[ntp:questions] Re: NTS multicast response on IPv6

Steve Kostecke kostecke at ntp.isc.org
Wed Jan 18 19:57:40 UTC 2006

On 2006-01-18, Danny Mayer <mayer at ntp.isc.org> wrote:

> Mauricio Schramm wrote:
>> I'm trying to set up an NTP server that answers multicast requests
>> Ifrom Pv6 clients without any success.
> Please understand that is not how multicast works. The clients are
> passive and only receive multicast packets from the server (modulo the
> authentication keydance).

The "dance" occurs during a temporary unicast association with the
server. Once the authentication is set up the client start listening on
the multicast address.

Information about setting up NTP Authentication is available at

>> I just don't know if the problem is with the client or with the
>> server and I don't have a reliable test tool to make sure if any of
>> them is correctly set. Does someone already tried this with success?
>> I tried it with up to date Red Hat Linux and Free BSD and Open BSD
>> servers and it never worked. Does someone know if I can use tools
>> like ntpq to do my tests?

You can use ntpq to monitor the progress of the association between a
client ans a server. On the client, run 'watch ntpq -p' immediately
after starting ntpd. Within 64 seconds after starting the client ntpd
you should see a unicast assocation with the server. 64 seconds after
that you should see the association change from unicast to multicast
(see the 't' column):

     remote       refid      st t when poll reach   delay   offset  jitter
+ntp0.kostecke.n .GPS.        1 m   45   64    2    0.917   -2.583   0.753

ntpq -cas will show you if crypto is working (look for the 'ok' in the
auth column:

ind assID status  conf reach auth condition  last_event cnt
  1 45799  7414    no   yes   ok   candidat   reachable  1

ntpq -c"rv 0 cert" will show you what certificates are held by ntpd:

assID=0 status=06a4 leap_none, sync_ntp, 10 events, event_peer/strat_chg,
cert="ntp0.kostecke.net ntp0.kostecke.net 0x3 3315100165",
cert="stasis imp.kostecke.net 0x3 3343787146",
cert="imp.kostecke.net ntp0.kostecke.net 0x3 3344713570",
cert="stasis stasis 0x3 3343787146"

To see the authentication details (e.g. which Identity Scheme is in use)
you need to look at the flags for that association:

$ ntpq -c"rv 45799 flags"

assID=45799 status=7614 reach, auth, sel_sys.peer, 1 event, event_reach,

In this case:

#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verifed */

The flags are documented in ./include/ntp_crypto.h

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

More information about the questions mailing list