[ntp:questions] Problem using ntp autokey with the trusted certificate identity scheme

Bartholome, Alain alain.bartholome at eads.com
Wed Feb 4 15:51:34 UTC 2009


Hi,

I am currently trying to run the ntp autokey protocol with the Trusted
Certificate identity scheme.

I use 3 systems (serverT1, server2, server3), all running ntp-4.2.4p6 on
Windows 2003.

 

#####

1) The stratum 1 system, serverT1, is trusted.

#####

ntp.conf of serverT1:

 

 

driftfile "d:\appli\NTP\ntp.drift"

keysdir "D:\appli\ntp\etc"

crypto

server 127.127.1.0

fudge 127.127.1.0 stratum 1

 

#end of ntp.conf

 

ServerT1 is trusted. I run on serverT1 the following ntp-keygen command:

ntp-keygen  -T

 

ntpq returns the following information:

 

ntpq> rv

assID=0 status=0544 leap_none, sync_local_proto, 4 events,
event_peer/strat_chg,

 

version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",

processor="unknown", system="WINDOWS/NT", leap=00, stratum=2,

precision=-20, rootdelay=0.000, rootdispersion=11.370, peer=60933,

refid=LOCAL(0),

reftime=cd34294d.ecd4a22c  Wed, Feb  4 2009 14:48:45.925, poll=10,

clock=cd34296b.49445fe5  Wed, Feb  4 2009 14:49:15.286, state=4,

offset=0.000, frequency=0.000, jitter=0.001, noise=0.001,

stability=0.000, hostname="serverT1", signature="md5WithRSAEncryption",

flags=0x80001, update=200902041304, tai=0, cert="serverT1 serverT1 0x1",

expire=201001281615

ntpq> rv 60933

assID=60933 status=9614 reach, conf, sel_sys.peer, 1 event, event_reach,

srcadr=LOCAL(0), srcport=123, dstadr=127.0.0.1, dstport=123, leap=00,

stratum=1, precision=-20, rootdelay=0.000, rootdispersion=10.000,

refid=LOCL, reach=377, unreach=0, hmode=3, pmode=4, hpoll=6, ppoll=10,

flash=00 ok, keyid=0, ttl=0, offset=0.000, delay=0.000,

dispersion=0.942, jitter=0.001,

reftime=cd3432f2.ecd4e67b  Wed, Feb  4 2009 15:29:54.925,

org=cd3432f2.ecd4e67b  Wed, Feb  4 2009 15:29:54.925,

rec=cd3432f2.ecd50a41  Wed, Feb  4 2009 15:29:54.925,

xmt=cd3432f2.ecd4c6eb  Wed, Feb  4 2009 15:29:54.925,

filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,

filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,

filtdisp=      0.00    0.98    1.97    2.91    3.90    4.88    5.84    6.83

 

 

#####

2) Server server2 is not trusted; synchronization is successful with
serverT1

######

ntp.conf of server2:

 

keysdir "D:\appli\ntp\etc"

crypto

server serverT1 autokey iburst

 

 #end of ntp.conf

 

Server2 is not trusted. I run on server2 the following ntp-keygen command:

ntp-keygen  

 

 The synchronization with serverT1 is OK.

 

I get the following ntpq information:

 

ntpq> rv 25408

assID=25408 status=f614 reach, conf, auth, sel_sys.peer, 1 event,
event_reach,

srcadr=serverT1, srcport=123, dstadr=192.168.1.20, dstport=123, leap=00,

stratum=2, precision=-20, rootdelay=0.000, rootdispersion=11.780,

refid=LOCAL(0), reach=377, unreach=0, hmode=3, pmode=4, hpoll=8,

ppoll=8, flash=00 ok, keyid=2530961316, ttl=0, offset=-5.406,

delay=0.538, dispersion=7.295, jitter=7.284,

reftime=cd342132.ec945c28  Wed, Feb  4 2009 14:14:10.924,

org=cd34216b.6a7954cf  Wed, Feb  4 2009 14:15:07.415,

rec=cd34216b.6bed4439  Wed, Feb  4 2009 14:15:07.421,

xmt=cd34216b.6bc631af  Wed, Feb  4 2009 14:15:07.420,

filtdelay=     0.54    0.73    0.62   24.35    0.54    0.57    0.50    0.51,

filtoffset=   -5.41   -3.59    2.06    5.67    1.19    0.93    3.51    4.64,

filtdisp=      0.00    3.86    7.68   11.51   15.35   19.17   23.01   24.96,

hostname="serverT1", signature="md5WithRSAEncryption", flags=0x83f01,

trust="serverT1"

ntpq> rv

assID=0 status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg,

version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",

processor="unknown", system="WINDOWS/NT", leap=00, stratum=3,

precision=-18, rootdelay=0.373, rootdispersion=36.531, peer=25408,

refid=192.168.1.1,

reftime=cd342770.7be454cf  Wed, Feb  4 2009 14:40:48.483, poll=9,

clock=cd3428e6.49fff906  Wed, Feb  4 2009 14:47:02.289, state=4,

offset=-10.760, frequency=20.908, jitter=4.156, noise=10.913,

stability=0.048, hostname="server2", signature="md5WithRSAEncryption",

flags=0x80001, update=200902041308, tai=0, cert="serverT1 serverT1 0x7",

expire=201001281615, cert="server2 server2 0x2",

expire=201002041023

 

######

3) server3 is not trusted and should synchronize with server2

######

   ntp.conf of server3

 

keysdir "D:\appli\ntp\etc"

crypto

server server2 autokey  iburst prefer

#end of ntp.conf

 

Server3 is not trusted. I run on server3 the following ntp-keygen command:

ntp-keygen  

 

server3 does not synchronize with server2

 

ntpq gives the following information:

ntpq> rv 50257

assID=50257 status=e000 unreach, conf, auth, no events,

srcadr=server2, srcport=123, dstadr=192.168.2.11, dstport=123,

leap=00, stratum=3, precision=-18, rootdelay=0.519,

rootdispersion=32.700, refid=192.168.1.1, reach=000, unreach=27,

hmode=3, pmode=4, hpoll=10, ppoll=9, flash=80 pkt_autokey,

keyid=1380897353, ttl=0, offset=0.000, delay=0.000,

dispersion=15937.500, jitter=0.000,

reftime=cd3417e7.59d3f4e0  Wed, Feb  4 2009 13:34:31.350,

org=cd34186d.a8e79f46  Wed, Feb  4 2009 13:36:45.659,

rec=cd34186d.95b2f617  Wed, Feb  4 2009 13:36:45.584,

xmt=cd34186d.954f37dd  Wed, Feb  4 2009 13:36:45.583,

filtdelay=     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,

filtoffset=    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00,

filtdisp=   16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0,

hostname="server2", signature="md5WithRSAEncryption", flags=0x80001,

trust="server2"

ntpq> rv

assID=0 status=c011 sync_alarm, sync_unspec, 1 event, event_restart,

version="ntpd 4.2.4p6 at vegas-v2-o Jan 12 15:27:46 (UTC+01:00) 2009  (4)",

processor="unknown", system="WINDOWS/NT", leap=11, stratum=16,

precision=-18, rootdelay=0.000, rootdispersion=64.065, peer=0,

refid=INIT, reftime=00000000.00000000  Thu, Feb  7 2036  6:28:16.000,

poll=6, clock=cd342253.1a895515  Wed, Feb  4 2009 14:18:59.103, state=1,

offset=0.000, frequency=16.562, jitter=0.004, noise=0.004,

stability=0.000, hostname="server3", signature="md5WithRSAEncryption",

flags=0x80001, update=203602070628, tai=0,

cert="server2 server2 0x2", expire=201002041023,

cert="server3 server3 0x2", expire=201002041058

 


 


 

Could you tell me if my use of autokey with the trusted certificate identity
scheme is correct?

 

Do you see something wrong?

 

Thanks for your help.

 

Alain BARTHOLOMÉ
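
Added example (not part of the original post): a Python script that reads the cert="subject issuer flags" entries from the system-variable "rv" output shown above and reports which certificates a host holds with the trust bit set. The flag-bit names are those in ntpd's ntp_crypto.h and are assumed to apply to 4.2.4p6; parse_certs and trail_report are hypothetical helper names.

```python
import re

# Certificate flag bits as named in ntpd's ntp_crypto.h
# (assumption: unchanged in 4.2.4p6).
CERT_FLAGS = {0x01: "trust", 0x02: "sign", 0x04: "valid",
              0x08: "priv", 0x80: "error"}

# Constructed samples: the cert lines copied from the "rv" output in the post.
SERVER2_RV = '''flags=0x80001, update=200902041308, tai=0, cert="serverT1 serverT1 0x7",
expire=201001281615, cert="server2 server2 0x2",
expire=201002041023'''
SERVER3_RV = '''flags=0x80001, update=203602070628, tai=0,
cert="server2 server2 0x2", expire=201002041023,
cert="server3 server3 0x2", expire=201002041058'''

# cert="<subject> <issuer> <flags>" followed by its expire=<YYYYMMDDHHMM> value.
CERT_RE = re.compile(r'cert="(\S+) (\S+) (0x[0-9a-fA-F]+)",?\s*expire=(\d+)')

def parse_certs(rv_text):
    """Return one dict per cert entry, in the order ntpq lists them."""
    certs = []
    for subject, issuer, flags, expire in CERT_RE.findall(rv_text):
        bits = int(flags, 16)
        names = sorted(n for bit, n in CERT_FLAGS.items() if bits & bit)
        certs.append({"subject": subject, "issuer": issuer,
                      "expire": expire, "flags": names})
    return certs

def trail_report(host, rv_text):
    """Summarise the certificate list that 'host' currently holds."""
    certs = parse_certs(rv_text)
    own = next((c for c in certs if c["subject"] == host), None)
    return {
        "trusted_subjects": [c["subject"] for c in certs if "trust" in c["flags"]],
        "own_cert_self_signed": bool(own and own["issuer"] == host),
        "certs": certs,
    }

if __name__ == "__main__":
    for host, text in (("server2", SERVER2_RV), ("server3", SERVER3_RV)):
        print(host, trail_report(host, text))
```

On the output in the post this reports one trusted certificate (serverT1) held by server2 and none held by server3, whose list contains only the self-signed server2 and server3 certificates.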



