Recipe 14.12 NTP Authentication

14.12.1 Problem

You want to authenticate your NTP packets.

14.12.2 Solution

Use the NTP authentication commands to authenticate NTP traffic between associations. To configure an NTP-enabled router to require authentication when other devices connect to it, use the following commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ntp authentication-key 2 md5 oreilly
Router1(config)#ntp authenticate
Router1(config)#ntp trusted-key 2
Router1(config)#end
Router1#

Then configure the same authentication key on the client router:

Router2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#ntp authentication-key 2 md5 oreilly
Router2(config)#ntp authenticate
Router2(config)#ntp trusted-key 2
Router2(config)#ntp server 172.25.1.5 key 2
Router2(config)#end
Router2#

14.12.3 Discussion

People often confuse authentication with encryption. Authentication proves the authenticity of a packet's source, whereas encryption encodes or enciphers the packet contents. For the purposes of NTP, proving the authenticity of the packet is critical, but encrypting the contents of the packet is unnecessary, since it only contains time information (which isn't terribly sensitive).

Cisco fully supports NTP authentication as defined in RFC 1305. Authentication ensures that NTP associations synchronize time only to known and trusted NTP servers. This prevents servers from masquerading as legitimate timeservers, either accidentally or intentionally.

Time services and the ability to manipulate time services are critical to organizations that may depend on accurate time for billing, business regulatory, fault isolation, or security purposes. In such organizations, there is at least a theoretical danger that somebody could put a false NTP server on the network to change the clocks, which could be useful in some larger nefarious scheme. To prevent such problems and enhance security, many organizations allow authenticated NTP relationships only within their corporate networks.

NTP uses the RSA Message Digest 5 (MD5) algorithm to provide cryptographic authentication of NTP packets. Although the NTP packet is not encrypted, a one-way hash computed over the packet with a pre-shared key ensures the authenticity of both the sender and the packet contents.
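The following Python script is an added illustration, not code from the Cisco Cookbook or from any router. It builds a 48-byte NTP header, appends the symmetric-key authenticator (a 4-byte key ID followed by the 16-byte MD5 digest of the key concatenated with the header, as RFC 1305 and its successor RFC 5905 specify), and then checks it the way a router with ntp authenticate and ntp trusted-key configured would: a missing authenticator, an untrusted key ID, a different key string for the same key number, or a header altered after signing is all rejected. The key table and trusted-key set stand in for the ntp authentication-key and ntp trusted-key commands; the key strings other than "oreilly" and the packet field values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header (no extension fields)
DIGEST_LEN = 16              # MD5 digest length

# Constructed stand-in for "ntp authentication-key <id> md5 <string>".
# Key 2 matches the recipe; key 3 is a constructed extra key.
KEY_TABLE = {2: b"oreilly", 3: b"constructed-second-key"}

# Constructed stand-in for "ntp trusted-key <id>": only key 2 is trusted.
TRUSTED_KEYS = {2}


def build_header(mode, version=3, stratum=4, poll=8):
    """Build a 48-byte NTPv3 header; timestamps are left zero (constructed)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode   # leap 0
    # precision -20 is a constructed value; the remaining 44 bytes are zero
    return struct.pack("!BBbb", li_vn_mode, stratum, poll, -20) + bytes(44)


def parse_header(header):
    """Decode the fields the debug trace prints (leap, mode, version, stratum, ppoll)."""
    li_vn_mode, stratum, poll, _precision = struct.unpack("!BBbb", header[:4])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "ppoll": 1 << poll,      # poll exponent 8 -> 256 seconds, as in the trace
    }


def ntp_mac(key, header):
    """Symmetric-key digest: MD5 over the key followed by the packet header."""
    return hashlib.md5(key + header).digest()


def sign_packet(header, key_id, key_table):
    """Append key ID and digest, as the sending peer does when a key is assigned."""
    return header + struct.pack("!I", key_id) + ntp_mac(key_table[key_id], header)


def verify_packet(packet, key_table, trusted_keys):
    """Return (accepted, reason), mirroring what a router with ntp authenticate does."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        return False, "no authenticator present"
    if len(mac) != 4 + DIGEST_LEN:
        return False, "malformed authenticator"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_keys:
        return False, "key %d is not a trusted key" % key_id
    key = key_table.get(key_id)
    if key is None:
        return False, "key %d is not configured" % key_id
    # constant-time comparison so timing does not leak digest bytes
    if not hmac.compare_digest(ntp_mac(key, header), mac[4:]):
        return False, "digest mismatch (different key string or altered packet)"
    return True, "authenticated with key %d" % key_id


def demo():
    """Exercise the accept and reject paths; returns a dict of outcomes."""
    client_request = sign_packet(build_header(mode=3, stratum=4), 2, KEY_TABLE)
    results = {"good": verify_packet(client_request, KEY_TABLE, TRUSTED_KEYS)[0]}
    # Same key number, but the other side holds a different key string
    results["wrong_string"] = verify_packet(client_request, {2: b"not-oreilly"}, TRUSTED_KEYS)[0]
    # Key 3 is configured on the receiver but never declared trusted
    untrusted = sign_packet(build_header(mode=3), 3, KEY_TABLE)
    results["untrusted_id"] = verify_packet(untrusted, KEY_TABLE, TRUSTED_KEYS)[0]
    # Stratum byte changed in flight after signing
    tampered = bytearray(client_request)
    tampered[1] = 1
    results["tampered"] = verify_packet(bytes(tampered), KEY_TABLE, TRUSTED_KEYS)[0]
    # Authenticator stripped entirely
    results["no_mac"] = verify_packet(client_request[:NTP_HEADER_LEN], KEY_TABLE, TRUSTED_KEYS)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-14s %s" % (case, "accepted" if accepted else "rejected"))
```

Only the "good" case is accepted; the other four show why both the key number and the key string must match on both peers, and why a key that is configured but not listed with ntp trusted-key still does nothing for incoming packets.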

The previous example shows a single client/server pair enabling authentication between them. The NTP client and server pair must share the same key number and value ("oreilly") before authentication will work. It is important to note that routers support multiple keys and can assign a different key for each association, if required. You can also configure the router to accept time updates from a mixture of authenticated and nonauthenticated servers. The example below shows portions of an NTP debug trace:

Router1#debug ntp packet
NTP packets debugging is on
Router1#debug ntp authentication 
NTP authentication debugging is on
Mar 18 22:39:12 EST: NTP: rcv packet from 172.16.2.2 to 172.25.1.7 
Mar 18 22:39:12 EST:  leap 0, mode 3, version 3, stratum 4, ppoll 256
Mar 18 22:39:12 EST:  Authentication key 2
Mar 18 22:39:12 EST: NTP: stateless xmit packet to 172.16.2.2:
Mar 18 22:39:12 EST:  leap 0, mode 4, version 3, stratum 3, ppoll 256
Mar 18 22:39:12 EST:  Authentication key 2

Notice that the client polled the server with authentication key 2 and the server responded with its NTP response and authentication key 2 as well. Assuming that both key 2 strings are also equal, the client will form an association with the server and synchronize its internal clock with the server's.

Broadcast and multicast NTP associations also support NTP authentication:

Router3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router3(config)#clock timezone EST -5
Router3(config)#clock summer-time EDT recurring
Router3(config)#ntp authentication-key 2 md5 oreilly
Router3(config)#ntp trusted-key 2
Router3(config)#ntp server 172.25.1.1
Router3(config)#interface ethernet0
Router3(config-if)#ntp multicast key 2
Router3(config-if)#end
Router3#

This example shows the configuration for an NTP multicast server that sends multicast packets using the default NTP address, 224.0.1.1, with authentication enabled. You can configure authentication for NTP broadcast mode similarly by adding the command:

Router3(config-if)#ntp broadcast key 2

It is important to note that NTP broadcast and multicast modes use a single key for the entire multicast domain.

Organizations that receive NTP feeds from the Internet cannot usually rely on NTP authentication because few public servers support authentication functionality. This is not a major concern since NTP algorithms ignore timeservers with outrageous dates and times. Reduce the risk of synchronizing to illegitimate NTP providers by pointing your NTP servers at multiple NTP Stratum 1 servers.
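As an added illustration of the last point (not code from the book, and a deliberate simplification rather than NTP's actual selection and clustering algorithms), the following Python function takes the measured clock offsets from several sources and discards any source whose offset is far from the majority. With three or more sources, a single server announcing a wildly wrong time is outvoted; with fewer, there is no majority to trust. The server names, offsets and the one-second tolerance are all constructed for the example.

```python
import statistics


def select_truechimers(offsets, max_deviation=1.0):
    """Keep sources whose offset is within max_deviation seconds of the median.

    offsets: dict of source name -> measured clock offset in seconds.
    Returns (kept, rejected). Simplified stand-in for NTP's selection logic:
    a lone source with an outrageous offset is dropped, but a single pair of
    disagreeing sources cannot be resolved, so three or more are required.
    """
    if len(offsets) < 3:
        raise ValueError("need at least three sources to outvote one bad one")
    median = statistics.median(offsets.values())
    kept = {name: off for name, off in offsets.items() if abs(off - median) <= max_deviation}
    rejected = sorted(set(offsets) - set(kept))
    return kept, rejected


# Constructed sample: three sane Stratum 1 offsets and one source an hour off.
SAMPLE_OFFSETS = {
    "stratum1-a": 0.012,
    "stratum1-b": -0.008,
    "stratum1-c": 0.021,
    "bogus-source": 3600.5,
}


if __name__ == "__main__":
    kept, rejected = select_truechimers(SAMPLE_OFFSETS)
    print("synchronizing to:", sorted(kept))
    print("ignored:", rejected)
```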
