[ntp:questions] Can I stop authenticated peers from mobilizing symmetric associations

Charles Elliott elliott.ch at comcast.net
Mon Jan 23 17:17:45 UTC 2017


> Do you know if there are any means to configure server B so that it does
> not allow server A to mobilize a dynamic symmetric association (meaning B
> should still provide time services to A, but should not consider A as a
> time source)? Maybe there is a similar option to nopeers, but I cannot find
> any in NTP documentation.

But this is the normal (Unicast) situation.  Unless I am missing something
here, just don't tell B that A exists.  B does not have to know anything
about A for NTPD to work correctly.  The peer relationship is rarely used.
In fact, I don't remember anyone ever asking about the peer option before.

Charles Elliott



-----Original Message-----
From: questions
[mailto:questions-bounces+elliott.ch=comcast.net at lists.ntp.org] On Behalf Of
Moser, Stefan
Sent: Monday, January 23, 2017 3:53 AM
To: questions at lists.ntp.org
Subject: [ntp:questions] Can I stop authenticated peers from mobilizing
symmetric associations

Hello everyone,

for unauthenticated peers, there is the restrict nopeer directive that stops
unknown peers from initializing dynamic symmetric associations with an NTP
server. However, from my own tests in my lab (and from NTP documentation),
it seems that nopeer does not pertain to authenticated peers. In my lab, I
saw this: If server A knows the authentication key of Server B and has a
peer IP_address_of_server_B directive in its ntp.conf, A is able to form a
dynamic symmetric association with server B even if server B has no
configuration for server A at all, and server B lists server A in its
association table (ntpq -p, type shown as S).

Do you know if there are any means to configure server B so that it does not
allow server A to mobilize a dynamic symmetric association (meaning B should
still provide time services to A, but should not consider A as a time
source)? Maybe there is a similar option to nopeers, but I cannot find any
in NTP documentation.

Stefan

_______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions
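
A check for the situation described in the original message, as an added example that is not part of the thread: this shell function reads `ntpq -pn` output taken on server B and prints every association of type S whose address is not on an allowlist of peers that were configured on purpose. The function names, the allowlist argument and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumption: input is `ntpq -pn` peer-billboard text, where column 1 of each
# row is the tally character and the "t" column is 7th from the end.

# find_passive_peers "ADDR1 ADDR2 ..."
# Reads billboard text on stdin and prints the remote address of every
# association of type S (as reported in the thread) that is not in the
# space-separated allowlist of peers the operator configured on purpose.
find_passive_peers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^=+$/ { next }                      # separator under the header
        {
            cnt = split(substr($0, 2), f, " ")   # drop the tally character
            if (cnt < 8 || f[1] == "remote") next
            # Count from the right so an empty refid cannot shift the column.
            if (f[cnt - 6] == "S" && !(f[1] in ok)) print f[1]
        }
    '
}

# Constructed sample output (documentation addresses, not a real capture).
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.412    0.021   0.015
+192.0.2.20      192.0.2.10       2 s   12   64  377    0.530   -0.102   0.044
 198.51.100.7    192.0.2.10       3 S   40   64   17    0.611    0.350   0.120
 203.0.113.5     192.0.2.10       3 S    8   64    3    0.702    0.410   0.200
EOF
}
```

On server B this would be run as `ntpq -pn | find_passive_peers "192.0.2.20"`, with the argument listing the peers B is meant to have.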