beautypg.com

Ntp security, Ntp access control, Ntp authentication – H3C Technologies H3C MSR 5600 User Manual

Page 76

background image

63

NTP security

To improve time synchronization security, NTP provides the access control and authentication functions.

NTP access control

You can control NTP access by using an ACL. The access rights are in the following order, from least

restrictive to most restrictive:

Peer—Allows time requests and NTP control queries (such as alarms, authentication status, and time

server information) and allows the local device to synchronize itself to a peer device.

Server—Allows time requests and NTP control queries, but does not allow the local device to
synchronize itself to a peer device.

Synchronization—Allows only time requests from a system whose address passes the access list
criteria.

Query—Allows only NTP control queries from a peer device to the local device.

The device processes an NTP request, as follows:

If no NTP access control is configured, peer is granted to the local device and peer devices.

If the IP address of the peer device matches a permit statement in an ACL for more than one access
right, the least restrictive access right is granted to the peer device. If a deny statement or no ACL is

matched, no access right is granted.

If no ACL is created for a specific access right, the associated access right is not granted.

If no ACL is created for any access right, peer is granted.

This feature provides minimal security for a system running NTP. A more secure method is NTP

authentication.

NTP authentication

Use this feature to authenticate the NTP messages for security purposes. If an NTP message passes

authentication, the device can receive it and get time synchronization information. If not, the device

discards the message. This function makes sure the device does not synchronize to an unauthorized time
server.

Figure 27 NTP authentication

As shown in

Figure 27

, NTP authentication works as follows:

1.

The sender uses the MD5 algorithm to calculate the NTP message according to the key identified
by a key ID, and sends the calculated digest together with the NTP message and key ID to the

receiver.

2.

Upon receiving the message, the receiver finds the key according to the key ID in the message,
uses the MD5 algorithm to calculate the digest, and compares the digest with the digest contained

Key value

Message

Sender

Message

Sends to the

receiver

Digest

Receiver

Compare

Compute the

digest

Compute the

digest

Digest

Key ID

Message

Digest

Key ID

Key value

This manual is related to the following products: