[ntp:questions] Re: Crypto iffpar

Steve Kostecke kostecke at ntp.isc.org
Thu Dec 8 18:51:39 UTC 2005


On 2005-12-07, Serge Bets <serge.bets at NOSPAM.laposte.invalid> wrote:

>  On Wednesday, December 7, 2005 at 14:53:41 +0000, Steve Kostecke wrote:
>
>> I see messages like this in my cryptostats file:
>>
>> 53711 46391.640 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
>> 53711 46391.686 192.168.19.4 iff fs 3315100165
>
> Good. IIUC this is a sure proof that IFF key was loaded and used. Was
> IFFkey or something else also loaded at startup, between host key and
> cert? What are flags of this association, and default flags?

Test Server: ntp0
Test Client: stasis

With the following files in the client's /etc/ntp:

ntpkey_iff_ntp0.kostecke.net -> ntpkey_IFFkey_ntp0.kostecke.net.3315100165
ntpkey_cert_stasis -> ntpkey_RSA-MD5cert_stasis.3342803910
ntpkey_host_stasis -> ntpkey_RSAkey_stasis.3342803910

And autokey specified on the server line in the client's ntp.conf:

server 192.168.19.4 iburst autokey

ntpq on the client shows:

$ ntpq -pcas
     remote       refid   st t when poll reach   delay   offset  jitter
=======================================================================
*ntp0.kostecke.n .CHU1.    1 u   63   64  177    0.846   -1.117   0.384

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 11468  f614   yes   yes   ok   sys.peer   reachable  1

$ ntpq -c"rv 11468 flags" | tail -n1
flags=0x83f21

And cryptostats on the client shows (the default flags are in this
extract):

53712 65898.541 192.168.19.4 newpeer 11468
53712 65898.557 ntpkey_RSAkey_stasis.3342803910 mod 512
53712 65898.557 ntpkey_IFFpar_stasis.3342803910 mod 384
53712 65898.559 ntpkey_RSA-MD5cert_stasis.3342803910 0x2 len 333
53712 65899.447 refresh ts 0
53712 65899.449 192.168.19.4 flags 0x80021 host ntp0.kostecke.net \
	signature md5WithRSAEncryption
53712 65901.450 192.168.19.4 cert ntp0.kostecke.net 0x3 \
	md5WithRSAEncryption (8) fs 3315100165
53712 65903.447 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53712 65903.491 192.168.19.4 iff fs 3315100165
53712 65905.477 192.168.19.4 cook b7b21c32 ts 3343054705 fs 3343009811
53712 65908.461 update ts 3343054708
53712 65909.510 update ts 3343054709
53712 65909.510 192.168.19.4 sign ntp0.kostecke.net 0x3 \
	md5WithRSAEncryption (8) fs 3342803910

If I remove the symlink, I don't see the IFF key lines in cryptostats.
ntpq on the client shows:

$ ntpq -p
     remote       refid   st t when poll reach   delay   offset  jitter
=======================================================================
 ntp0.kostecke.n .CRYP.   16 u    -   64    0    0.000    0.000 4000.00

$ ntpq -cas

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1  4828  e000   yes   yes   ok     reject

$ ntpq -c"rv 4828 flags" | tail -n1
No information returned for association 4828

Replacing the ntpkey_iff_server symlink with an ntpkey_iff_client
symlink does allow the Autokey/IFF authentication to occur. So does
using both symlinks at the same time.

In one sense you're correct: it is _possible_ to use an
ntpkey_iff_client symlink. But it is not _necessary_ to do so.

One of the features of NTP Authentication is that any ntpd may belong to
more than one Trust Group. Using an ntpkey_iff_client symlink (or file)
breaks this feature.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
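Added example, not part of the thread or of the ntp distribution: a small Python checker that walks cryptostats records like the ones quoted above, converts the MJD/seconds prefix to a UTC time, notes which IFF key files ntpd read ("... mod N" lines) and records, per peer, whether the "iff fs <filestamp>" identity exchange appeared. The sample lines are a constructed subset of the message's own extract; the function and field names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: cryptostats lines quoted above, continued records joined onto one line.
SAMPLE = """\
53712 65898.541 192.168.19.4 newpeer 11468
53712 65898.557 ntpkey_RSAkey_stasis.3342803910 mod 512
53712 65898.557 ntpkey_IFFpar_stasis.3342803910 mod 384
53712 65903.447 ntpkey_IFFkey_ntp0.kostecke.net.3315100165 mod 384
53712 65903.491 192.168.19.4 iff fs 3315100165
53712 65909.510 192.168.19.4 sign ntp0.kostecke.net 0x3 md5WithRSAEncryption (8) fs 3342803910
"""

MJD_EPOCH = datetime(1858, 11, 17, tzinfo=timezone.utc)  # MJD 0
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_line(line):
    """Split one cryptostats record into (UTC datetime, peer address or None, message words)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mjd, secs, rest = int(m.group(1)), float(m.group(2)), m.group(3)
    when = MJD_EPOCH + timedelta(days=mjd, seconds=secs)
    words = rest.split()
    peer = words.pop(0) if words and IPV4_RE.match(words[0]) else None
    return when, peer, words

def iff_audit(text):
    """Report which IFF key files ntpd loaded and, per peer, whether the IFF exchange ran."""
    report = {"loaded": [], "peers": {}}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, peer, words = rec
        # "ntpkey_IFF... mod N": a key file was read (IFFpar on the client, IFFkey from the server).
        if peer is None and len(words) == 3 and words[1] == "mod" and "IFF" in words[0]:
            report["loaded"].append(words[0])
        elif peer is not None:
            p = report["peers"].setdefault(peer, {"iff_fs": None, "iff_at": None})
            # "<peer> iff fs <filestamp>": the identity exchange with the server's IFF group key.
            if words[:2] == ["iff", "fs"]:
                p["iff_fs"] = int(words[2])
                p["iff_at"] = when.isoformat()
    return report

if __name__ == "__main__":
    print(iff_audit(SAMPLE))
```

A peer that stays in the "reject" state as in the second ntpq listing above produces an entry with iff_fs still None, which is the condition worth alerting on.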



