http://www.oreilly.com/catalog/hardcisco/chapter/ch10.html

Authentication

For additional security, you can configure your NTP servers and clients to use authentication. Cisco routers support only MD5 authentication for NTP. To enable a router to do NTP authentication:

1. Enable NTP authentication with the ntp authenticate command.
2. Define an NTP authentication key with the ntp authentication-key command. A unique number identifies each NTP key. This number is the first argument to the ntp authentication-key command.
3. Use the ntp trusted-key command to tell the router which keys are valid for authentication. The ntp trusted-key command's only argument is the number of the key defined in the previous step.

To enable authentication on RouterOne and define key number 10 as MySecretKey, type:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 10 md5 MySecretKey
    RouterOne(config)#ntp trusted-key 10
    RouterOne(config)#^Z

WARNING: Configuring NTP authentication does not require all clients to use NTP authentication; it enables clients to use authentication. Your router will still respond to unauthenticated requests, so be sure to use ACLs to limit NTP access.

If your external NTP servers require authentication, you need to configure your router to use authentication when contacting those servers. To do this, perform the same steps listed previously to add an NTP authentication key; then use the ntp server command with the key argument to tell the router what key to use when authenticating with the NTP server:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 11 md5 MyOtherKey
    RouterOne(config)#ntp trusted-key 11
    RouterOne(config)#ntp server 130.218.59.4 key 11
    RouterOne(config)#^Z

Finally, to authenticate NTP peers, configure the same key on both systems and use the ntp peer command with the key argument to configure authentication:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 12 md5 MyPeeringKey
    RouterOne(config)#ntp trusted-key 12
    RouterOne(config)#ntp peer 135.26.100.2 key 12
    RouterOne(config)#^Z

---

Keep in mind the following: if you configure your clock as stratum 7, the peers who receive that clock will receive it as stratum 8, so maybe this is why the DocCD says the default value is 8. Try configuring another router as an NTP client and you will check it out. I can recommend a few books in which you will find everything about NTP; one of them is CCIE Practical Studies Volume II.

----

---------- Forwarded message ----------
From: "Nick"
To: "Cisco certification"
Date: Wed, 18 Jan 2006 18:35:12 +0900
Subject: NTP Authentication Experiment

Hi, all!!

I tested some NTP features case by case. Hope this may help, and please correct me if I'm wrong.

[ PRINCIPLE ]
There seem to be two NTP authentications; one for the NTP server itself, the other for NTP time information from the server.

[ CONFIGURATION COMMANDS ]
In the NTP server, ntp authentication-key x md5 KEY is used to send the KEY to the client so that the client can authenticate the "SERVER".
In the NTP client, ntp host x.x.x.x key KEY is used for NTP "server" authentication, and ntp trust-key KEY is used for NTP "TIME INFORMATION" from the server.
Following is the way I found the result.

[ TOPOLOGY ]
R5 is the NTP server, R4 is the NTP client.

[ PRECAUTION ]
For each step, the "ntp server" command should be deleted and re-entered so that we can see the result quickly.
[ NOTATIONS ]
Red letter represents time information authentication.
Blue letter represents server authentication.

[ TEST PROCESS-1 ]
SITUATION : Server Authentication Keys are the same, Time Authentication Keys are different.
RESULT : Server authentication was successful, but the time authentication failed.

    Rack5R5(config)#ntp authentication-key 1 md5 cisco
    Rack5R5(config)#ntp source Loopback0
    Rack5R5(config)#ntp master 3

    Rack5R4(config)#ntp authentication-key 1 md5 cisco
    Rack5R4(config)#ntp authentication-key 2 md5 ccie
    Rack5R4(config)#ntp authenticate
    Rack5R4(config)#ntp trusted-key 2
    Rack5R4(config)#ntp server 5.5.5.5 key 1
    Rack5R4(config)#do show ntp ass de
    5.5.5.5 configured, authenticated, insane, invalid, unsynced, stratum 16
    ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
    delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
    precision 2**5, version 3
    org time C778FA59.1056527C (17:33:13.063 UTC Wed Jan 18 2006)
    rcv time C778FA59.1B212885 (17:33:13.105 UTC Wed Jan 18 2006)
    xmt time C778FA59.0BF0263B (17:33:13.046 UTC Wed Jan 18 2006)
    filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Now, make the time information authentication key the same.
    Rack5R4(config)#no ntp trusted-key 2
    Rack5R4(config)#ntp trusted-key 1
    Rack5R4(config)#end
    Rack5R4#show ntp ass de
    5.5.5.5 configured, authenticated, our_master, sane, valid, stratum 3
    ref ID 127.127.7.1, time C778FAD8.F5510A7F (17:35:20.958 UTC Wed Jan 18 2006)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.419
    delay 58.76 msec, offset -8.1920 msec, dispersion 15875.02
    precision 2**18, version 3
    org time C778FAD9.11E61481 (17:35:21.069 UTC Wed Jan 18 2006)
    rcv time C778FAD9.1B848430 (17:35:21.107 UTC Wed Jan 18 2006)
    xmt time C778FAD9.0C4AA6A5 (17:35:21.048 UTC Wed Jan 18 2006)
    filtdelay =    58.76    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =   -8.19    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =     0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

    Rack5R4#show ntp ass
          address         ref clock     st  when  poll reach  delay  offset    disp
    *~5.5.5.5         127.127.7.1       3    20    64     1    58.8   -8.19  15875.
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured

[ TEST PROCESS-2 ]
SITUATION : Server Authentication Keys are different, Time Authentication Keys are the same.
RESULT : Because the server was not authenticated, the time info was not used.
    Rack5R5(config)#ntp authentication-key 1 md5 cisco
    Rack5R5(config)#ntp source Loopback0
    Rack5R5(config)#ntp master 3

    Rack5R4(config)#ntp authentication-key 1 md5 cisco
    Rack5R4(config)#ntp authentication-key 2 md5 ccie
    Rack5R4(config)#ntp authenticate
    Rack5R4(config)#ntp trusted-key 1
    Rack5R4(config)#ntp server 5.5.5.5 key 2
    Rack5R4(config)#
    .Jan 18 17:44:47.098: Authentication key 0
    .Jan 18 17:44:48.096: Authentication key 0
    Rack5R4(config)#do show ntp ass de
    5.5.5.5 configured, insane, invalid, unsynced, stratum 16
    ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
    delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
    precision 2**5, version 3
    org time C778FD11.0FA1EDD6 (17:44:49.061 UTC Wed Jan 18 2006)
    rcv time C778FD11.191DE152 (17:44:49.098 UTC Wed Jan 18 2006)
    xmt time C778FD11.09DB7C30 (17:44:49.038 UTC Wed Jan 18 2006)
    filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Now, make the server authentication key the same.
    Rack5R4(config)#ntp server 5.5.5.5 key 1
    Rack5R4(config)#
    .Jan 18 17:47:04.097: Authentication key 1
    Rack5R4(config)#do show ntp ass de
    5.5.5.5 configured, authenticated, our_master, sane, valid, stratum 3
    ref ID 127.127.7.1, time C778FD87.F5D378DA (17:46:47.960 UTC Wed Jan 18 2006)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15904.663
    delay 59.23 msec, offset -8.6605 msec, dispersion 15875.02
    precision 2**18, version 3
    org time C778FD98.0F23A584 (17:47:04.059 UTC Wed Jan 18 2006)
    rcv time C778FD98.18F090AB (17:47:04.097 UTC Wed Jan 18 2006)
    xmt time C778FD98.099723CB (17:47:04.037 UTC Wed Jan 18 2006)
    filtdelay =    59.23    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =   -8.66    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =     0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

[ TEST PROCESS-3 ]
SITUATION : The client authenticates the time information but NOT the server.
RESULT : Server authentication has not been done. Not sure whether the time authentication occurred.
    Rack5R5(config)#ntp authentication-key 1 md5 cisco
    Rack5R5(config)#ntp source Loopback0
    Rack5R5(config)#ntp master 3

    Rack5R4(config)#ntp authentication-key 1 md5 cisco
    Rack5R4(config)#ntp authenticate
    Rack5R4(config)#ntp trusted-key 1
    Rack5R4(config)#ntp server 5.5.5.5
    Rack5R4(config)#do show ntp ass de
    5.5.5.5 configured, our_master, sane, valid, stratum 3
    ref ID 127.127.7.1, time C778FEC7.F5FA8878 (17:52:07.960 UTC Wed Jan 18 2006)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.03, reach 1, sync dist 15900.238
    delay 50.40 msec, offset 2.3760 msec, dispersion 15875.02
    precision 2**18, version 3
    org time C778FECE.790F84EE (17:52:14.472 UTC Wed Jan 18 2006)
    rcv time C778FECE.7EE796DE (17:52:14.495 UTC Wed Jan 18 2006)
    xmt time C778FECE.71FBB84A (17:52:14.445 UTC Wed Jan 18 2006)
    filtdelay =    50.40    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =    2.38    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =     0.02 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

[ TEST PROCESS-4 ]
SITUATION : The client authenticates the server but NOT the time information.
RESULT : Even though the server itself was successfully authenticated, the time info was not used. Since authentication has been enabled, the trust-key must be designated in the client.

REFERENCE : http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf012.htm#wp1019137

Usage Guidelines
If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.
    Rack5R5(config)#ntp authentication-key 1 md5 cisco
    Rack5R5(config)#ntp source Loopback0
    Rack5R5(config)#ntp master 3

    Rack5R4(config)#ntp authentication-key 1 md5 cisco
    Rack5R4(config)#ntp authenticate
    Rack5R4(config)#ntp server 5.5.5.5 key 1
    Rack5R4(config)#
    .Jan 18 17:54:36.506: Authentication key 1
    .Jan 18 17:54:37.504: Authentication key 1
    Rack5R4(config)#
    Rack5R4(config)#
    Rack5R4(config)#do show ntp ass de
    5.5.5.5 configured, authenticated, insane, invalid, unsynced, stratum 16
    ref ID 0.0.0.0, time 00000000.00000000 (00:00:00.000 UTC Mon Jan 1 1900)
    our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.00, reach 0, sync dist 0.000
    delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
    precision 2**5, version 3
    org time C778FF5F.C01C3A0A (17:54:39.750 UTC Wed Jan 18 2006)
    rcv time C778FF5F.8114AD7C (17:54:39.504 UTC Wed Jan 18 2006)
    xmt time C778FF60.720CB405 (17:54:40.445 UTC Wed Jan 18 2006)
    filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
    filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0

Regards,
Nick

----
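As an added example (not code from the O'Reilly chapter, from Cisco, or from Nick's post), the following Python models the symmetric-key MD5 MAC that the ntp authentication-key / ntp server ... key / ntp trusted-key settings above operate on: the sender appends a 4-byte key ID plus MD5(key || 48-byte header), and the receiver accepts the packet only if that key ID is configured, the digest matches, and the key ID is in its trusted set. The verdict strings, the zero-filled sample header and the use of the thread's key values (cisco, ccie) are constructed for this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set

# Added example, not code from the O'Reilly chapter or Nick's post.
# Symmetric-key NTP authentication (RFC 1305 App. C / RFC 5905 sec. 7.3):
#   MAC = key_id (4 bytes, big-endian) || MD5(key || 48-byte header)
# 'keys' plays the role of 'ntp authentication-key N md5 KEY',
# 'trusted' the role of 'ntp trusted-key N'.

HEADER_LEN = 48      # fixed NTP header, before any MAC
MAC_LEN = 4 + 16     # key id + MD5 digest


def build_client_header(version: int = 3) -> bytes:
    """Constructed NTP client request: LI=0, VN=version, mode=3 (client).
    Timestamps are left zero; this is a sample, not a capture."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack("!B", first) + b"\x00" * (HEADER_LEN - 1)


def sign_packet(header: bytes, key_id: int, key: str) -> bytes:
    """Append key id and MD5(key || header), as the sending router does."""
    digest = hashlib.md5(key.encode("ascii") + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet: bytes, keys: Dict[int, str], trusted: Set[int]) -> str:
    """Receiver-side check; returns a short verdict string."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return "unauthenticated"       # no MAC on the packet at all
    header = packet[:HEADER_LEN]
    mac = packet[HEADER_LEN:HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return "unknown key id"        # no ntp authentication-key for this id
    expected = hashlib.md5(keys[key_id].encode("ascii") + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "bad digest"            # key value differs between the two routers
    if key_id not in trusted:
        return "key not trusted"       # digest ok, but id missing from ntp trusted-key
    return "authenticated"


if __name__ == "__main__":
    pkt = sign_packet(build_client_header(), 1, "cisco")
    print(verify_packet(pkt, {1: "cisco", 2: "ccie"}, {2}))  # key not trusted
    print(verify_packet(pkt, {1: "cisco", 2: "ccie"}, {1}))  # authenticated
```

The "key not trusted" verdict is the situation of TEST PROCESS-1 above: the digest under key 1 checks out (the association shows "authenticated"), but key 1 is not listed under ntp trusted-key, so the peer is never used for synchronization.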