This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers, or rather their NTP packets. Though IOS only supports MD5 and not SHA-1, you still get an authenticated NTP connection. Let’s have a look:
I am using a Cisco 2811 (revision 3.0) with IOS version 15.1(4)M12a.
Note that MD5 NTP keys are ASCII strings which Cisco IOS converts to encryption type “7” when you enter the CLI command. For example, this input:
ntp authentication-key 1 md5 RJdVO~L*\@D*;M0]tH%9
actually becomes:
ntp authentication-key 1 md5 113B3301213D15204E160B00626818722E133E4658 7
Furthermore, one of my NTP keys generated by ntp-keygen was this:
z?_[vI~t|udu,Lss4{=Q. Do you see the problem? I wasn’t able to use this key because of the question mark. Hence I needed to change it to another one. Hmpf.
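To show what the type 7 conversion above actually does, here is an added Python example; it is neither the author's code nor a Cisco tool. It encodes and decodes type 7 strings with the fixed 40-byte key stream that every IOS device uses (the XLAT constant below), reproduces the conversion of the key shown above, and recovers the plaintext keys from a running-config snippet. Because type 7 is a reversible obfuscation rather than encryption, a configuration containing these lines should be handled as if it held the NTP keys in clear text. The ntp_keys_from_config helper and the SAMPLE_CONFIG snippet are my own constructions; the key line in the snippet is the one from this post.

```python
import re

# Cisco's well-known type 7 key stream. It is the same on every IOS device,
# so type 7 only hides a key from shoulder surfing, not from anyone who has
# the configuration file.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_encode(plaintext: str, seed: int = 11) -> str:
    """Return the type 7 string IOS stores for an ASCII key.

    The first two decimal digits are the seed (start offset into XLAT);
    every following byte is plaintext[i] XOR XLAT[(seed + i) % 40], in hex.
    """
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed must be between 0 and 39")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode("ascii")):
        out.append(f"{ch ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Invert type7_encode(); raises ValueError on malformed input."""
    if not re.fullmatch(r"\d\d(?:[0-9A-Fa-f]{2})*", encoded):
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode("ascii")


# Constructed config snippet (hypothetical); the authentication-key line is
# the type 7 form shown in the post above.
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 113B3301213D15204E160B00626818722E133E4658 7
ntp authenticate
ntp trusted-key 1
ntp server ntp1.weberlab.de key 1
"""


def ntp_keys_from_config(config: str) -> dict[int, str]:
    """Map key ID -> plaintext key for every 'ntp authentication-key <id> md5 <type7> 7' line."""
    keys = {}
    pattern = re.compile(r"^ntp authentication-key (\d+) md5 (\S+) 7\s*$", re.MULTILINE)
    for match in pattern.finditer(config):
        keys[int(match.group(1))] = type7_decode(match.group(2))
    return keys


if __name__ == "__main__":
    # Round trip of the key from the post (the backslash is part of the key).
    plain = "RJdVO~L*\\@D*;M0]tH%9"
    encoded = type7_encode(plain)
    print(encoded)                       # 113B3301213D15204E160B00626818722E133E4658
    print(type7_decode(encoded) == plain)
    print(ntp_keys_from_config(SAMPLE_CONFIG))
```

The seed only changes where the XOR walk starts, so any seed between 0 and 39 yields a string IOS accepts; the `11` in the post is simply the offset the router happened to pick.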
Config
Since I am operating three different stratum 1 NTP servers with different keys (Pi w/ DCF77, Pi w/ GPS, Meinberg LANTIME M200), I have to use three different key IDs. Otherwise the NTP client couldn’t distinguish between them.
That is:
- three authentication keys
- enabling NTP authentication
- trusting all three keys
- adding the three servers with the appropriate key IDs
ntp authentication-key 1 md5 04083B52357268181758574431132D3B140373336B 7
ntp authentication-key 2 md5 12030128291D251A3E37312C26790E001442185C67 7
ntp authentication-key 3 md5 08246B45383A0C4A4738400A292437333F60193A0E 7
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp trusted-key 3
ntp server ntp1.weberlab.de key 1
ntp server ntp2.weberlab.de key 2
ntp server ntp3.weberlab.de key 3 prefer
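As an added example (my own Python, not the author's configuration and not Cisco's implementation), here is the MD5 authentication that this configuration enables, written out as the client-side check. A server appends a 4-byte key ID plus MD5(key || 48-byte NTP header) to each packet, as described in RFC 5905 Appendix A; the client looks the key ID up in its trusted keys, rejects unknown IDs and packets without a MAC, and compares the digest in constant time. That lookup is why each server needs its own key ID: the ID carried in the packet selects which secret the client tries. The packet builder, the key values and the trusted-key dictionary are constructed for the example; the transmit timestamp is the xmt value from the show output in this post. Extension fields are not handled.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTPv4 header; the optional MAC follows it
KEY_ID_LEN = 4        # 32-bit key identifier
MD5_LEN = 16          # MD5 digest length


def build_client_request(transmit_ts: int) -> bytes:
    """Constructed NTPv4 client header: LI=0, VN=4, Mode=3, stratum 0, poll 6, precision -20.

    Reference, origin and receive timestamps are zero; the transmit timestamp
    is the 64-bit NTP timestamp passed in.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBbb", li_vn_mode, 0, 6, -20)
    header += struct.pack("!II", 0, 0)          # root delay, root dispersion
    header += b"\x00\x00\x00\x00"               # reference ID
    header += struct.pack("!QQQ", 0, 0, 0)      # reference, origin, receive timestamps
    header += struct.pack("!Q", transmit_ts)    # transmit timestamp
    assert len(header) == NTP_HEADER_LEN
    return header


def ntp_md5_mac(key: bytes, header: bytes) -> bytes:
    """MD5 message digest over key || header (RFC 5905 Appendix A style)."""
    return hashlib.md5(key + header).digest()


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MAC, as a server with that key configured sends it."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify(packet: bytes, trusted_keys: dict[int, bytes]) -> tuple[bool, str]:
    """Check an incoming packet the way a client with 'ntp authenticate' must.

    Returns (ok, reason). Only bare headers plus an MD5 MAC are handled.
    """
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    if len(packet) == NTP_HEADER_LEN:
        return False, "no MAC (unauthenticated packet)"
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False, "unexpected MAC length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_id)       # 'ntp trusted-key' equivalent
    if key is None:
        return False, f"key ID {key_id} is not a trusted key"
    if not hmac.compare_digest(digest, ntp_md5_mac(key, header)):
        return False, f"bad MAC for key ID {key_id}"
    return True, f"authenticated with key ID {key_id}"


if __name__ == "__main__":
    # Constructed keys; one per server, as in the configuration above.
    trusted = {1: b"key-for-ntp1", 2: b"key-for-ntp2", 3: b"key-for-ntp3"}
    header = build_client_request(0xE03F6CF2B19EAEF3)   # xmt time from the show output
    packet = authenticate(header, 3, trusted[3])
    print(verify(packet, trusted))                      # (True, 'authenticated with key ID 3')
    print(verify(header, trusted))                      # rejected: no MAC
    print(verify(packet, {1: trusted[1]}))              # rejected: key ID 3 not trusted
```

Note that MD5(key || message) is a plain keyed hash, not HMAC; it is what NTPv4 specifies for symmetric-key authentication and what IOS offers here, and it protects integrity and origin of the header but nothing about the key's confidentiality on the wire or in the configuration.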
Show
Listing the NTP associations without details at least reveals whether NTP is working at all, but not whether authentication succeeded:
router1#show ntp associations

  address                     ref clock   st  when  poll reach   delay  offset   disp
+~2003:DE:2016:336::DCF7:123  .DCFa.      1     13   128   377  17.393  -2.510  2.216
+~2003:DE:2016:330::6B5:123   .PPS.       1     42   128   377   5.097  -1.443  1.446
*~2003:DE:2016:330::DCFB:123  .PZF.       1     50   128   377   4.711  -1.188  1.952
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Therefore you have to use the “detail” keyword. The first line for each NTP server then shows “authenticated”. Perfect:
router1#show ntp associations detail
2003:DE:2016:336::DCF7:123 configured, authenticated, sane, valid, stratum 1
ref ID .DCFa., time E03F6CBA.E15770BE (15:16:26.880 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 2.88, reach 377, sync dist 38.98
delay 17.39 msec, offset -2.5101 msec, dispersion 2.03
precision 2**18, version 4
org time E03F6CF2.B23FF8A0 (15:17:22.696 CET Fri Mar 22 2019)
rec time E03F6CF2.BEA1A19E (15:17:22.744 CET Fri Mar 22 2019)
xmt time E03F6CF2.B19EAEF3 (15:17:22.693 CET Fri Mar 22 2019)
filtdelay =    50.27   74.66   17.39   59.46   54.50   52.68   60.42   83.21
filtoffset =  -23.22  -31.61   -2.51  -22.12  -25.88  -23.87  -25.44  -33.36
filterror =     0.00    0.98    1.92    2.89    3.88    4.87    5.83    6.81
minpoll = 6, maxpoll = 10

2003:DE:2016:330::6B5:123 configured, authenticated, sane, valid, stratum 1
ref ID .PPS., time E03F6CCB.D7EB7358 (15:16:43.843 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 1.14, reach 377, sync dist 7.28
delay 5.09 msec, offset -1.4430 msec, dispersion 1.92
precision 2**18, version 4
org time E03F6CD6.B20B2568 (15:16:54.695 CET Fri Mar 22 2019)
rec time E03F6CD6.B30F6E5B (15:16:54.699 CET Fri Mar 22 2019)
xmt time E03F6CD6.B1763AD6 (15:16:54.693 CET Fri Mar 22 2019)
filtdelay =     5.69    5.09    5.35    5.43    5.51    5.44    5.58    5.66
filtoffset =   -1.12   -1.44   -1.36   -1.30   -1.25   -1.23   -1.28   -1.26
filterror =     0.00    0.99    1.95    2.94    3.93    4.87    5.83    6.82
minpoll = 6, maxpoll = 10

2003:DE:2016:330::DCFB:123 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .PZF., time E03F6CCB.0962FE07 (15:16:43.036 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 0.13, reach 377, sync dist 8.06
delay 4.71 msec, offset -1.1885 msec, dispersion 2.83
precision 2**18, version 4
org time E03F6CCB.B1E0CC1D (15:16:43.694 CET Fri Mar 22 2019)
rec time E03F6CCB.B311916E (15:16:43.699 CET Fri Mar 22 2019)
xmt time E03F6CCB.B1662A13 (15:16:43.692 CET Fri Mar 22 2019)
filtdelay =     5.86    4.71    5.24    5.37    5.85    5.04    4.90   10.58
filtoffset =   -1.71   -1.18   -1.35   -1.36   -0.94   -1.56   -1.59    1.19
filterror =     0.00    0.94    1.92    2.89    3.88    4.86    5.82    6.79
minpoll = 6, maxpoll = 10
Debug
For debug output you can use debug ntp packet or even debug ntp all. However, this does not show whether the packets themselves are authenticated or not. Sample output:
Mar 22 2019 14:23:07.701 UTC: NTP IPv6 message sent to 2003:DE:2016:330::DCFB:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:07.705 UTC: NTP message received from 2003:DE:2016:330::DCFB:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F87A8, next action is 1.
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): receive: packet given to process_packet
Mar 22 2019 14:23:18.701 UTC: NTP IPv6 message sent to 2003:DE:2016:330::6B5:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:18.705 UTC: NTP message received from 2003:DE:2016:330::6B5:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F8A18, next action is 1.
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): receive: packet given to process_packet
Mar 22 2019 14:23:51.702 UTC: NTP IPv6 message sent to 2003:DE:2016:336::DCF7:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:51.738 UTC: NTP message received from 2003:DE:2016:336::DCF7:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:51.738 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:51.742 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F8C88, next action is 1.
Mar 22 2019 14:23:51.742 UTC: NTP Core(DEBUG): receive: packet given to process_packet
That’s it. :D
Featured image “Golden Gate Sunrise” by Bastian Hoppe is licensed under CC BY-NC-ND 2.0.