mirror of https://gitlab.com/netravnen/NetworkLabNotes.git synced 2024-12-23 20:57:53 +00:00

NTP: Replaced Secure with Simple. No new content yet

chhan11 2017-06-09 22:02:43 +02:00
parent b653998b2c
commit 6492ca2815
2 changed files with 37 additions and 34 deletions

@ -49,6 +49,7 @@
\newacronym{mac}{MAC}{Media Access Control address} \newacronym{mac}{MAC}{Media Access Control address}
\newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll} \newacronym{mkc}{MKC}{Mikkel Kr\char"00F8ll}
\newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time} \newacronym{metdst}{MET-DST}{Middle European Time Daylight Saving Time}
\newacronym{mhsrp}{MHSRP}{Multigroup Hot-Standby Routing Protocol}
\newacronym{mpls}{MPLS}{Multiprotocol Label Switching} \newacronym{mpls}{MPLS}{Multiprotocol Label Switching}
\newacronym{mst}{MST}{Multiple Spanning Tree} \newacronym{mst}{MST}{Multiple Spanning Tree}
\newacronym{nms}{NMS}{Network Management Software} \newacronym{nms}{NMS}{Network Management Software}
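Review bot: the added line `\newacronym{mhsrp}{MHSRP}{Multigroup Hot-Standby Routing Protocol}` expands HSRP as "Hot-Standby Routing Protocol", but the protocol's name (Cisco, RFC 2281) is Hot Standby Router Protocol, so the expansion should read `Multigroup Hot Standby Router Protocol` and match the wording of any existing `hsrp` entry in this glossary. The entry is also unrelated to the NTP change the commit message describes; glossary additions like this read more cleanly as their own commit.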
@ -70,8 +71,8 @@
\newacronym{rpr+}{RPR+}{Route Processor Redundancy Plus} \newacronym{rpr+}{RPR+}{Route Processor Redundancy Plus}
\newacronym{rspan}{RSPAN}{Remote Switch Port Analyzer} \newacronym{rspan}{RSPAN}{Remote Switch Port Analyzer}
\newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol} \newacronym{rstp}{RSTP}{Rapid Spanning Tree Protocol}
\newacronym{rpvst}{RPVST}{Rapid Per Vlan Spanning Tree} \newacronym{rpvst}{RPVST}{Per Vlan Rapid Spanning Tree}
\newacronym{rpvst+}{RPVST+}{Rapid Per Vlan Spanning Tree Plus} \newacronym{rpvst+}{RPVST+}{Per Vlan Rapid Spanning Tree Plus}
\newacronym{sdm}{SDM}{Security Device Manager} \newacronym{sdm}{SDM}{Security Device Manager}
\newacronym{sdsl}{SDSL}{Symmetric Digital Subscriber Line} \newacronym{sdsl}{SDSL}{Symmetric Digital Subscriber Line}
\newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol} \newacronym{sftp}{SFTP}{Secure Shell File Transfer Protocol}
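Review bot: the two `rpvst` lines reorder the expansion to "Per Vlan Rapid Spanning Tree (Plus)" although the commit message does not mention the glossary, and "Vlan" is inconsistent with the uppercase acronyms used throughout this file; write `VLAN`. Cisco documentation names the feature Rapid PVST+ (Rapid Per-VLAN Spanning Tree Plus), so a reader cross-checking the glossary against vendor docs will find the new word order surprising; either keep the previous order or note where the new wording comes from.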

@ -1,4 +1,4 @@
\chapter{NTP} \chapter[NTP]{Network Time Protocol}
\gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary. \gls{ntp} is the source of all evil and \gls{sla}. A network wide source of time configuration for all network nodes, servers, clients etc. is necessary.
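Review bot: with `\chapter[NTP]{Network Time Protocol}` the full name now appears in the heading, while the unchanged first sentence still starts with `\gls{ntp}`, whose first use will print "Network Time Protocol (NTP)" again directly under the heading. If that duplication is unwanted, put `\glsunset{ntp}` after the heading, or build the heading from `\glsentrylong{ntp}` so the glossary stays the single source of the expansion.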
@ -65,35 +65,37 @@ A select number of Cisco switches support synchronization with the hardware cloc
\textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master. \textbf{Beware} when running a cisco node as \gls{ntp} master and are using access-list to restrict possible clients/peers. You need to allow 127.127.[0-255].1 in the access-list\footnote{The 3rd octet will vary depending on the node.}. This because the master NTP node in the network uses this \gls{ipv4} address as internal master.
\section{Secure NTP} \section[SNTP]{Simple Network Time Protocol}
\subsection{Characteristics} %\section{Secure NTP}
%
\begin{itemize} %\subsection{Characteristics}
\item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along, %
\item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}} %\begin{itemize}
\end{itemize} % \item \gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along,
% \item Cisco \gls{ios} devices typically only support MD5 encryption\footnote{\url{https://en.wikipedia.org/wiki/MD5}}
\subsubsection{Configure SNTP} %\end{itemize}
%
\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website. %\subsubsection{Configure SNTP}
%
\begin{cisco} %\textbf{Team Cymru} has a nice template for how to enable \gls{sntp} on \gls{ios} and \gls{junos}\footnote{\url{https://www.team-cymru.org/secure-ntp-template.html}}. Shown below is a copy of the \gls{ios} example from Cymrus website.
ntp authenticate ! enable NTP authentication %
ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key %\begin{cisco}
ntp trusted-key [key-id] ! mark a NTP authentication key as trusted %ntp authenticate ! enable NTP authentication
ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer %ntp authentication-key [key-id] md5 [hash] ! define a NTP authentication key
ntp server [server_address] key [key-id] ! form a authenticated session with a server %ntp trusted-key [key-id] ! mark a NTP authentication key as trusted
\end{cisco} %ntp peer [peer_address] key [key-id] ! form a authenticated session with a peer
%ntp server [server_address] key [key-id] ! form a authenticated session with a server
\subsection{Versions} %\end{cisco}
%
Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is %\subsection{Versions}
\begin{itemize} %
\item support for \gls{ipv6}. %Generally today \gls{ntp}v3 or v4 is found. The difference to v4 \textit{(amongst other)} is
\item The security in the protocol is upped to with support for X509 certs. %\begin{itemize}
\item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses. % \item support for \gls{ipv6}.
\item \cliline{ntp-server ipv6-addr version 4} % \item The security in the protocol is upped to with support for X509 certs.
\end{itemize} % \item Automatic calculation of time-distribution\footnote{to archive high time accuracy against lowest bandwidth cost} in a network based upon specific multicast groups leveraging v6 site-local multicast addresses.
% \item \cliline{ntp-server ipv6-addr version 4}
\textbf{Beware} when using \gls{sntp} that \gls{ntp} cannot be used. The same \gls{udp} port is used. %\end{itemize}
%
%\textbf{Beware} when using \gls{sntp} that \gls{ntp} cannot be used. The same \gls{udp} port is used.
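Review bot: renaming the section to `\section[SNTP]{Simple Network Time Protocol}` leaves a body (now commented out) that is about NTP authentication, not about SNTP. SNTP (RFC 4330, since merged into RFC 5905) is a reduced-complexity client subset of NTP with no extra security, so the commented line "\gls{ntp} is insecure be default, whích prompted for \gls{sntp} to come along" should not be revived when the section is rewritten, and the Team Cymru template (`ntp authenticate`, `ntp authentication-key ... md5 ...`, `ntp trusted-key`) belongs in an authentication subsection of the NTP chapter proper. When that material comes back, "MD5 encryption" should read "MD5 keyed authentication": the key produces a message digest that lets a client reject packets from unauthorised sources, nothing in the packet is encrypted, and the two typos ("be default", "whích") should be fixed at the same time. The closing "Beware" about `sntp` and `ntp` not coexisting on the same IOS node is correct and worth keeping as the one line that actually concerns SNTP. Finally, 35 lines of `%`-commented content are hard to review; since git keeps the history, delete them or replace them with a single TODO line.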