[ntp:questions] xntpd (NTPv3) "restrict" questions.

John DeDourek dedourek at unb.ca
Mon Jan 3 11:15:17 UTC 2005

Oh.  Just one more note.  You said that you were planning
to upgrade to Version 4.  So remember to take the "notrust"
out when you upgrade as per what Brad Knowles and I said
about it then requiring cryptographic authentication, unless
you are going to put the necessary cryptographic authentication
in place.  Note that this would prevent someone from
messing with your server by impersonating (spoofing) packetes
from one of the legitimate servers.

John DeDourek wrote:

> Just a warning.  Pete Stephenson specifically asked about
> ntp Version 3.0.  Most of what Brad Knowles wrote, I
> believe, may be specific to version 4!
> The comment that restrict requires IP addresses applies
> to both versions.
> At some point, the definition for "restrict notrust" was
> modified.  Originally this was required to prevent peering.
> Later, peering was limited to servers specifically
> listed in "peer" lines and "notrust" became redundant.
> Then later, notrust was reinstated, but with a new meaning,
> as described by Knowles, to require cryptographic authentication.
> I am doing this from memory.  But I believe that I was
> successful in version 3 of ntp with something like:
> restrict default notrust nomodify notrap
> server a.b.c.d  # server a.b.c.d is
> server e.f.g.h  # server e.f.g.h is
> restrict nomodify notrap
> restrict nomodify notrap
> restrict  # was my own private workstation
>                     # so I allowed ntpq and ntpdc to
>                     # do anything from the local machine
>                     # not advisable if you allow other
>                     # users on the system, unless you
>                     # have done all the necessary stuff
>                     # with the keys file
> I believe that this allows a.b.c.d and e.f.g.h to supply
> time.  Anyone in the world to get time and query the
> server.  Noone else (except the local machine itself, see
> comment) to either supply time or to modify the configuration.
> WARNING:  I am not an expert, so please confirm the above
> before using.
> NOTE:  You didn't say anything about a firewall.  Using
> Linux with IPCHAINS when I was using ntp version 3, I also
> had specific rules set in the firewall to control access
> to the ntp server.  Specifically, I limited packets to
> the ntp port (UDP 123) only from the local networks that
> I wanted to access the time server, and any of the servers
> that were listed that were not on these networks.  So,
> the "whole world" stuff above was additionally restricted
> by the firewall.
> Pete Stephenson wrote:
>> In article <mailman.3.1104686175.588.questions at lists.ntp.isc.org>,
>>  Brad Knowles <brad at stop.mail-abuse.org> wrote:
>>>     Your server will automatically be protected from people trying to 
>>> modify the time on it unless you "peer" with them.  They may try to 
>>> update your concept of time, but your server will ignore those 
>>> packets unless it is explicitly told to look for them.
>> Ah, excellent. That's precisely what I wanted to hear.
>> Thanks for the information.

More information about the questions mailing list