Task 10.1 & Task 10.2

I didn't get the points for these two because I didn't configure the NTP trusted-key. Since when do you need to have ntp trusted-key configured on NTP peers? I had done all my NTP verifications; all neighbors were synchronized and, where needed, authenticated, per the output of "sh ntp associations detail".

Comments

  • Synchronization happens independently of authentication.  The clients
    SHOULD need the trusted-key to make that work.  Are you sure the "sh
    ntp assoc detail" shows they were authenticated?

    Scott Morris, CCIEx4
    (R&S/ISP-Dial/Security/Service Provider) #4713,

    JNCIE-M #153, JNCIS-ER, CISSP, et al.

    JNCI-M, JNCI-ER

    [email protected]



    Internetwork Expert, Inc.

    http://www.InternetworkExpert.com

    Toll Free: 877-224-8987

    Outside US: 775-826-4344



    Knowledge is power.

    Power corrupts.

    Study hard and be Eeeeviiiil......

    andreiarnautu wrote:

    > I didn't get the points for these two because I didn't configure
    > the NTP trusted-key. Since when do you need to have ntp trusted-key
    > configured on NTP peers? I had done all my NTP verifications; all
    > neighbors were synchronized and, where needed, authenticated, per the
    > output of "sh ntp associations detail".

    Internetwork Expert - The Industry Leader in CCIE Preparation

    http://www.internetworkexpert.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx

  • Thanks again for your reply here!!

    Ok, NTP Server R4:

    R4#sh run | i ntp
    ntp authentication-key 1 md5 14343B382F2B 7
    ntp authenticate
    ntp trusted-key 1
    ntp master 3

    NTP Client R3:

    R3#sh run | i ntp
    ntp authentication-key 1 md5 032772382520 7
    ntp clock-period 17179867
    ntp server 10.0.0.2 key 1

    R3#sh ntp associations detail
    10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 3
    ref ID 127.127.7.1, time CE080AA6.8F943831 (07:58:30.560 UTC Wed Jul 15 2009)
    our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    root delay 0.00 msec, root disp 0.03, reach 377, sync dist 24.963
    delay 46.42 msec, offset -2.2710 msec, dispersion 1.72
    precision 2**18, version 3
    org time CE080AAF.C04F2EEF (07:58:39.751 UTC Wed Jul 15 2009)
    rcv time CE080AAF.C83276CF (07:58:39.782 UTC Wed Jul 15 2009)
    xmt time CE080AAF.B9C62D82 (07:58:39.725 UTC Wed Jul 15 2009)
    filtdelay =    56.12   46.42   46.31   45.78   45.94   46.11   45.82   46.10
    filtoffset =   -2.75   -2.27   -1.79   -1.23   -1.32   -1.13   -1.17   -1.25
    filterror =     0.02    0.99    1.97    2.94    2.96    2.98    2.99    3.01

    There is no need for ntp trusted-key on the peers, that just tells the server which key the peers should use when they authenticate.

    -Andrei

  • There is supposed to be.  Interesting though.

    http://blog.ine.com/2007/12/28/how-does-ntp-authentication-work/

    I'll see if I can look at other versions about what has or hasn't
    changed.

    andreiarnautu wrote:

    > Thanks again for your reply here!!
    >
    > Ok, NTP Server R4:
    >
    > R4#sh run | i ntp
    > ntp authentication-key 1 md5 14343B382F2B 7
    > ntp authenticate
    > ntp trusted-key 1
    > ntp master 3
    >
    > NTP Client R3:
    >
    > R3#sh run | i ntp
    > ntp authentication-key 1 md5 032772382520 7
    > ntp clock-period 17179867
    > ntp server 10.0.0.2 key 1
    >
    > R3#sh ntp associations detail
    > 10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 3
    > ref ID 127.127.7.1, time CE080AA6.8F943831 (07:58:30.560 UTC Wed Jul 15 2009)
    > our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
    > root delay 0.00 msec, root disp 0.03, reach 377, sync dist 24.963
    > delay 46.42 msec, offset -2.2710 msec, dispersion 1.72
    > precision 2**18, version 3
    > org time CE080AAF.C04F2EEF (07:58:39.751 UTC Wed Jul 15 2009)
    > rcv time CE080AAF.C83276CF (07:58:39.782 UTC Wed Jul 15 2009)
    > xmt time CE080AAF.B9C62D82 (07:58:39.725 UTC Wed Jul 15 2009)
    > filtdelay =    56.12   46.42   46.31   45.78   45.94   46.11   45.82   46.10
    > filtoffset =   -2.75   -2.27   -1.79   -1.23   -1.32   -1.13   -1.17   -1.25
    > filterror =     0.02    0.99    1.97    2.94    2.96    2.98    2.99    3.01
    >
    > There is no need for ntp trusted key on the peers.
    >
    > -Andrei

  • Andrei,

    Task 10.1: Both the ntp authenticate and the ntp trusted-key commands should be configured on the NTP client, while the ntp authentication-key command should be used on both the NTP client and the server.
    There's an old but still good article that might help you better understand the NTP authentication process:
    http://www.internetworkexpert.com/resources/ntp-authentication.htm

    Your configuration for these tasks was:

    Rack19R4#show run | i ntp

    ntp authentication-key 1 md5 032772382520 7
    ntp clock-period 17208095
    ntp access-group peer 21
    ntp access-group serve-only 22
    ntp master 6
    ntp server 192.10.19.254 prefer
    ntp server 204.12.19.254 key 1

    Rack19R4#show ntp association detail | i configured

    127.127.7.1 configured, our_master, sane, valid, stratum 5
    192.10.19.254 configured, sane, invalid, stratum 4
    204.12.19.254 configured, authenticated, selected, sane, valid, stratum 5

    Moreover, R6 isn't configured to authenticate NTP updates from BB1:

    Rack19R6#show run | i ntp

    ntp clock-period 17207680
    ntp source Loopback0
    ntp access-group peer 21
    ntp access-group serve-only 22
    ntp master 6
    ntp server 54.19.2.254

    Task 10.2:

    Rack19R3#show ntp status | i Clock
    Clock is unsynchronized, stratum 16, no reference clock

    Rack19R3#show ntp association detail | i 150.19.4.4
    150.19.4.4 configured, insane, invalid, stratum 6

    Rack19R5#show ntp status | i Clock
    Clock is unsynchronized, stratum 16, no reference clock

    Rack19R5#show ntp association detail | i 150.9.4.4
    150.19.4.4 configured, insane, invalid, stratum 6

    Rack19SW2#show ntp status | i Clock
    Clock is unsynchronized, stratum 16, no reference clock

    Rack19SW2#show ntp association detail | i 150.19.4.4
    150.19.4.4 configured, insane, invalid, stratum 6

  • You just proved I do not need the trusted-key at the end:

    Rack19R4#show run | i ntp

    ntp authentication-key 1 md5 032772382520 7
    ntp clock-period 17208095
    ntp access-group peer 21
    ntp access-group serve-only 22
    ntp master 6
    ntp server 192.10.19.254 prefer
    ntp server 204.12.19.254 key 1

    Rack19R4#show ntp association detail | i configured

    127.127.7.1 configured, our_master, sane, valid, stratum 5
    192.10.19.254 configured, sane, invalid, stratum 4
    204.12.19.254 configured, authenticated, selected, sane, valid, stratum 5

    Look at 204.12.19.254, it is authenticated. There is no trusted key in my config.  The only reason my config didn't work for 192.10.19.254 is that I omitted the key 1 at the end. There is no need for "ntp trusted-key 1" configured on the NTP peers.

    From the Cisco doc:

    "Usage Guidelines

    If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication ke"

    ntp trusted-key is only used on ntp masters; the only reason for the command is to tell which authentication key it should expect from the peers.

  •  Andrei,

    Your logic for configuring NTP authentication is incorrect. The NTP client must authenticate the NTP server, not vice versa (like in your configuration).

    The ntp authenticate command is required on the router requesting time synchronization. It globally enables authentication. The ntp authentication-key command is required on both routers. This command defines an authentication string and assigns it a number.

    The router requesting time synchronization is configured with the ntp trusted-key command. This command lists key numbers that have already been defined with the ntp authentication-key command, which the server must include in its NTP packets, before this router will synchronize to it. The ntp trusted-key command is therefore only required on the client router.

    The key number option must also be included in the client's ntp server command. This adds the key to the NTP packets from the client to the server. When the server sees the key, if the key has been defined on the server, the server includes it in its NTP packets to the client.


    You did just the opposite (both in your example and mock lab):

    >Ok, NTP Server R4 :

    >R4#sh run | i ntp
    >ntp authentication-key 1 md5 14343B382F2B 7
    >ntp authenticate
    >ntp trusted-key 1
    >ntp master 3

    >NTP Client R3:

    >R3#sh run | i ntp
    >ntp authentication-key 1 md5 032772382520 7
    >ntp clock-period 17179867
    >ntp server 10.0.0.2 key 1

    >Rack19R4#show run | i ntp

    >ntp authentication-key 1 md5 032772382520 7
    >ntp clock-period 17208095
    >ntp access-group peer 21
    >ntp access-group serve-only 22
    >ntp master 6
    >ntp server 192.10.19.254 prefer
    >ntp server 204.12.19.254 key 1
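A small audit script that applies the rule Vadim lays out in his two posts above (authentication-key on both sides; authenticate, trusted-key and the key number on the ntp server line on the client). This is an added example written for this thread, not code from IEOC, INE or Cisco. It parses `show run | include ntp` output and lists, per configured server, why that server's time is not actually being authenticated. The sample inputs are the R3 and Rack19R4 configs quoted in the thread plus one constructed corrected R3 config (`R3_FIXED`); the parser only handles the single-number `ntp trusted-key N` form shown in the thread (an assumption; newer IOS also accepts ranges).

```python
"""Audit a Cisco IOS NTP client config for enforced (not just displayed) authentication.

Added example for this thread; not code from IEOC, INE or Cisco. A client
enforces authentication of a server only when all of
  ntp authenticate
  ntp authentication-key N md5 ...
  ntp trusted-key N
  ntp server <addr> key N
are present with the same key number N. `ntp trusted-key` parsing covers the
single-number form shown in the thread only (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class NtpConfig:
    authenticate: bool = False
    auth_keys: dict = field(default_factory=dict)   # key number -> (algorithm, string)
    trusted_keys: set = field(default_factory=set)  # key numbers from ntp trusted-key
    servers: dict = field(default_factory=dict)     # server address -> key number or None


def parse_ntp_config(text: str) -> NtpConfig:
    """Parse `show run | include ntp` output; prompts and non-ntp lines are skipped."""
    cfg = NtpConfig()
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "ntp":
            continue
        if parts[1] == "authenticate":
            cfg.authenticate = True
        elif parts[1] == "authentication-key" and len(parts) >= 5:
            cfg.auth_keys[int(parts[2])] = (parts[3], parts[4])
        elif parts[1] == "trusted-key" and len(parts) >= 3:
            cfg.trusted_keys.add(int(parts[2]))
        elif parts[1] in ("server", "peer") and len(parts) >= 3:
            key = None
            if "key" in parts[3:]:                      # e.g. "ntp server 10.0.0.2 key 1"
                key = int(parts[parts.index("key", 3) + 1])
            cfg.servers[parts[2]] = key
    return cfg


def audit_client(cfg: NtpConfig) -> dict:
    """For each configured server, list why its time is NOT authenticated.

    An empty list means the client will only sync to that server when the
    server's packets carry a valid MAC under a trusted key.
    """
    findings = {}
    for server, key in cfg.servers.items():
        problems = []
        if key is None:
            problems.append("no 'key N' on the ntp server line, so no MAC is exchanged")
        else:
            if key not in cfg.auth_keys:
                problems.append(f"key {key} is not defined with ntp authentication-key")
            if key not in cfg.trusted_keys:
                problems.append(f"key {key} is not listed in ntp trusted-key")
        if not cfg.authenticate:
            problems.append("ntp authenticate is missing, so nothing is ever rejected")
        findings[server] = problems
    return findings


# Configs quoted in the thread (R3, Rack19R4) and one constructed fix for R3.
R3_CONFIG = """R3#sh run | i ntp
ntp authentication-key 1 md5 032772382520 7
ntp clock-period 17179867
ntp server 10.0.0.2 key 1
"""

RACK19R4_CONFIG = """Rack19R4#show run | i ntp
ntp authentication-key 1 md5 032772382520 7
ntp clock-period 17208095
ntp access-group peer 21
ntp access-group serve-only 22
ntp master 6
ntp server 192.10.19.254 prefer
ntp server 204.12.19.254 key 1
"""

R3_FIXED = """ntp authentication-key 1 md5 032772382520 7
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.2 key 1
"""

if __name__ == "__main__":
    for name, text in [("R3", R3_CONFIG), ("Rack19R4", RACK19R4_CONFIG), ("R3 fixed", R3_FIXED)]:
        print(name)
        for server, problems in audit_client(parse_ntp_config(text)).items():
            print(f"  {server}: {'OK' if not problems else '; '.join(problems)}")
```

Run against the thread's configs, R3's single server and both of Rack19R4's servers each come back with two findings (no trusted-key or no key on the server line, and no `ntp authenticate`), which is exactly why the "authenticated" flag alone was not enough for the grader; the constructed `R3_FIXED` comes back clean.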

  • Ok, I'll make it real simple; please explain this:

    R3#sh run | i ntp
    ntp authentication-key 1 md5 032772382520 7
    ntp clock-period 17179659
    ntp server 10.0.0.2 key 1

    R3#sh ntp ass det | i uth
    10.0.0.2 configured, authenticated, our_master, sane, valid, stratum 3

    What does the keyword "authenticated" mean on the output of "sh ntp associations detail"?

    -Andrei

  • It means that the key included in the NTP update by the server matches the key configured on the client. However, NTP authentication isn't actually enabled on the NTP client with the ntp authenticate command.

    If you still don't believe me do the following:

    - configure the ntp authenticate command on the client (R3)

    - enable NTP event, authentication and peer validity debugging (on R3)

    - change time on the NTP server, i.e. clock set 11:11:11 1 aug 2011 (R4)

    - enjoy ;-)

    You will see the 'Authentication failed' messages on R3. Also, in a few minutes the show ntp status command output will tell you that R3's clock is unsynced and the show ntp ass det command output will prove that the NTP server is insane.

    Now disable the NTP authentication command on R3 (remove the ntp authenticate command). In a few moments R3 will be synced with R4 again.

    If it happens I'll be expecting your apologies for saying that the proctor "took a dump" on grading your mock lab ;-)
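The test Vadim describes can be modelled offline. The following is an added example for this thread, not code from IEOC, INE or Cisco: it builds an NTP server reply with the MAC format from RFC 5905 section 7.3 (32-bit key ID followed by MD5 over key || 48-byte header) and then applies a client-side policy modelled on Vadim's description of IOS behaviour, namely that "authenticated" only records that the MAC matched a locally defined key, that nothing is rejected until `ntp authenticate` is on, and that once it is on only keys in `ntp trusted-key` count. `ClientPolicy`, `client_decision` and all keys and timestamps are constructed for the example; the three policies correspond to R3 as posted, R3 with `ntp authenticate` added but no trusted-key (Vadim's test), and R3 fully configured.

```python
"""Model of what the 'authenticated' flag proves, and what `ntp authenticate` adds.

Added example for this thread; not code from IEOC, INE or Cisco. MAC format
per RFC 5905 section 7.3: key ID (32 bits) + MD5(key || 48-byte NTP header).
The client policy below models IOS behaviour as described in the thread
(assumption), not Cisco documentation. Keys and timestamps are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

NTP_HEADER_LEN = 48


def build_header(stratum: int, transmit_ts: int) -> bytes:
    """Minimal NTPv3 server-mode header (LI=0, VN=3, mode=4); unused fields zero."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -18)  # poll 2**6, precision 2**-18
    header += struct.pack("!II", 0, 0)                          # root delay, root dispersion
    header += b"LOCL"                                           # reference ID (local clock)
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)        # ref, org, rcv, xmt timestamps
    assert len(header) == NTP_HEADER_LEN
    return header


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Server side: append key ID and MD5 over key || header."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def check_mac(packet: bytes, keys: dict) -> tuple:
    """Client side: (mac_present, mac_valid, key_id) against the local key table."""
    if len(packet) <= NTP_HEADER_LEN:
        return (False, False, None)
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[48:52])[0]
    digest = packet[52:68]
    key = keys.get(key_id)
    if key is None:
        return (True, False, key_id)  # key number not defined locally: cannot verify
    expected = hashlib.md5(key + header).digest()
    return (True, hmac.compare_digest(expected, digest), key_id)


@dataclass(frozen=True)
class ClientPolicy:
    authenticate: bool       # ntp authenticate present
    trusted_keys: frozenset  # key numbers from ntp trusted-key


def client_decision(packet: bytes, keys: dict, policy: ClientPolicy) -> dict:
    """Return the association display flag and whether the client will sync.

    'authenticated' only says the MAC matched a locally defined key. Without
    `ntp authenticate` the client syncs to any reply, MAC or not; with it, a
    missing/invalid MAC or a key absent from ntp trusted-key is fatal.
    """
    present, valid, key_id = check_mac(packet, keys)
    authenticated = present and valid
    usable = (authenticated and key_id in policy.trusted_keys) if policy.authenticate else True
    return {"authenticated": authenticated, "usable": usable, "key_id": key_id}


# Constructed secrets; in IOS these are the ntp authentication-key strings.
SHARED_KEY = b"constructed-shared-secret"
OTHER_KEY = b"constructed-other-secret"
CLIENT_KEYS = {1: SHARED_KEY}

LAX = ClientPolicy(authenticate=False, trusted_keys=frozenset())        # R3 as posted
HALF = ClientPolicy(authenticate=True, trusted_keys=frozenset())        # R3 in Vadim's test
STRICT = ClientPolicy(authenticate=True, trusted_keys=frozenset({1}))   # fully configured


def run_scenarios() -> dict:
    """Replies from a correctly keyed server, a wrongly keyed one, and an unkeyed one."""
    header = build_header(stratum=3, transmit_ts=0xCE080AAF << 32)
    replies = {
        "good": append_mac(header, 1, SHARED_KEY),  # server key 1 matches the client's
        "bad": append_mac(header, 1, OTHER_KEY),    # server key 1 differs from the client's
        "plain": header,                            # server sends no MAC at all
    }
    policies = {"lax": LAX, "half": HALF, "strict": STRICT}
    return {(p, r): client_decision(pkt, CLIENT_KEYS, pol)
            for p, pol in policies.items() for r, pkt in replies.items()}


if __name__ == "__main__":
    for (policy, reply), result in run_scenarios().items():
        print(f"{policy:6} {reply:5} authenticated={result['authenticated']!s:5} usable={result['usable']}")
```

The "lax" rows reproduce Andrei's observation: a matching MAC shows "authenticated", yet a wrongly keyed or unkeyed reply is accepted just the same. The "half" row reproduces Vadim's experiment: with `ntp authenticate` on but no `ntp trusted-key`, even the correctly keyed reply is refused and the client loses sync. Only the "strict" policy accepts the good reply and refuses the other two.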

  • Hi Vadim

    You are correct here, I completely missed this; I was considering "sh ntp associations detail" as the ultimate verification of my NTP config.

    -Andrei
