[ntp:questions] NTP access restrictions IPv6

Philippe Maechler pmaechler-ml at glattnet.ch
Thu Feb 28 10:48:36 UTC 2019


Hello List

I'm setting up a few pairs of new NTP servers for our network. The setup is
like this:

             +---------+    +---------+
    +--------| s1-ntp1 |    | s1-ntp2 |--------+
    |        +---------+    +---------+        |
    |             |              |             |
    |             |              |             |
+--------+    +--------+    +--------+    +--------+
| ntp1-1 |    | ntp1-2 |    | ntp2-1 |    | ntp2-2 |
+--------+    +--------+    +--------+    +--------+

The S1 servers are talking to 4-10 public NTP servers on the net. Our and
our customers' gear should use the ntpN-N servers.

IPv4 and IPv6 are enabled on all servers. A, AAAA and PTR records are in
place.

Unfortunately the ntpN-N servers can't sync to the S1 servers over v6 and
I'm having a hard time figuring out why.

tcpdump on S1 shows that the requests come in but are discarded/ignored.

Configuration on S1:

#
# $FreeBSD: releng/11.2/etc/ntp.conf 314531 2017-03-02 01:23:17Z ian $
#
#

# default access restrictions (ignore everything)
restrict default ignore
restrict -6 default ignore

# allow unrestricted access from localhost
restrict 127.0.0.1
restrict -6 ::1

# NTP servers geographically close to you.
server x1.x2.x3.x4 iburst maxpoll 9
server y1.y2.y3.y4 iburst maxpoll 9
.
.

# allow remote servers
restrict x1.x2.x3.x4 nomodify notrap noquery nopeer
restrict y1.y3.y3.y4 nomodify notrap noquery nopeer
.
.

# who will get time services from us
restrict 10.3.5.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
restrict 10.21.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 192.168.6.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 10.75.2.0 mask 255.255.255.0 nomodify notrap noquery nopeer
.
.

restrict -6 2001:0DB8::/32 nomodify notrap noquery nopeer
restrict 2001:0DB8::/32 nomodify notrap noquery nopeer
restrict -4 127.0.0.1

server 127.127.1.0
fudge 127.127.1.0 stratum 10

statistics loopstats
statsdir /var/log/ntp/
filegen peerstats file peers type day link enable
filegen loopstats file loops type day link enable

# MRU (Most Recently Used)
mru maxdepth 1200
mru mindepth 60
mru maxage 600

#leapfile "/etc/ntp/leap-seconds"
leapfile "/var/db/ntpd.leap-seconds.list"

The server is starting fine and the log contains nothing special.

Questions:

a. What do you think about the setup? Should S1-NTP1 and S1-NTP2 sync
   to each other or not?
b. Did I get the access part (in general) right?
c. Why can't my ntp1-1 host (2001:0DB8:21:10e3::2) get any time
   information from this host? Checked with ntpdate <ipv6 address> -> timeout
d. Where is the difference between "restrict -6 <IPv6 address>" and
   "restrict <IPv6 address>"? I guess both variants are working (historical
   reasons)

NTP Version:

S1 has: ntpd - NTP daemon program - Ver. 4.2.8p11 (will update this to
4.2.8p12 later this week)

ntpN-N already has 4.2.8p11

OS:

FreeBSD 12.0-p3


The IP addresses are obfuscated; I hope there are no fat-finger failures
because of that.

TIA for any hints pointing me in the right direction

Best regards

Philippe
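As an added example (not part of this post, and not ntpd's own code), the Python below models how the restrict lines above are matched against a client address. It assumes, as the ntpd access-control documentation describes, that the most specific matching entry applies and that a bare "restrict default" covers both address families; it reports which flags a client such as 2001:0DB8:21:10e3::2 ends up with and whether any of those flags actually refuse time service.

```python
import ipaddress
# Restrict lines constructed from the post's (obfuscated) configuration.
RESTRICT_LINES = """
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict 10.3.5.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
restrict -6 2001:0DB8::/32 nomodify notrap noquery nopeer
restrict 2001:0DB8::/32 nomodify notrap noquery nopeer
"""

def parse_restrict(text):
    """(network, flags) pairs for the forms on the page: -4/-6 switch,
    'default', bare host, 'addr mask m.m.m.m' and 'addr/prefix'."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok, family = tok[1:], None
        if tok[0] in ("-4", "-6"):
            family, tok = int(tok[0][1]), tok[1:]
        addr, tok = tok[0], tok[1:]
        if addr == "default":  # assumed: a bare 'default' covers both families
            nets = [ipaddress.ip_network(d) for v, d in
                    ((4, "0.0.0.0/0"), (6, "::/0")) if family in (None, v)]
        elif tok[:1] == ["mask"]:  # dotted netmask form
            nets = [ipaddress.ip_network(f"{addr}/{tok[1]}", strict=False)]
            tok = tok[2:]
        else:  # bare host or addr/prefix
            nets = [ipaddress.ip_network(addr, strict=False)]
        entries.extend((n, frozenset(tok)) for n in nets)
    return entries

def effective_flags(text, client):
    """Flags applied to `client`; the most specific (longest-prefix) matching
    entry wins, which is how ntpd's sorted access list is documented."""
    ip = ipaddress.ip_address(client)
    hits = [(n, f) for n, f in parse_restrict(text)
            if n.version == ip.version and ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def time_service_allowed(text, client):
    """Only 'ignore' and 'noserve' refuse time requests; nomodify, notrap,
    noquery and nopeer limit control/trap/peering, not client time service."""
    flags = effective_flags(text, client)
    return flags is not None and not ({"ignore", "noserve"} & flags)
```

Running effective_flags(RESTRICT_LINES, "2001:0DB8:21:10e3::2") shows the /32 entry applying with no time-blocking flag, so if the real (unobfuscated) client address falls outside the /32 actually configured, the default "ignore" is what silently drops the packets seen in tcpdump.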
