Ntp and authentication, Ntp and authentication -4 – Alcatel Carrier Internetworking Solutions Omni Switch/Router User Manual


Page 12-4

When planning your network, it is helpful to use the following general rules:

• It is usually not a good idea to synchronize a local time server with a peer (in other words, a server at the same stratum), unless the latter is receiving time updates from a source that has a lower stratum than the one from which the former is receiving time updates. This minimizes common points of failure.

• Peer associations should only be configured between servers at the same stratum level. Higher strata should configure lower strata, not the reverse.

• It is inadvisable to configure the time servers in a domain to a single time source. Doing so invites common points of failure.

NTP and Authentication

NTP is designed to use either DES or MD5 encryption authentication to prevent outside influence upon NTP timestamp information. This is done by using a key file. The key file is loaded into the switch memory, and consists of a text file that lists key identifiers that correspond to particular NTP entities.

If authentication is enabled on an NTP switch, any NTP message sent to the switch must contain the correct key ID in the message packet to use in decryption. Likewise, any message sent from the authentication-enabled switch will not be readable unless the receiving NTP entity possesses the correct key ID.

Key files are created by a system administrator independent of the NTP protocol, and then placed in the switch memory. An example of a key file is shown below:

    1   N   29233e0461ecd6ae    # des key in NTP format
    2   M   RIrop8KPPvQvYotM    # md5 key as an ASCII random string
    14  M   sundial             # md5 key as an ASCII string
    15  A   sundial             # des key as an ASCII string

In a key file, the first token is the key number (ID), the second is the key format, and the third is the key itself. (The text following a “#” is not counted as part of the key, and is used merely for description.) There are 4 key formats:

• N — Indicates a DES key written as a hex number, in NTP standard format with the high order bit of each octet being the odd parity bit.

• M — Indicates an MD5 key written as a 1 to 31 character ASCII string, with each character standing for a key octet.

• A — Indicates a DES key written as a 1 to 8 character string in 7-bit ASCII format, where each character stands for a key octet.

• S — Indicates a DES key written as a hex number in the DES standard format, with the low order bit of each octet being the odd parity bit.
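The key-file layout and the four format rules above are enough to write a validating parser. The following is an added example, not code from the manual or the switch software; the sample key file is constructed from the manual's illustrative entries, and the parity checks apply the rule that every octet of an N or S key must have odd parity (the parity bit sits in the high-order bit for N and the low-order bit for S).

```python
import re

# Constructed sample key file in the layout the manual describes:
# key ID, format letter, key, optional "#" comment (illustrative values, not real keys).
SAMPLE_KEYFILE = """\
1  N 29233e0461ecd6ae  # des key in NTP format
2  M RIrop8KPPvQvYotM  # md5 key as an ASCII random string
14 M sundial           # md5 key as an ASCII string
15 A sundial           # des key as an ASCII string
"""

def _odd_parity(octet: int) -> bool:
    """True when the octet has an odd number of 1 bits, i.e. its parity bit is correct."""
    return bin(octet).count("1") % 2 == 1

def check_key(fmt: str, key: str) -> bytes:
    """Validate one key against its format letter and return the raw key octets.
    N and S are 64-bit hex DES keys that differ only in which bit carries parity;
    either way each octet must have odd parity. Raises ValueError on a bad key."""
    if fmt in ("N", "S"):
        if not re.fullmatch(r"[0-9a-fA-F]{16}", key):
            raise ValueError(f"{fmt}: DES key must be 16 hex digits (64 bits)")
        octets = bytes.fromhex(key)
        bad = [i for i, o in enumerate(octets) if not _odd_parity(o)]
        if bad:
            raise ValueError(f"{fmt}: octet(s) {bad} fail odd parity")
        return octets
    if fmt == "M":
        if not (1 <= len(key) <= 31 and key.isascii()):
            raise ValueError("M: MD5 key must be 1 to 31 ASCII characters")
        return key.encode("ascii")
    if fmt == "A":
        if not (1 <= len(key) <= 8 and key.isascii()):
            raise ValueError("A: DES key must be 1 to 8 7-bit ASCII characters")
        return key.encode("ascii")
    raise ValueError(f"unknown key format {fmt!r}")

def parse_keyfile(text: str) -> dict:
    """Parse a key file into {key_id: (format, key_octets)}; text after '#' is a comment."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop the descriptive comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'ID FORMAT KEY', got {raw!r}")
        key_id, fmt, key = int(parts[0]), parts[1], parts[2]
        if key_id in keys:
            raise ValueError(f"line {lineno}: duplicate key ID {key_id}")
        keys[key_id] = (fmt, check_key(fmt, key))
    return keys
```

Running `parse_keyfile(SAMPLE_KEYFILE)` accepts all four sample entries; a DES octet such as 0x28 (two 1 bits) or an MD5 key longer than 31 characters is rejected before it can reach the switch.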

For information on activating authentication, specifying the location of a key file, and configuring key IDs for switches, see the following sections:

• Configuring an NTP Client on page 12-6

• Configuring a New Peer Association on page 12-12

• Configuring a New Server on page 12-13

• Configuring a Broadcast Time Service on page 12-13
