[ntp:questions] Re: NTS multicast response on IPv6
kostecke at ntp.isc.org
Wed Jan 18 19:57:40 UTC 2006
On 2006-01-18, Danny Mayer <mayer at ntp.isc.org> wrote:
> Mauricio Schramm wrote:
>> I'm trying to set up an NTP server that answers multicast requests
>> from IPv6 clients without any success.
> Please understand that is not how multicast works. The clients are
> passive and only receive multicast packets from the server (modulo the
> authentication key dance).
The "dance" occurs during a temporary unicast association with the
server. Once the authentication is set up the client starts listening on
the multicast address.
Information about setting up NTP Authentication is available at
>> I just don't know if the problem is with the client or with the
>> server and I don't have a reliable test tool to make sure if any of
>> them is correctly set. Has someone already tried this with success?
>> I tried it with up to date Red Hat Linux and FreeBSD and OpenBSD
>> servers and it never worked. Does someone know if I can use tools
>> like ntpq to do my tests?
You can use ntpq to monitor the progress of the association between a
client and a server. On the client, run 'watch ntpq -p' immediately
after starting ntpd. Within 64 seconds after starting the client ntpd
you should see a unicast association with the server. 64 seconds after
that you should see the association change from unicast to multicast
(see the 't' column):
     remote           refid      st t when poll reach   delay   offset  jitter
+ntp0.kostecke.n .GPS.            1 m   45   64    2    0.917   -2.583   0.753
ntpq -cas will show you if crypto is working (look for the 'ok' in the
ind assID status  conf reach auth condition  last_event cnt
  1 45799  7414    no   yes   ok  candidat   reachable    1
ntpq -c"rv 0 cert" will show you what certificates are held by ntpd:
assID=0 status=06a4 leap_none, sync_ntp, 10 events, event_peer/strat_chg,
cert="ntp0.kostecke.net ntp0.kostecke.net 0x3 3315100165",
cert="stasis imp.kostecke.net 0x3 3343787146",
cert="imp.kostecke.net ntp0.kostecke.net 0x3 3344713570",
cert="stasis stasis 0x3 3343787146"
To see the authentication details (e.g. which Identity Scheme is in use)
you need to look at the flags for that association:
$ ntpq -c"rv 45799 flags"
assID=45799 status=7614 reach, auth, sel_sys.peer, 1 event, event_reach,
In this case:
#define CRYPTO_FLAG_ENAB 0x0001 /* crypto enable */
#define CRYPTO_FLAG_IFF 0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY 0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV 0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
The flags are documented in ./include/ntp_crypto.h
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
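
Added example, not part of the original message or of the NTP project's code: a small Python parser for the ntpq output shown above that reports each association's 't' and 'auth' columns and decodes a flags word using the six bits quoted from ntp_crypto.h. The sample rows are copied from the post with column spacing restored; the flags value, the function names and the set of required bits are assumptions of this example.

```python
# Bits exactly as quoted in the post from ./include/ntp_crypto.h.
CRYPTO_FLAGS = {
    0x0001: "ENAB",   # crypto enable
    0x0020: "IFF",    # IFF identity scheme
    0x0100: "VALID",  # public key verified
    0x0200: "VRFY",   # identity verified
    0x0400: "PROV",   # signature verified
    0x0800: "AGREE",  # cookie verified
}
# Constructed samples: rows copied from the post, column spacing restored.
PEERS = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "+ntp0.kostecke.n .GPS.            1 m   45   64    2    0.917   -2.583   0.753\n"
)
ASSOC = (
    "ind assID status  conf reach auth condition  last_event cnt\n"
    "  1 45799  7414    no   yes   ok  candidat   reachable    1\n"
)
SAMPLE_FLAGS = 0x0F21  # constructed: OR of the six bits above, not a value from the post

def parse_peers(text):
    """Map remote -> 't' column ('u' unicast, 'm' multicast) from 'ntpq -p'."""
    peers = {}
    for line in text.splitlines():
        fields = line[1:].split()  # column 0 holds the tally code
        if len(fields) == 10 and "refid" not in fields:
            peers[fields[0]] = fields[3]
    return peers

def parse_auth(text):
    """Map assID -> 'auth' column from 'ntpq -c as'."""
    auth = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].isdigit():
            auth[int(fields[1])] = fields[5]
    return auth

def decode_flags(value):
    """Return (names of listed bits set, bits this table does not cover)."""
    names = [name for bit, name in CRYPTO_FLAGS.items() if value & bit]
    return names, value & ~sum(CRYPTO_FLAGS)

def missing_steps(value, required=("ENAB", "VALID", "VRFY", "PROV", "AGREE")):
    """List required stages not yet reached (the required set is this example's choice)."""
    return [name for name in required if name not in decode_flags(value)[0]]

if __name__ == "__main__":
    print(parse_peers(PEERS), parse_auth(ASSOC))
    print(decode_flags(SAMPLE_FLAGS), missing_steps(0x0121))
```

Bits outside the six listed in the post are returned undecoded in the second element of decode_flags, so a real flags word with additional bits set is reported rather than silently dropped.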