[ntp:questions] Re: a few questions about broadcast

Steve Kostecke kostecke at ntp.isc.org
Wed Nov 2 14:04:07 UTC 2005

On 2005-11-02, vrkid0 at gmail.com <vrkid0 at gmail.com> wrote:

> Some how you are always a step ahead of me ;-) Adding restrictions is
> my next step (I finally added authentication the other day). With my
> current setup of: 2 broadcast servers (that peer each other) and the
> rest of the subnet being broadcast clients. What set of restrictions is
> recommended (assuming highest level of paranoia ;-))

'restrict default ignore' is the most paranoid default; it tells ntpd to
ignore all NTP packets from any source. Along with this default you need
to add exceptions for all authorized clients and remote time servers.

Please see http://ntp.isc.org/Support/AccessRestrictions for information
about setting up your restrictions.

Keep in mind that the meaning of 'notrust' changed at ntpd version 4.2

> Please take a look at the authentication I've setup (below) and let me
> know what you think:
> "server1" sends broadcasts with "key1".
> "server2" sends broadcasts with "key2".
> both servers peers with each other using "key3".

Why symmetric keys instead of Autokey?

> This means that
> "server1" trusts "key1" and "key3".

Server1 sends NTP (broadcast) packets authenticated with key 1 and
trusts NTP packets authenticated with key3.

> "server2" trusts "key2" and "key3"

Server2 sends NTP (broadcast) packets authenticated with key 2 and
trusts NTP packets authenticated with key3.

> broadcast clients trust "key2" and "key3"

The broadcast clients trust NTP packets authenticated with either key1
or key 2.

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

More information about the questions mailing list