[ntp:questions] NTP access restrictions IPv6

Dan Geist dan at polter.net
Thu Feb 28 14:02:24 UTC 2019


Hi Philippe. First off, the following pages are very useful for understanding security controls in detail:
https://support.ntp.org/bin/view/Support/AccessRestrictions
https://www.eecis.udel.edu/~mills/ntp/html/accopt.html

I'll try to answer the questions:
a) Generally, it looks pretty good. You may want to refine which groups of devices have which access rights and reorganize things a bit. If you have 2 or more hosts that are on equal footing, then yes, making them "peers" can be helpful when one that is normally authoritative becomes impaired. I host multiple sites of pairs of servers and each pair is set up as "peers" of each other.

b) Some of your controls may be too restrictive for trusted hosts to work correctly. Read on...

c) It could be a few things. Add a restrict line with no arguments for the host while troubleshooting, then add them back slowly as you work. Check the mask format first, though. v6 masks on ntpd are odd. For example, mine:
# Clients within my IPv6 ARIN Allocations
# 2001:579::/30
restrict 2001:579:: mask ffff:fffc:: nomodify notrap nopeer noquery

d) The stack switch is required for the default statement, but not for the "by IP" ones. It's obviously safer to explicitly call out -4 or -6 but I chose not to for simplicity of reading and cleaner integration with some automation tools.


Keep in mind the following. I may be misunderstanding your setup, but it looks like you may not be permitting your managed (and trusted) ntp servers adequate communication to each other:
ignore:
  Deny packets of all kinds, including ntpq and ntpdc queries.

nomodify:
  Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.

noquery:
  Deny ntpq and ntpdc queries. Time service is not affected.

nopeer:
  Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes pool associations, so if you want to use servers from a pool directive and also want to use nopeer by default, you'll want a "restrict source ..." line as well that does not include the nopeer directive. Note that this flag does not apply to packets that do not attempt to mobilize an association.

notrap:
  Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.


Dan
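
As an added example (not code from this reply, from Philippe's post, or from ntpd itself), here is a small Python helper for the two points above: it renders the explicit `mask` form for an IPv6 or IPv4 prefix, and it evaluates which restrict entry, and therefore which flags, a given client address falls under. The matching rule it applies (most specific matching entry wins, `default` is the fallback) is an assumption approximating ntpd's restrict list, and the configuration lines and client addresses in the test are constructed from the thread.

```python
import ipaddress

RESTRICT_FLAGS = {"ignore", "nomodify", "noquery", "nopeer", "notrap"}  # flags listed above

def mask_to_prefixlen(mask):
    """Convert an ntpd-style mask (255.255.255.0 or ffff:fffc::) to a prefix length."""
    m = ipaddress.ip_address(mask)
    host_bits = (~int(m)) & ((1 << m.max_prefixlen) - 1)
    if host_bits & (host_bits + 1):  # mask must be contiguous: 1...10...0
        raise ValueError("non-contiguous mask %s" % mask)
    return m.max_prefixlen - host_bits.bit_length()

def ntp_restrict_line(cidr, flags=("nomodify", "notrap", "noquery", "nopeer")):
    """Render 'restrict -4|-6 <network> mask <mask> <flags>' for a prefix.
    ntpd writes IPv6 masks as full addresses (ffff:fffc:: for a /30); host bits are cleared."""
    if set(flags) - RESTRICT_FLAGS:
        raise ValueError("unknown restrict flag(s): %s" % sorted(set(flags) - RESTRICT_FLAGS))
    net = ipaddress.ip_network(cidr, strict=False)
    return "restrict -%d %s mask %s %s" % (net.version, net.network_address,
                                           net.netmask, " ".join(flags))

def effective_flags(restrict_lines, client_ip):
    """Flags a packet from client_ip gets under these restrict lines.
    Assumed rule (approximating ntpd): most specific match wins, 'default' is the fallback."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for line in restrict_lines:
        words = line.split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        if words[0] in ("-4", "-6"):  # stack switch limits the entry to one family
            if int(words.pop(0)[1]) != addr.version:
                continue
        target = words.pop(0)
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0" if addr.version == 4 else "::/0")
        elif target == "source":  # per-association entry, not address based
            continue
        else:
            if words[:1] == ["mask"]:
                target = "%s/%d" % (target, mask_to_prefixlen(words[1]))
                del words[:2]
            net = ipaddress.ip_network(target, strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, set(words))
    return best[1] if best else set()
```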



----- On Feb 28, 2019, at 5:48 AM, Philippe Maechler pmaechler-ml at glattnet.ch wrote:

> 
> 
> The S1-Servers are talking to 4-10 public NTP Servers in the net. Our and
> our customers' gear should use the ntpN-N Servers
> 
> IPv4 and IPv6 are enabled on all servers. A, AAAA and PTR Records are in
> place
> 
> 
> 
> Unfortunately the ntpn-n Servers can't sync to the s1 servers over v6 and
> I'm having a hard time figuring out why.
> 
> tcpdump on s1 shows that the requests come in but are discarded/ignored.
> 
> Configuration on S1:
> 
> # default access restrictions (ignore everything)
> 
> restrict default ignore
> 
> restrict -6 default ignore
> 
> 
> # allow unrestricted access from localhost
> 
> restrict 127.0.0.1
> 
> restrict -6 ::1 
> 
> # NTP servers geographically close to you.
> 
> server x1.x2.x3.x4 iburst maxpoll 9
> 
> server y1.y2.y3.y4 iburst maxpoll 9
>  
>
> # allow remote servers
> 
> restrict x1.x2.x3.x4 nomodify notrap noquery nopeer
> 
> restrict y1.y3.y3.y4 nomodify notrap noquery nopeer
>  
> 
> # who will gets timeservices from us
> 
> restrict 10.3.5.0 mask 255.255.255.0 nomodify notrap noquery nopeer
> 
> restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
> 
> restrict -6 2001:0DB8::/32 nomodify notrap noquery nopeer
> 
> restrict 2001:0DB8::/32 nomodify notrap noquery nopeer
>  
> restrict -4 127.0.0.1
> 
> The server is starting fine and the log contains nothing special.
> 
> 
> 
> Questions:
> 
> a. What do you think about the setup? Should S1-NTP1 and S1-NTP2 sync
> to each other or not?
> b. Did I get the access part (in general) right?
> c. Why can't my ntp1-1 host (2001:0DB8:21:10e3::2) get any time
> information from this host? Checked with ntpdate <ipv6 address> -> timeout
> d. What is the difference between "restrict -6 <IPv6 address>" and
> "restrict <IPv6 address>"? I guess both variants work (historical
> reasons)
> 
> NTP Version:
> 
> S1 has: ntpd - NTP daemon program - Ver. 4.2.8p11 (will update this to
> 4.2.8p12 later this week)
> 
> ntpN-N already has 4.2.8p11
> 
> 
> 
> OS:
> 
> FreeBSD 12.0-p3
> 
> 
> 
> The IP addresses are obfuscated, I hope there are no fat-finger failures
> because of that
> 
> Tia for any hints pointing me in the right direction
> 
> 
> 
> Best regards
> 
> Philippe
> 
> 
> 
