From 6492ca281511701c6896996c9326bf2a01db4d62 Mon Sep 17 00:00:00 2001
From: chhan11
Date: Fri, 9 Jun 2017 22:02:43 +0200
Subject: [PATCH] NTP: Replaced Secure with Simple. No new content yet
---
 acronyms.tex | 5 ++--
 chapter/ntp.tex | 66 +++++++++++++++++++++++++------------------------
 2 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/acronyms.tex b/acronyms.tex
index f44a522..d026296 100644
--- a/acronyms.tex
+++ b/acronyms.tex
@@ -49,6 +49,7 @@
 \newacronym{mac}{MAC}{Media Access Control address}
 \newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
 \newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time}
+\newacronym{mhsrp}{MHSRP}{Multigroup Hot-Standby Routing Protocol}
 \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
 \newacronym{mst}{MST}{Multiple Spanning Tree}
 \newacronym{nms}{NMS}{Network Management Software}
@@ -70,8 +71,8 @@
 \newacronym{rpr+}{RPR+}{Route Processor Redundancy Plus}
 \newacronym{rspan}{RSPAN}{Remote Switch Port Analyzer}
 \newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
-\newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree}
-\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus}
+\newacronym{rpvst}{RPVST}{Per Vlan Rapid Spanning Tree}
+\newacronym{rpvst+}{RPVST+}{Per Vlan Rapid Spanning Tree Plus}
 \newacronym{sdm}{SDM}{Security Device Manager}
 \newacronym{sdsl}{SDSL}{Symmetric Digital Subscriber Line}
 \newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
diff --git a/chapter/ntp.tex b/chapter/ntp.tex
index 57db099..a941e79 100644
--- a/chapter/ntp.tex
+++ b/chapter/ntp.tex
@@ -1,4 +1,4 @@
-\chapter{NTP}
+\chapter[NTP]{Network Time Protocol}
 \gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.
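Review bot: The new expansion `Per Vlan Rapid Spanning Tree` no longer matches the letter order of the acronym `RPVST` it defines (R-P-V-S-T reads Rapid, Per, Vlan, Spanning, Tree), and the same mismatch applies to the `rpvst+` entry right below it. If the intent is Cisco's term, the original "Rapid Per-VLAN Spanning Tree" order was the right one; if the vendor-neutral "Per-VLAN Rapid Spanning Tree" wording is wanted, the keys and short forms should become `PVRST`/`PVRST+` so the glossary stays self-consistent.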
@@ -65,35 +65,37 @@ A select number of Cisco switches support synchronization with the hardware cloc
 \textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.
-\section{Secure NTP}
+\section[SNTP]{Simple Network Time Protocol}
-\subsection{Characteristics}
-
-\begin{itemize}
- \item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
- \item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
-\end{itemize}
-
-\subsubsection{Configure SNTP}
-
-\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
-
-\begin{cisco}
-ntp authenticate ! enable NTP authentication
-ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
-ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
-ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
-ntp server [server_address] key [key-id] ! form a authenticated session with a server
-\end{cisco}
-
-\subsection{Versions}
-
-Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
-\begin{itemize}
- \item support for \gls{ipv6}.
- \item The security in the protocol is upped to with support for X509 certs.
- \item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
- \item \cliline{ntp-server ipv6-addr version 4}
-\end{itemize}
-
-\textbf{Beware} when using \gls{sntp} that \gls{ntp} cannot be used. The same \gls{udp} port is used.
+%\section{Secure NTP}
+%
+%\subsection{Characteristics}
+%
+%\begin{itemize}
+% \item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
+% \item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
+%\end{itemize}
+%
+%\subsubsection{Configure SNTP}
+%
+%\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
+%
+%\begin{cisco}
+%ntp authenticate ! enable NTP authentication
+%ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
+%ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
+%ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
+%ntp server [server_address] key [key-id] ! form a authenticated session with a server
+%\end{cisco}
+%
+%\subsection{Versions}
+%
+%Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
+%\begin{itemize}
+% \item support for \gls{ipv6}.
+% \item The security in the protocol is upped to with support for X509 certs.
+% \item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
+% \item \cliline{ntp-server ipv6-addr version 4}
+%\end{itemize}
+%
+%\textbf{Beware} when using \gls{sntp} that \gls{ntp} cannot be used. The same \gls{udp} port is used.
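Review bot: The chapter's only guidance on authenticating NTP (`ntp authenticate`, `ntp authentication-key … md5 …`, `ntp trusted-key`, keyed `ntp peer`/`ntp server`) is parked in the `+%` block under the new empty SNTP heading rather than kept live, so the new side has no active text on NTP authentication even though that material was mislabelled, not wrong; it belongs under the NTP chapter as `\subsection{Authentication}` with the `\gls{sntp}` references inside it changed to plain "authenticated \gls{ntp}", since `\gls{sntp}` now expands to "Simple Network Time Protocol" and would read wrong once uncommented. Before that block is revived, the retained line `% \item Cisco \gls{ios} devices typically only support MD5 encryption` needs rewording to `MD5 keyed-hash authentication`: the `md5` keyword gives a message authentication check for integrity and origin, the time packets themselves stay cleartext. In the same template the `[hash]` placeholder is the operator-chosen shared key string, not a hash value, so `[key-string]` would avoid operators pasting a digest there. The "Beware" sentence about SNTP and NTP sharing the same UDP port is the one part that genuinely concerns SNTP and could stay in this section.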