NTP Authentication


You want to authenticate your NTP packets.


Use the ntp authentication command to authenticate NTP traffic between associations. To configure an NTP enabled router to require authentication when other devices connect to it, use the following commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ntp authentication-key 2 md5 oreilly
Router1(config)#ntp authenticate
Router1(config)#ntp trusted-key 2

Then you must configure the same authentication-key on the client router:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ntp authentication-key 2 md5 oreilly
Router2(config)#ntp authenticate
Router2(config)#ntp trusted-key 2
Router2(config)#ntp server key 2



People often confuse authentication with encryption. Authentication proves the authenticity of a packet's source, whereas encryption encodes or enciphers the packet contents. For the purposes of NTP, proving the authenticity of the packet is critical, whereas encrypting the contents of the packet is unnecessary, since it only contains time information, which isn't terribly sensitive in itself.

Cisco fully supports NTP authentication defined in RFC 1305. NTP authentication ensures that NTP associations synchronize time only to known and trusted NTP servers. This prevents servers from masquerading as legitimate timeservers either accidentally or intentionally.

Time services and the ability to manipulate time services are critical to organizations that may depend on accurate time for billing, business regulatory issues, fault isolation, or security purposes. In such organizations, there is at least a theoretical danger that somebody could put a false NTP server on the network to change the clocks, which could be useful in some larger nefarious scheme. To prevent such problems and enhance security, many organizations only allow authenticated NTP relationships within their corporate networks.

The NTP protocol uses the RSA Message Digest 5 (MD5) algorithm to provide cryptographic authentication of NTP packets. Although the NTP packet is not encrypted, a one-way hash, created using pre-shared keys, ensures the authenticity of the sender and packet. The contents of the NTP packet's time and date information do not warrant secrecy, so no encryption is required.

The example above shows a single client/server pair, enabling authentication between them. The NTP client and server pair must share the same key number and value ("oreilly," in this case) before authentication will work. Note that routers support multiple keys and can assign a different key for each association, if required. You can also configure the router to accept time updates from a mixture of authenticated and nonauthenticated servers. This example shows portions of a NTP debug trace:

Router1#debug ntp packet
NTP packets debugging is on
Router1#debug ntp authentication 
NTP authentication debugging is on
Mar 18 22:39:12 EST: NTP: rcv packet from to 
Mar 18 22:39:12 EST: leap 0, mode 3, version 3, stratum 4, ppoll 256
Mar 18 22:39:12 EST: Authentication key 2

Mar 18 22:39:12 EST: NTP: stateless xmit packet to
Mar 18 22:39:12 EST: leap 0, mode 4, version 3, stratum 3, ppoll 256
Mar 18 22:39:12 EST: Authentication key 2

Notice that the client polled the server with authentication key 2 and the server responded with its NTP response and authentication key 2 as well. Assuming that both key 2 strings are also equal, the client will form an association with the server and synchronize its internal clock with the server's.

Broadcast and multicast NTP associations also support NTP authentication:

Router3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router3(config)#clock timezone EST -5
Router3(config)#clock summer-time EDT recurring
Router3(config)#ntp authentication-key 2 md5 oreilly
Router3(config)#ntp trusted-key 2
Router3(config)#ntp server
Router3(config)#interface Ethernet0
Router3(config-if)#ntp multicast key 2

This example shows the configuration for an NTP multicast server that sends multicast packets by using the default NTP address with authentication enabled. You can configure authentication for NTP broadcast mode similarly with the only difference being the command:

Router3(config-if)#ntp broadcast key 2

It is important to note that NTP broadcast and multicast modes use a single key for the entire multicast domain.

Organizations that receive NTP feeds from the Internet usually cannot rely on NTP authentication because few public servers support authentication functionality. This is not a major concern, since NTP algorithms ignore timeservers with outrageous dates and time. Reduce the risk of synchronizing to illegitimate NTP providers by configuring your NTP servers with multiple NTP Stratum 1 servers.

Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net