012 - 08:27:00 ART
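The defined-versus-trusted distinction the three of them are circling (a key has to exist via `ntp authentication-key` and separately be listed in `ntp trusted-key`, and only a client with `key <id>` on its `ntp server` line shows `authenticated`) is easier to see against a small model of the NTP MAC itself. The Python below is an added example, not code from the thread or from Cisco: it builds an RFC 5905 style symmetric-key MAC (4-byte key id followed by MD5 over key || header), runs one request/reply between a client (R2) and an `ntp master` (R6) as plain functions, and classifies the reply the way an authenticating client has to. The `ccie-lab-key-*` key strings, the function names, the stratum/refid values and the assumption that the server signs its reply with whichever key id the client used are all constructed for the model; the type-7 encoding of the keys in the quoted configs is not modelled.

```python
"""Model of NTP symmetric-key authentication (RFC 5905 style: MAC =
key id || MD5(key || header)) and of the two separate IOS decisions the
thread is about: a key has to be defined (ntp authentication-key) and
separately trusted (ntp trusted-key) before a reply carrying it counts
as authenticated.  Added example; key strings are constructed and the
IOS type-7 storage encoding of the keys is not modelled.
"""
import hashlib
import hmac
import struct
import time

HEADER_LEN = 48                 # NTPv4 header, no extension fields
KEY_ID_LEN = 4
MD5_LEN = 16
NTP_EPOCH_OFFSET = 2208988800   # seconds between the 1900 and 1970 epochs

# Constructed keys; R2 and R6 must hold the same plaintext for a key id.
SERVER_KEYS = {1: b"ccie-lab-key-1", 2: b"ccie-lab-key-2"}   # R6
CLIENT_KEYS = {1: b"ccie-lab-key-1", 2: b"ccie-lab-key-2"}   # R2


def ntp_header(mode, stratum, now=None):
    """Minimal 48-byte NTPv4 header: LI=0, VN=4, mode 3 (client) or 4 (server)."""
    now = time.time() if now is None else now
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    li_vn_mode = (4 << 3) | mode
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # hdr, poll, precision
            + struct.pack("!II4s", 0, 0, b"LOCL")                # delay, dispersion, refid
            + b"\x00" * 24                                       # ref/origin/receive stamps
            + struct.pack("!II", secs, frac))                    # transmit timestamp


def attach_mac(header, key_id, key_db):
    """Append keyid || MD5(key || header): what 'ntp server X key <id>' adds."""
    digest = hashlib.md5(key_db[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def check_mac(packet, key_db, trusted_keys):
    """Classify an incoming packet the way a client with 'ntp authenticate'
    must: the key id has to be defined AND trusted, and the digest has to
    verify.  Returns one of: unauthenticated, malformed, unknown-key,
    untrusted-key, bad-digest, authenticated."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"          # no MAC: 'authenticated' flag absent
    if len(packet) != HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return "malformed"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
    mac = packet[HEADER_LEN + KEY_ID_LEN:]
    if key_id not in key_db:
        return "unknown-key"              # no 'ntp authentication-key <id>'
    if key_id not in trusted_keys:
        return "untrusted-key"            # key defined but no 'ntp trusted-key <id>'
    expected = hashlib.md5(key_db[key_id] + header).digest()
    if not hmac.compare_digest(expected, mac):
        return "bad-digest"               # key text differs between client and server
    return "authenticated"


def server_reply(request, server_keys):
    """R6 as 'ntp master' with keys defined but neither 'ntp authenticate' nor
    'ntp trusted-key': it answers everything without checking the request MAC
    and (model assumption) signs the reply with the key id the client used,
    if it knows that key."""
    reply = ntp_header(mode=4, stratum=2)
    if len(request) > HEADER_LEN:
        key_id = struct.unpack("!I", request[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])[0]
        if key_id in server_keys:
            reply = attach_mac(reply, key_id, server_keys)
    return reply


def client_exchange(server_keys, client_keys, client_trusted, server_cmd_key=None):
    """One R2 -> R6 -> R2 round trip.  server_cmd_key models the 'key <id>'
    option of 'ntp server 6.6.6.6' (None: option omitted, as in config v1)."""
    request = ntp_header(mode=3, stratum=0)
    if server_cmd_key is not None:
        request = attach_mac(request, server_cmd_key, client_keys)
    return check_mac(server_reply(request, server_keys), client_keys, client_trusted)


if __name__ == "__main__":
    cases = {
        "v1: no key on ntp server":        client_exchange(SERVER_KEYS, CLIENT_KEYS, {1}),
        "v2: key 1, trusted-key 1":        client_exchange(SERVER_KEYS, CLIENT_KEYS, {1}, 1),
        "key 2 used, only key 1 trusted":  client_exchange(SERVER_KEYS, CLIENT_KEYS, {1}, 2),
        "key 1 text differs on server":    client_exchange({1: b"other"}, CLIENT_KEYS, {1}, 1),
        "server does not know key 1":      client_exchange({2: b"x"}, CLIENT_KEYS, {1}, 1),
    }
    for name, status in cases.items():
        print(f"{name:33} -> {status}")
```

The `untrusted-key` branch is the one the thread is really about: the key exists on the client, the server signs with it, and the digest would verify, yet the association is still not `authenticated` until the id is also in the trusted set. Note also that `server_reply` never verifies the request, which is the model of Joe's remark that a master does not authenticate its clients; only the client side has a check.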