[ntp:questions] Autokey IFF

Fabien greenboww at gmail.com
Mon Jun 19 14:09:16 UTC 2017


Hello,

I'm trying to set up an NTP infrastructure using the Autokey feature in IFF mode, but I have difficulties understanding how it works. I'm using NTP 4.2.6p5. I've set up a virtual machine lab:

                            +-----+
Stratum: S0                 |Local|
                            |Time |
                            +--+--+
                               |
                             +-+--+
         S1                  | 00 |
                       +---> |    | <---+
                       |     +----+     |
                       |                |   
                     +-+--+          +--+-+   |
         S2          | 01 |          | 02 |   |
                     |    |          |    |   |
                     +--+-+ <--+ +-> +--+-+   |
                        ^      | |      ^     |
                        | +------+      |     } IFF here
                        | |    |        |     |
                     +--+-+    +-----+--+-+   |
         S3          | 03 |          | 04 |   |
                     |    <---------->    |   |
                     +----+          +----+   |


00 is a physical ntp server.
01 and 02 are the Trusted Hosts (TH). 01 is the Trusted Agent (TA). 
03 and 04 are the clients.

On 01, I generated the group keys with:
	ntp-keygen -T -I -p azerty -i mongroup
and I have distributed the group parameters to the clients (and then created a symlink on them) with:
	ntp-keygen -e -p azerty
Its ntp.conf contains:
	…
restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
	…
crypto pw azerty ident mongroup
keysdir /etc/ntp/crypto 

On 03 and 04 (the clients) I’ve generated their certificates with:
	ntp-keygen -H -p client -i mongroup
Their ntp.conf files are:
	…
server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //XXX… is the 01 address
	…
	crypto pw client
	keysdir /etc/ntp/crypto

I can verify this configuration works by checking the association flags with: ntpq -c "rv ASSOCID flags"
(Also, my flags are 5 digits long, but 4 digits long in the support guide: http://support.ntp.org/bin/view/Support/ConfiguringAutokey. Why?)

I want 02 in the same group and in IFF mode too, but I cannot make it work. I think I have to use the command:
	ntp-keygen -p azerty -q root
on 01 (root is the password on 02) and share the private group key with 02?

I did several tests, and on 02 I generated another group key (but with the same group name as 01) without distributing its parameters to the clients.
On 02:
	ntp-keygen -T -I -i mongroup -p root
ntp.conf:
	…
restrict XXX.XXX.XXX.0 mask 255.255.255.0 notrust //where XXX… is my subnet
	…
crypto pw root ident mongroup
keysdir /etc/ntp/crypto 

On 03 and 04, the ntp.conf files are:
…
server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 01 address
server XXX.XXX.XXX.XXX iburst minpoll 4 autokey ident mongroup //with the 02 address
	…
	crypto pw client
	keysdir /etc/ntp/crypto

When I start ntpd on 02, 03 and 04, the clients are able to synchronize with 02, and in IFF mode! How is it possible? They don't share anything.
I think someone could do a MITM attack and take the place of 02 (correct me if I'm wrong).

I read the documentation on https://www.eecis.udel.edu/~mills/ntp/html/index.html but this is a bit confusing.

Plus, I cannot make the symmetric link between 03 and 04 work in IFF mode. But here I do not know if that's possible.

Let me know if I didn't make it clear. 

Thanks (and excuse my English).
Fabien


