[ntp:questions] Re: a few questions about broadcast
Steve Kostecke
kostecke at ntp.isc.org
Wed Nov 2 14:04:07 UTC 2005
On 2005-11-02, vrkid0 at gmail.com <vrkid0 at gmail.com> wrote:
> Somehow you are always a step ahead of me ;-) Adding restrictions is
> my next step (I finally added authentication the other day). With my
> current setup of 2 broadcast servers (that peer with each other) and the
> rest of the subnet being broadcast clients, what set of restrictions is
> recommended (assuming the highest level of paranoia ;-))?
'restrict default ignore' is the most paranoid default; it tells ntpd to
ignore all NTP packets from any source. Along with this default you need
to add exceptions for all authorized clients and remote time servers.
Please see http://ntp.isc.org/Support/AccessRestrictions for information
about setting up your restrictions.
Keep in mind that the meaning of 'notrust' changed at ntpd version 4.2.
> Please take a look at the authentication I've setup (below) and let me
> know what you think:
>
> "server1" sends broadcasts with "key1".
> "server2" sends broadcasts with "key2".
> both servers peer with each other using "key3".
Why symmetric keys instead of Autokey?
> This means that
>
> "server1" trusts "key1" and "key3".
Server1 sends NTP (broadcast) packets authenticated with key1 and
trusts NTP packets authenticated with key3.
> "server2" trusts "key2" and "key3"
Server2 sends NTP (broadcast) packets authenticated with key2 and
trusts NTP packets authenticated with key3.
> broadcast clients trust "key2" and "key3"
The broadcast clients trust NTP packets authenticated with either key1
or key2.
--
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
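As an added illustration (not part of the original thread), here are ntp.conf fragments for the layout discussed above: 'restrict default ignore' plus explicit exceptions, and per-host trusted keys. The addresses are constructed assumptions (server1 192.168.1.1, server2 192.168.1.2, client subnet 192.168.1.0/24, broadcast 192.168.1.255); the key numbers follow the quoted description and the key file path is assumed.

```conf
# ---------- server1 (assumed 192.168.1.1) ----------
# Default: drop every NTP packet; everything allowed is listed explicitly below.
restrict default ignore
# Local ntpq/ntpdc access.
restrict 127.0.0.1
# server2 is the symmetric peer: time exchange only, no runtime reconfiguration.
# 'notrust' (its 4.2+ meaning) additionally rejects packets that are not authenticated.
restrict 192.168.1.2 nomodify notrap notrust
# Broadcast clients send an initial client/server volley to measure delay,
# so the client subnet must be allowed to talk to the server.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
keys /etc/ntp.keys          # assumed path to the symmetric key file
trustedkey 1 3              # key1: our broadcasts, key3: the peer link
broadcast 192.168.1.255 key 1
peer 192.168.1.2 key 3

# ---------- server2 (assumed 192.168.1.2) ----------
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.1 nomodify notrap notrust
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
keys /etc/ntp.keys
trustedkey 2 3              # key2: our broadcasts, key3: the peer link
broadcast 192.168.1.255 key 2
peer 192.168.1.1 key 3

# ---------- broadcast client ----------
restrict default ignore
restrict 127.0.0.1
# restrict matches the source address of the broadcast packet, so each
# server needs its own exception or 'ignore' silently drops its broadcasts.
restrict 192.168.1.1 nomodify notrap noquery notrust
restrict 192.168.1.2 nomodify notrap noquery notrust
keys /etc/ntp.keys
trustedkey 1 2              # accept broadcasts from either server
broadcastclient
```

The `notrust` lines apply only to ntpd 4.2 and later; on older versions the keyword had a different meaning, as noted above.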