NTP
Quick question on NTP
Is it possible to force authentication? What I am saying is, can I force a client to authenticate to my NTP master? In the lab, if I set up NTP authentication on one router, I can set another box up without NTP authentication and it will pull the proper time. I guess I could set up an access list of the devices I want to allow to pull my time off my router, but was wondering then what's the point of MD5 authentication?
Maybe there is a command I don't know about to force authentication?
Ed,
Blogs and organic groups at http://www.ccie.net
_______________________________________________________________________ Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
The client authenticates the server. Never the other way around.
-Mike
NTP authentication is initialized by the NTP client.
I.e. the relationship can be formed if the client initiates the authentication and the server responds to it.
The “ntp authenticate” CLI is required only on the NTP client.
Gaurav Madan CCIE # 23863
Hi,
In general, the device which adjusts the time (NTP Request) authenticates the source of the time information (which sends the NTP Update). The server only derives the Key Number but does not verify the hash. Try to configure it similarly to the client; maybe then it will force it to verify the hash as well (but I am not sure if it is going to change anything in the client-server relationship).
For NTP peers, because they adjust time based on each other, it makes perfect sense to authenticate each other as well.
You can always use the NTP Access Control on the client/server to specify who you can accept NTP Requests/NTP Updates from.
Cheers, Piotr
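
An added illustration, not part of the original thread, of the client-side check the replies describe: with NTP symmetric-key authentication the MD5 digest is computed over the shared key followed by the 48-byte NTP header, and it is the client that decides whether to accept a reply. The key value, key IDs, sample header and function names are constructed for this example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48      # fixed NTP header, before any MAC
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest


def ntp_mac(key: bytes, header: bytes) -> bytes:
    """Symmetric-key NTP digest: MD5 over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Reply from a server that holds the key: header + key ID + digest."""
    return header + struct.pack("!I", key_id) + ntp_mac(key, header)


def client_accepts(packet: bytes, trusted: dict, authenticate: bool) -> bool:
    """Client-side decision; `trusted` maps trusted key IDs to key bytes."""
    if not authenticate:
        # A client without authentication takes any well-formed reply,
        # which is why the unauthenticated lab router still got the time.
        return len(packet) >= NTP_HEADER_LEN
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False                      # reply carries no MAC, or a malformed one
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[48:52])
    key = trusted.get(key_id)
    if key is None:
        return False                      # key ID is not in the trusted set
    return hmac.compare_digest(packet[52:], ntp_mac(key, header))


def sample_server_header() -> bytes:
    """Constructed sample: LI=0, VN=3, Mode=4 (server), stratum 3, rest zeroed."""
    return bytes([0x1C, 3, 6, 0xEC]) + bytes(44)


if __name__ == "__main__":
    keys = {1: b"constructed-key"}        # constructed shared secret
    hdr = sample_server_header()
    print("signed reply, auth client:  ", client_accepts(sign(hdr, 1, keys[1]), keys, True))
    print("unsigned reply, auth client:", client_accepts(hdr, keys, True))
    print("unsigned reply, plain client:", client_accepts(hdr, keys, False))
```

The digest protects the client from accepting time from a source that does not hold the key; limiting which devices may query the server is the job of the access control mentioned in the last reply.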