[ntp:questions] xntpd (NTPv3) "restrict" questions.

Brad Knowles brad at stop.mail-abuse.org
Sun Jan 2 17:14:14 UTC 2005


At 8:24 AM +0000 2005-01-02, Pete Stephenson wrote:

>  I googled for an example configuration and located the following from
>  http://www.xs4all.nl/~xpeterxq/suse_conf_files/ntp.conf.html:
>
>  restrict default notrust lowpriotrap nopeer nomodify
>  restrict 209.204.159.18 mask 255.255.255.0 nopeer nomodify
>  restrict 204.152.184.72 mask 255.255.255.0 nopeer nomodify
>  restrict 216.218.192.202 mask 255.255.255.0 nopeer nomodify
>  restrict 216.218.254.202 mask 255.255.255.0 nopeer nomodify

	Note that "notrust" means that the clients have to authenticate 
the server cryptographically.  If you haven't set up cryptographic 
authentication keys, then this isn't going to work.

>  restrict default notrust lowpriotrap nopeer nomodify
>  restrict time.sonic.net mask 255.255.255.0 nopeer nomodify
>  restrict clock.isc.org mask 255.255.255.0 nopeer nomodify
>  restrict clock.fmt.he.net mask 255.255.255.0 nopeer nomodify
>  restrict clock.sjc.he.net mask 255.255.255.0 nopeer nomodify

	The "restrict" keyword only works with IP addresses, not 
hostnames.  This is a known weakness in the configuration file 
parsing, where everything else prefers hostnames (because the IP 
address could always change) but this requires IP addresses.

	Generally speaking, you probably don't want to try to do things 
which require "restrict" unless you're using exclusively your own 
time servers on your own network, and you can guarantee that no names 
ever change and no IP addresses ever change.

	Your server will automatically be protected from people trying to 
modify the time on it unless you "peer" with them.  They may try to 
update your concept of time, but your server will ignore those 
packets unless it is explicitly told to look for them.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.



More information about the questions mailing list