    28 December 07

    How does NTP authentication work?

    Posted by Brian McGahan


    Hi Brian, I configured NTP on 2 Routers back-to-back with authentication (md5). So far everything works fine. I removed authentication on one of the Routers (no ntp authenticate) and they continue to sync. I even rebooted the router on which I had removed the authentication and they still sync. Any ideas why?

    A common misconception about NTP authentication concerns the direction in which authentication occurs. The behavior makes perfect sense, however, once you ask yourself this question: what is the purpose of using NTP authentication?

    One clear answer is that authentication is used to prevent tampering with the timestamps on the logs generated by devices. To implement an attack on NTP, a hacker would make their rogue host appear to be a valid NTP server. NTP authentication is therefore used to authenticate the time source, not the client.

    Take the following scenario:

    R1--12.0.0.0/8--R2

    R1 and R2 share the segment 12.0.0.0/8. R1 is the NTP master, and R2 is the client. To get a better understanding of how NTP authentication works, try the following possible configurations and see which of them work and which of them do not.

    Case 1: No authentication

    R1#sh run | in ntp
    ntp master 1

    R2#sh run | in ntp server
    ntp server 12.0.0.1

    R2#sh ntp status | in synch
    Clock is synchronized, stratum 2, reference is 12.0.0.1

    R2#show ntp associations detail
    12.0.0.1 configured, our_master, sane, valid, stratum 1

    Case 2: Authentication on server, no authentication on client

    R1#sh run | in ntp
    ntp authentication-key 1 md5 121A0C041104 7
    ntp authenticate
    ntp master 1

    R2#sh run | in ntp
    ntp clock-period 17179863
    ntp server 12.0.0.1

    R2#sh ntp status | in sync
    Clock is synchronized, stratum 2, reference is 12.0.0.1

    R2#sh ntp assoc detail
    12.0.0.1 configured, our_master, sane, valid, stratum 1

    Case 3: No authentication on server, authentication on client

    R1#sh run | in ntp
    ntp master 1

    R2#sh run | in ntp
    ntp authentication-key 1 md5 08701E1F28492647465A5D547E 7
    ntp authenticate
    ntp trusted-key 1
    ntp clock-period 17179863
    ntp server 12.0.0.1 key 1

    R2#sh ntp status | in sync
    Clock is unsynchronized, stratum 16, no reference clock

    R2#sh ntp assoc detail
    12.0.0.1 configured, insane, invalid, unsynced, stratum 16

    Case 4: Authentication on server and client

    R1#sh run | in ntp
    ntp authentication-key 1 md5 0822455D0A16 7
    ntp authenticate
    ntp master 1

    R2#sh run | in ntp
    ntp authentication-key 1 md5 060506324F41 7
    ntp authenticate
    ntp trusted-key 1
    ntp clock-period 17179865
    ntp server 12.0.0.1 key 1

    R2#sh ntp status | in sync
    Clock is synchronized, stratum 2, reference is 12.0.0.1

    R2#sh ntp assoc detail
    12.0.0.1 configured, authenticated, our_master, sane, valid, stratum 1

    As shown by the above configurations, NTP authentication is used to authenticate the NTP source, not any associated clients.
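The four cases above can be reproduced with a small model of the symmetric-key check, added here as an illustration and not taken from the original post or from Cisco IOS. It assumes the standard NTP MAC layout (a 4-byte key ID followed by MD5 over the key and the 48-byte header); the key value, the sample header and the function names are constructed for the example.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header; the optional MAC follows it
MAC_LEN = 20      # 4-byte key ID + 16-byte MD5 digest

def mac(key: bytes, key_id: int, header: bytes) -> bytes:
    """Symmetric-key NTP MAC: key ID followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()

def server_reply(header: bytes, request_key_id, server_keys: dict) -> bytes:
    """Simplified time source: signs the reply only if the request named a key it holds."""
    if request_key_id is not None and request_key_id in server_keys:
        return header + mac(server_keys[request_key_id], request_key_id, header)
    return header  # unauthenticated reply, no MAC appended

def client_accepts(packet: bytes, expect_key_id, trusted_keys: dict) -> bool:
    """Simplified client: with 'ntp server ... key N' the reply must verify under trusted key N."""
    header, tail = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if expect_key_id is None:
        return True  # client was never told to authenticate this source
    if len(tail) != MAC_LEN or expect_key_id not in trusted_keys:
        return False
    expected = mac(trusted_keys[expect_key_id], expect_key_id, header)
    return hmac.compare_digest(tail, expected)  # constant-time comparison

def run_case(server_keys: dict, client_key_id, client_keys: dict) -> bool:
    # Constructed header: LI=0, VN=3, mode=4 (server), stratum 1, rest zeroed.
    header = bytes([0x1C, 1, 6, 0xEC]) + bytes(44)
    reply = server_reply(header, client_key_id, server_keys)
    return client_accepts(reply, client_key_id, client_keys)

KEY = b"constructed-key"  # sample value, not from the page
CASES = {
    "case 1": run_case({}, None, {}),               # no authentication
    "case 2": run_case({1: KEY}, None, {}),         # server only
    "case 3": run_case({}, 1, {1: KEY}),            # client only
    "case 4": run_case({1: KEY}, 1, {1: KEY}),      # both, same key
    "key mismatch": run_case({1: b"other"}, 1, {1: KEY}),
}

if __name__ == "__main__":
    for name, ok in CASES.items():
        print(f"{name}: {'synchronized' if ok else 'rejected'}")
```

Every rejection happens in `client_accepts`, which is why removing authentication from the client (Case 2) leaves synchronization intact while removing it from the server (Case 3) does not.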
