netravnen/NetworkLabNotes
1
0
Fork 0
mirror of https://gitlab.com/netravnen/NetworkLabNotes.git synced 2024-11-23 19:17:54 +00:00
Code Releases Activity

updated ntp.tex

Browse source
This commit is contained in:
chhan11 2017-06-04 02:39:12 +02:00
parent d70ae76ac8
commit 0f46ec7f65
1 changed files with 54 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

57
chapter/ntp.tex
View file

@ -32,14 +32,65 @@ A select number of Cisco switches support synchronization with the hardware cloc
\fig{ntp/ntpstratum}{ntpstratum}{Stratum levels} \fig{ntp/ntpstratum}{ntpstratum}{Stratum levels}
\section{The old NTP from \tsq{85}} \section{The old NTP from \tsq{85}}
\textbf{Team Cymru} has a nice template for how to enable \gls{ntp} \textbf{with} \textit{access control} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
! Core NTP configuration
ntp update-calendar ! update hardware clock (certain hardware only, i.e. 6509s)
ntp server 192.0.2.1 ! a time server you sync with
ntp peer 192.0.2.2 ! a time server you sync with and allow to sync to you
ntp source Loopback0 ! we recommend using a loopback interface for sending NTP messages if possible
!
! NTP access control
ntp access-group query-only 1 ! deny all NTP control queries
ntp access-group serve 1 ! deny all NTP time and control queries by default
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients
!
! access control lists (ACLs)
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 192.0.2.1
access-list 10 permit 192.0.2.2
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.0.2.0 0.0.0.255
access-list 20 deny any
\end{cisco}
\section{Secure NTP} \section{Secure NTP}
\subsection{Characteristics} \subsection{Characteristics}
\begin{itemize} \begin{itemize}
\item \item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
\end{itemize} \end{itemize}
\subsubsection{Configure SNTP}
\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
\begin{cisco}
ntp authenticate ! enable NTP authentication
ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
ntp server [server_address] key [key-id] ! form a authenticated session with a server
\end{cisco}
\subsection{Versions}
Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
\begin{itemize}
\item support for \gls{ipv6}.
\item The security in the protocol is upped to with support for X509 certs.
\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
\end{itemize}