NetworkLabNotes/chapter/ntp.tex

\chapter{NTP}

\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.

\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:}

\begin{txt}
clock timezone MET 1 0
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
\end{txt}

\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:}

\begin{txt}
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
\end{txt}

A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar}

\fig{ntp/ntp}{ntp}{\gls{ntp}}

\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}.

\subsection{Characteristics}

\begin{itemize}
	\item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst},
	\item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond.,
	\item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval.
\end{itemize}

\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}

\section{The old NTP from \tsq{85}}

\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.

\begin{cisco}
	! Core NTP configuration
	ntp update-calendar             ! update hardware clock (certain hardware only, i.e. 6509s)
	ntp server 192.0.2.1            ! a time server you sync with
	ntp peer   192.0.2.2            ! a time server you sync with and allow to sync to you
	ntp source Loopback0            ! we recommend using a loopback interface for sending NTP messages if possible
	!
	! NTP access control
	ntp access-group query-only 1   ! deny all NTP control queries
	ntp access-group serve 1        ! deny all NTP time and control queries by default
	ntp access-group peer 10        ! permit time sync to configured peer(s)/server(s) only
	ntp access-group serve-only 20  ! permit NTP time sync requests from a select set of clients
	!
	! access control lists (ACLs)
	access-list 1 remark utility ACL to block everything
	access-list 1 deny any
	!
	access-list 10 remark NTP peers/servers we sync to/with
	access-list 10 permit 192.0.2.1
	access-list 10 permit 192.0.2.2
	access-list 10 deny any
	!
	access-list 20 remark Hosts/Networks we allow to get time from us
	access-list 20 permit 192.0.2.0 0.0.0.255
	access-list 20 deny any
\end{cisco}

\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.

\section{Secure NTP}

\subsection{Characteristics}

\begin{itemize}
	\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
	\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
\end{itemize}

\subsubsection{Configure SNTP}

\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.

\begin{cisco}
ntp authenticate                            ! enable NTP authentication
ntp authentication-key [key-id] md5 [hash]  ! define a NTP authentication key
ntp trusted-key [key-id]                    ! mark a NTP authentication key as trusted
ntp peer [peer_address] key [key-id]        ! form a authenticated session with a peer
ntp server [server_address] key [key-id]    ! form a authenticated session with a server
\end{cisco}

\subsection{Versions}

Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
\begin{itemize}
	\item support for \gls{ipv6}.
	\item The security in the protocol is upped to with support for X509 certs.
	\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in  a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
	\item \cliline{ntp-server ipv6-addr version 4}
\end{itemize}
NTP: Initial commit 2017-06-01 21:48:34 +00:00			`\chapter{NTP}`

			`\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.`
Changed file structure 2017-06-01 18:41:55 +00:00
updated ntp.tex 2017-06-01 22:14:20 +00:00			`\textbf{Configure timezone}\\In this case it\tsq{s} for \gls{metdst}\textbf{:}`

			`\begin{txt}`
			`clock timezone MET 1 0`
			`clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00`
			`\end{txt}`

			`\textbf{Configure used timezone}\\when doing logging and debugging operations\textbf{:}`

			`\begin{txt}`
			`service timestamps debug datetime msec localtime show-timezone`
			`service timestamps log datetime msec localtime show-timezone`
			`\end{txt}`

Updated ntp.tex 2017-06-03 12:58:12 +00:00			`A select number of Cisco switches support synchronization with the hardware clock, too. The standard is to only sync the software clock.\\\cliline{ntp update-calendar}`

update chapter ntp 2017-06-02 01:18:30 +00:00			`\fig{ntp/ntp}{ntp}{\gls{ntp}}`

			`\gls{ntp} servers are a hierarchical tree with stratum 0 servers as the authoritative in the tree. These servers get their time from either \gls{gprs} satellites or atomic clocks {\footnotesize (i.e. an authoritative time \gls{src})}.`

			`\subsection{Characteristics}`

			`\begin{itemize}`
			`\item Uses \gls{udp} port 123 on both \gls{src} and \gls{dst},`
			`\item polling interval ranging from 64-1024 sec. Length of interval is dependant upon network cond.,`
			`\item large differences between \gls{ntp} reference time and local client time will result in increased pooling interval.`
			`\end{itemize}`

			`\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}`

Changed file structure 2017-06-01 18:41:55 +00:00			`\section{The old NTP from \tsq{85}}`

updated ntp.tex 2017-06-04 00:39:12 +00:00			`\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.`

			`\begin{cisco}`
			`! Core NTP configuration`
			`ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s)`
			`ntp server 192.0.2.1 ! a time server you sync with`
			`ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you`
			`ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible`
			`!`
			`! NTP access control`
			`ntp access-group query-only 1 ! deny all NTP control queries`
			`ntp access-group serve 1 ! deny all NTP time and control queries by default`
			`ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only`
			`ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients`
			`!`
			`! access control lists (ACLs)`
			`access-list 1 remark utility ACL to block everything`
			`access-list 1 deny any`
			`!`
			`access-list 10 remark NTP peers/servers we sync to/with`
			`access-list 10 permit 192.0.2.1`
			`access-list 10 permit 192.0.2.2`
			`access-list 10 deny any`
			`!`
			`access-list 20 remark Hosts/Networks we allow to get time from us`
			`access-list 20 permit 192.0.2.0 0.0.0.255`
			`access-list 20 deny any`
			`\end{cisco}`

ntp.tex 2017-06-04 20:51:49 +00:00			`\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.`

Changed file structure 2017-06-01 18:41:55 +00:00			`\section{Secure NTP}`

update chapter ntp 2017-06-02 01:18:30 +00:00			`\subsection{Characteristics}`

			`\begin{itemize}`
updated ntp.tex 2017-06-04 00:39:12 +00:00			`\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,`
			`\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}`
update chapter ntp 2017-06-02 01:18:30 +00:00			`\end{itemize}`
updated ntp.tex 2017-06-04 00:39:12 +00:00
			`\subsubsection{Configure SNTP}`

			`\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.`

			`\begin{cisco}`
			`ntp authenticate ! enable NTP authentication`
			`ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key`
			`ntp trusted-key [key-id] ! mark a NTP authentication key as trusted`
			`ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer`
			`ntp server [server_address] key [key-id] ! form a authenticated session with a server`
			`\end{cisco}`

			`\subsection{Versions}`

			`Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is`
			`\begin{itemize}`
			`\item support for \gls{ipv6}.`
			`\item The security in the protocol is upped to with support for X509 certs.`
			`\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.`
updated ntp.tex 2017-06-05 00:00:13 +00:00			`\item \cliline{ntp-server ipv6-addr version 4}`
updated ntp.tex 2017-06-04 00:39:12 +00:00			`\end{itemize}`