Dec 28

Hi Brian, I configured NTP on 2 routers back-to-back with authentication (MD5). So far everything works fine. I removed authentication on one of the routers (no ntp authenticate) and they continue to sync. I even rebooted the router on which I had removed the authentication and they still sync. Any ideas why?

A common misconception about NTP authentication concerns the direction in which authentication occurs. The behaviour makes perfect sense once you ask yourself one question: what is the purpose of using NTP authentication?

One clear answer is that authentication protects the integrity of the time a device receives, and with it the timestamps on the logs that device generates. To attack NTP, an attacker makes a rogue host appear to be a valid NTP server, because a client will set its clock from whatever its server tells it. NTP authentication therefore exists to authenticate the time source to the client, not the client to the server: the client sends a key ID with its request, the server answers with an MD5 message digest computed over the reply and the shared key, and the client only accepts the reply if that digest checks out. A server does not require a client to prove anything before answering it.

Take the following scenario:

R1–12.0.0.0/8–R2

R1 and R2 share the segment 12.0.0.0/8. R1 is the NTP master, and R2 is the client. To get a better understanding of how NTP authentication works, try the following possible configurations and see which of them work and which of them do not.

Case 1: No authentication

R1#sh run | in ntp
ntp master 1

R2#sh run | in ntp server
ntp server 12.0.0.1

R2#sh ntp status | in synch
Clock is synchronized, stratum 2, reference is 12.0.0.1

R2#show ntp associations detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 2: Authentication on server, no authentication on client

R1#sh run | in ntp
ntp authentication-key 1 md5 121A0C041104 7
ntp authenticate
ntp master 1

R2#sh run | in ntp
ntp clock-period 17179863
ntp server 12.0.0.1

R2#sh ntp status | in sync
Clock is synchronized, stratum 2, reference is 12.0.0.1

R2#sh ntp assoc detail
12.0.0.1 configured, our_master, sane, valid, stratum 1

Case 3: No authentication on server, authentication on client

R1#sh run | in ntp
ntp master 1

R2#sh run | in ntp
ntp authentication-key 1 md5 08701E1F28492647465A5D547E 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179863
ntp server 12.0.0.1 key 1

R2#sh ntp status | in sync
Clock is unsynchronized, stratum 16, no reference clock

R2#sh ntp assoc detail
12.0.0.1 configured, insane, invalid, unsynced, stratum 16

Case 4: Authentication on server and client

R1#sh run | in ntp
ntp authentication-key 1 md5 0822455D0A16 7
ntp authenticate
ntp master 1

R2#sh run | in ntp
ntp authentication-key 1 md5 060506324F41 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179865
ntp server 12.0.0.1 key 1

R2#sh ntp status | in sync
Clock is synchronized, stratum 2, reference is 12.0.0.1

R2#sh ntp assoc detail
12.0.0.1 configured, authenticated, our_master, sane, valid, stratum 1

As shown by the above configurations, NTP authentication is used to authenticate the NTP source, not any associated clients. Two practical consequences follow. First, "ntp authenticate" on the server (Case 2) does nothing to stop unauthenticated clients from syncing to it; restricting who may query the server is the job of "ntp access-group", not of authentication. Second, for the client to end up "authenticated" (Case 4) the server must hold the same key under the same key ID so that it can sign its replies; on some newer IOS releases the server must also mark that key with "ntp trusted-key", otherwise it answers with a crypto-NAK and the client stays "insane" (see the debug output in the comments below).
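To make the direction of the check concrete, here is an added example written for this post (it is not Cisco IOS code and not part of the original article) that models the request/reply exchange with the symmetric-key MD5 message authentication code NTP uses: the client appends its key ID and a digest to the request, the server appends its own digest to the reply only when it holds that key and has it marked trusted (the behaviour of newer IOS releases and of RFC 5905; otherwise it sends a crypto-NAK, key ID 0 with no digest), and the client decides whether to trust the reply. The key material, key IDs and the server's policy are constructed for the demo; the run_case calls reproduce the four cases above, and rogue_reply shows why a host that does not know the key cannot pass for the server.

```python
import hashlib
import struct
import time

# Added example: a model of NTP symmetric-key (MD5) authentication in the
# client/server exchange, written for this post; it is not Cisco IOS code.
# Key IDs and secrets used with it are constructed for the demo.
NTP_HEADER_LEN = 48
MD5_DIGEST_LEN = 16
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def ntp_header(mode, stratum=0, ref_id=b"\x00\x00\x00\x00"):
    """Build a minimal 48-byte NTPv4 header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode      # LI=0, VN=4, mode 3=client, 4=server
    now = time.time()
    xmt = (int(now) + NTP_EPOCH_OFFSET) << 32 | int((now % 1) * 2**32)
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20,
                       0, 0, ref_id, 0, 0, 0, xmt)


def md5_mac(key, header):
    """RFC 5905 symmetric-key MAC: MD5 over the key material followed by the header."""
    return hashlib.md5(key + header).digest()


def parse_packet(packet):
    """Split a packet into (header, key_id, digest); key_id/digest are None when absent.
    A 52-byte packet carries a key ID with no digest: key ID 0 there is a crypto-NAK."""
    if len(packet) not in (NTP_HEADER_LEN, NTP_HEADER_LEN + 4,
                           NTP_HEADER_LEN + 4 + MD5_DIGEST_LEN):
        raise ValueError("unexpected NTP packet length %d" % len(packet))
    header = packet[:NTP_HEADER_LEN]
    if len(packet) == NTP_HEADER_LEN:
        return header, None, None
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:] or None
    return header, key_id, digest


def build_request(key_id=None, key=None):
    """Client request: 'ntp server <ip> key <id>' appends key ID + MAC, plain 'ntp server' does not."""
    header = ntp_header(mode=3)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


def server_reply(request, keys, trusted_keys):
    """Server side. keys maps key ID -> secret ('ntp authentication-key'); trusted_keys is the
    set of IDs from 'ntp trusted-key'. Unauthenticated requests are answered regardless."""
    header, key_id, digest = parse_packet(request)
    reply = ntp_header(mode=4, stratum=1, ref_id=b"LOCL")
    if key_id is None:
        return reply                                   # Cases 1 and 2: plain reply
    key = keys.get(key_id)
    if key is None or key_id not in trusted_keys or digest != md5_mac(key, header):
        return reply + struct.pack("!I", 0)            # crypto-NAK: key ID 0, no digest
    return reply + struct.pack("!I", key_id) + md5_mac(key, reply)


def rogue_reply(key_id):
    """A rogue host posing as the server: it saw the key ID in the request but has no key."""
    reply = ntp_header(mode=4, stratum=1, ref_id=b"LOCL")
    return reply + struct.pack("!I", key_id) + b"\x00" * MD5_DIGEST_LEN


def client_check(reply, key_id=None, key=None):
    """What the client does with a reply, named after the 'show ntp associations' keywords."""
    header, reply_key_id, digest = parse_packet(reply)
    if key_id is None:
        return "sane"                                  # no 'ntp authenticate': accept as-is
    if reply_key_id == 0 and digest is None:
        return "insane (crypto-NAK)"
    if reply_key_id != key_id or digest is None:
        return "insane (unauthenticated reply)"
    if digest != md5_mac(key, header):
        return "insane (bad MAC)"
    return "authenticated"


def run_case(client_key_id, client_key, server_keys, server_trusted):
    """Drive one request/reply exchange and return the client's verdict."""
    request = build_request(client_key_id, client_key)
    reply = server_reply(request, server_keys, server_trusted)
    return client_check(reply, client_key_id, client_key)


if __name__ == "__main__":
    KEY = b"cisco123"   # constructed shared secret for the demo
    print("Case 1:", run_case(None, None, {}, set()))          # sane
    print("Case 2:", run_case(None, None, {1: KEY}, {1}))      # sane
    print("Case 3:", run_case(1, KEY, {}, set()))              # insane (crypto-NAK)
    print("Case 4:", run_case(1, KEY, {1: KEY}, {1}))          # authenticated
    print("Rogue :", client_check(rogue_reply(1), 1, KEY))     # insane (bad MAC)
```

The server never refuses a plain request, which is exactly what Case 2 shows on real routers; the only party that ever rejects a packet on authentication grounds is the client, and it does so whenever the reply lacks a digest it can verify with its own copy of the key.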

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.




11 Responses to “How does NTP authentication work?”

 
  1. Dara says:

    R1#sh run | in ntp
    ntp authentication-key 1 md5 0822455D0A16 7
    ntp authenticate <<<<< I didn't find this necessary on the NTP server (since it's not authenticating any time source)
    ntp master 1

    R2#sh run | in ntp
    ntp authentication-key 1 md5 060506324F41 7
    ntp authenticate
    ntp trusted-key 1
    ntp clock-period 17179865
    ntp server 12.0.0.1 key 1

    Thanks a lot for nice article !!!

  2. Ovesnel says:

    Great article Brian !!
    Thanks.

  3. Satinder Singh says:

    Great article from great people.

  4. Hamed Hajeer says:

    Hi all,

    Can anyone help me find SNMP in the DOC-CD?

    I searched under system management but didn't find it.

    Thanks

  5. Bakker Ghanayem says:

    Why did you not use trusted-key on the server?

    What is the configuration if I have three routers, where one is the server, one of the other routers authenticates with the server and the other does not?

  6. Krunal says:

    It looks like ntp trusted-key 1 is also required on the NTP server. See the following result. I have configured NTP between two routers, R3 and R5. Following are the results.

    *Sep 3 06:54:11.469: Authentication key 0
    Rack22R3#
    Rack22R3#sh debug
    IP routing:
    IP routing debugging is on
    NTP:
    NTP authentication debugging is on

    *Sep 3 06:54:45.189: RT: NET-RED 0.0.0.0/0
    Rack22R3#
    Rack22R3#
    Rack22R3#sh run | in ntp
    ntp logging
    ntp authentication-key 1 md5 05080F1C2243 7
    ntp authenticate
    ntp trusted-key 1
    ntp server 22.22.0.130 key 1 source Loopback0
    Rack22R3#
    *Sep 3 06:55:15.469: Authentication key 0
    Rack22R3#

    /*************************************************************************/
    Rack22R5#sh run | in ntp
    ntp logging
    ntp authentication-key 1 md5 00071A150754 7
    ntp authenticate
    ntp source FastEthernet0/1
    ntp master 5
    ntp update-calendar
    ntp server 22.22.254.254 source Loopback0
    Rack22R5#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Rack22R5(config)#ntp tru
    Rack22R5(config)#ntp trusted-key 1
    Rack22R5(config)#
    /*************************************************************************/

    Rack22R3#
    Rack22R3#sh ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
    reference time is 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    Rack22R3#
    *Sep 3 06:56:19.469: Authentication key 1
    *Jan 1 08:20:11.900: %SYS-6-CLOCKUPDATE: System clock has been updated from 06:56:19 UTC Fri Sep 3 2010 to 08:20:11 UTC Sat Jan 1 2000, configured from NTP by 22.22.0.130.
    Rack22R3#
    Rack22R3#
    Rack22R3#sh ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
    reference time is D02B1A93.78FC31D4 (06:56:19.472 UTC Fri Sep 3 2010)
    clock offset is -336782167569.6788 msec, root delay is 30.61 msec
    root dispersion is 7352305.74 msec, peer dispersion is 16000.00 msec

    Rack22R3#sh ntp
    .Jan 1 08:20:37.619: RT: NET-RED 0.0.0.0/0asso
    Rack22R3#sh ntp associations detail
    22.22.0.130 configured, authenticated, insane, invalid, stratum 5
    ref ID 127.127.1.1, time BC18372D.F1D81B08 (08:19:57.944 UTC Sat Jan 1 2000)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.41, reach 0, sync dist 15890.732
    delay 30.61 msec, offset -336782167569.6788 msec, dispersion 16000.00
    precision 2**24, version 3
    org time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    rcv time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    xmt time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

    Rack22R3#
    Rack22R3#
    .Jan 1 08:21:15.899: Authentication key 1
    Jan 1 08:21:15.899: %NTP-5-PEERSYNC: NTP synced to peer 22.22.0.130
    Jan 1 08:21:15.899: %NTP-6-PEERREACH: Peer 22.22.0.130 is reachable
    Rack22R3#
    Rack22R3#
    Rack22R3#sh ntp status
    Clock is synchronized, stratum 6, reference is 22.22.0.130
    nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
    reference time is BC18377B.E72A6E5B (08:21:15.902 UTC Sat Jan 1 2000)
    clock offset is 2.7219 msec, root delay is 30.69 msec
    root dispersion is 15878.10 msec, peer dispersion is 15875.02 msec

  7. Eric says:

    Petr,

    Could you comment on your experience with this symmetric authentication in the client/server mode? After going through the 12.4t releases notes and much labbing, I am unable to reproduce a scenario where the trusted-key is necessary on the server for the client to sync. AFAIK, key 0 means “invalid key”. It is sent in replies when an invalid key is sent by a client.

    Thanks!

  8. Swapnil Nawale says:

    Hi Brian McGahan,

    Thanks a ton for such nice examples and explanation for making this concept clear. Good day!!

  9. satisfied_ine_customer says:

    (i) One can confirm that "ntp trusted-key" is also required on the ntp-server side in 15.2 code (IOU), since if it's not, then "debug ntp all" (on the client) reveals this message:

    : NTP Core (INFO): C01C 8C bad_auth crypto_NAK

    (ii) Perhaps ine.com can document a ladder diagram of ntp authentication with an explication of the commands, aside from the 4 cases Brian M. has given above?

    Thank you and great job with a great site.

    In passing, I also like your PfR video!

 
