NTP Authentication
Problem
You want to authenticate your NTP packets.
Solution
Use the ntp authentication command to authenticate NTP traffic between associations. To configure an NTP enabled router to require authentication when other devices connect to it, use the following commands:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ntp authentication-key 2 md5 oreilly Router1(config)#ntp authenticate Router1(config)#ntp trusted-key 2 Router1(config)#end Router1#
Then you must configure the same authentication-key on the client router:
Router2#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router2(config)#ntp authentication-key 2 md5 oreilly Router2(config)#ntp authenticate Router2(config)#ntp trusted-key 2 Router2(config)#ntp server 172.25.1.5 key 2 Router2(config)#end Router2#
Discussion
People often confuse authentication with encryption. Authentication proves the authenticity of a packet's source, whereas encryption encodes or enciphers the packet contents. For the purposes of NTP, proving the authenticity of the packet is critical, whereas encrypting the contents of the packet is unnecessary, since it only contains time information, which isn't terribly sensitive in itself.
Cisco fully supports NTP authentication defined in RFC 1305. NTP authentication ensures that NTP associations synchronize time only to known and trusted NTP servers. This prevents servers from masquerading as legitimate timeservers either accidentally or intentionally.
Time services and the ability to manipulate time services are critical to organizations that may depend on accurate time for billing, business regulatory issues, fault isolation, or security purposes. In such organizations, there is at least a theoretical danger that somebody could put a false NTP server on the network to change the clocks, which could be useful in some larger nefarious scheme. To prevent such problems and enhance security, many organizations only allow authenticated NTP relationships within their corporate networks.
The NTP protocol uses the RSA Message Digest 5 (MD5) algorithm to provide cryptographic authentication of NTP packets. Although the NTP packet is not encrypted, a one-way hash, created using pre-shared keys, ensures the authenticity of the sender and packet. The contents of the NTP packet's time and date information do not warrant secrecy, so no encryption is required.
The example above shows a single client/server pair, enabling authentication between them. The NTP client and server pair must share the same key number and value ("oreilly," in this case) before authentication will work. Note that routers support multiple keys and can assign a different key for each association, if required. You can also configure the router to accept time updates from a mixture of authenticated and nonauthenticated servers. This example shows portions of a NTP debug trace:
Router1#debug ntp packet NTP packets debugging is on Router1#debug ntp authentication NTP authentication debugging is on Mar 18 22:39:12 EST: NTP: rcv packet from 172.16.2.2 to 172.25.1.7 Mar 18 22:39:12 EST: leap 0, mode 3, version 3, stratum 4, ppoll 256 Mar 18 22:39:12 EST: Authentication key 2 Mar 18 22:39:12 EST: NTP: stateless xmit packet to 172.16.2.2: Mar 18 22:39:12 EST: leap 0, mode 4, version 3, stratum 3, ppoll 256 Mar 18 22:39:12 EST: Authentication key 2
Notice that the client polled the server with authentication key 2 and the server responded with its NTP response and authentication key 2 as well. Assuming that both key 2 strings are also equal, the client will form an association with the server and synchronize its internal clock with the server's.
Broadcast and multicast NTP associations also support NTP authentication:
Router3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router3(config)#clock timezone EST -5 Router3(config)#clock summer-time EDT recurring Router3(config)#ntp authentication-key 2 md5 oreilly Router3(config)#ntp trusted-key 2 Router3(config)#ntp server 172.25.1.1 Router3(config)#interface Ethernet0 Router3(config-if)#ntp multicast key 2 Router3(config-if)#end Router3#
This example shows the configuration for an NTP multicast server that sends multicast packets by using the default NTP address 224.0.1.1 with authentication enabled. You can configure authentication for NTP broadcast mode similarly with the only difference being the command:
Router3(config-if)#ntp broadcast key 2
It is important to note that NTP broadcast and multicast modes use a single key for the entire multicast domain.
Organizations that receive NTP feeds from the Internet usually cannot rely on NTP authentication because few public servers support authentication functionality. This is not a major concern, since NTP algorithms ignore timeservers with outrageous dates and time. Reduce the risk of synchronizing to illegitimate NTP providers by configuring your NTP servers with multiple NTP Stratum 1 servers.