This is how you can use NTP authentication on Cisco IOS in order to authenticate your external NTP servers, or more precisely the NTP packets they send. IOS only supports MD5 here, not SHA-1, but you still get an authenticated NTP association: every packet carries a keyed MD5 digest, so a host that does not hold the shared key can neither spoof replies nor alter them in transit. Keep in mind what this does not give you: the key is symmetric and shared between client and server, and there is no confidentiality, only integrity and origin authentication. Let’s have a look:
I am using a Cisco 2811 (revision 3.0) with IOS version 15.1(4)M12a.
Note that MD5 NTP keys are ASCII strings. When you enter the command, IOS stores the key in the running config as a “7” encryption type. Type 7 is a reversible obfuscation, not real encryption, so anyone who can read the running config or one of its backups can recover the key. For example, this input:
ntp authentication-key 1 md5 RJdVO~L*\@D*;M0]tH%9
actually becomes:
ntp authentication-key 1 md5 113B3301213D15204E160B00626818722E133E4658 7
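To show how little the “7” protects, here is an added example (not part of the original post): a small Python decoder for type 7 strings, using the well-known constant XOR table that IOS applies. The only input is the post’s own config line above; the function and file names are mine.

```python
"""Decode a Cisco IOS "type 7" string back to the plaintext NTP key.

Added example, not part of the original post. Type 7 is a fixed-table XOR
obfuscation, not encryption: the whole "secret" is the 53-byte constant
below (public knowledge for decades), so anyone who can read the running
config recovers the NTP key. The sample input is the post's own
"ntp authentication-key 1" line.
"""

# Constant XOR stream used by IOS for type 7 strings (well known, not secret).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Return the plaintext of a type 7 string: 2-digit seed + hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string must be an even number of chars, >= 4")
    seed = int(encoded[:2], 10)          # first two chars: offset into _XLAT
    cipher = bytes.fromhex(encoded[2:])  # remaining chars: hex-encoded bytes
    plain = bytes(
        c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(cipher)
    )
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 11) -> str:
    """Inverse of decode_type7, to show the transform is symmetric."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed out of range")
    cipher = bytes(
        ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain)
    )
    return f"{seed:02d}" + cipher.hex().upper()


def key_from_config_line(line: str):
    """Parse 'ntp authentication-key <id> md5 <value> [7]' and return (id, key).

    A trailing '7' marks a type 7 value and is decoded; without it the value
    is taken as the plaintext key exactly as typed on the CLI.
    """
    parts = line.split()
    if len(parts) < 5 or parts[0] != "ntp" or parts[1] != "authentication-key" \
            or parts[3] != "md5":
        raise ValueError("not an 'ntp authentication-key ... md5' line")
    key_id = int(parts[2])
    secret = parts[4]
    if parts[5:6] == ["7"]:
        secret = decode_type7(secret)
    return key_id, secret


if __name__ == "__main__":
    # Constructed from the post's running config.
    line = "ntp authentication-key 1 md5 113B3301213D15204E160B00626818722E133E4658 7"
    kid, key = key_from_config_line(line)
    print(f"key {kid}: {key}")
```

Running it on the line above yields the original ASCII key, which is why the running config, every config backup and TACACS+ command accounting must be treated as containing the NTP key in clear text; restrict who can read them and rotate the key if a copy leaks.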
Furthermore, one of my NTP keys generated by ntp-keygen was this: z?_[vI~t|udu,Lss4{=Q. Do you see the problem? I wasn’t able to use this key because of the question mark, which the IOS CLI treats as a request for context-sensitive help rather than as a character of the key. Hence I needed to change it to another one. Hmpf. (The escape for a literal “?” on IOS is to press Ctrl+V right before it.)
Config
Since I am operating three different stratum 1 NTP servers with different keys (Pi w/ DCF77, Pi w/ GPS, Meinberg LANTIME M200), I have to use three different key IDs. The key ID is carried in every authenticated packet and selects the key on both sides, so two different keys cannot share one ID; otherwise the NTP client couldn’t distinguish between them.
That is:
- three authentication keys
- enabling NTP authentication
- trusting all three keys
- adding the three servers with the appropriate key IDs
ntp authentication-key 1 md5 04083B52357268181758574431132D3B140373336B 7
ntp authentication-key 2 md5 12030128291D251A3E37312C26790E001442185C67 7
ntp authentication-key 3 md5 08246B45383A0C4A4738400A292437333F60193A0E 7
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp trusted-key 3
ntp server ntp1.weberlab.de key 1
ntp server ntp2.weberlab.de key 2
ntp server ntp3.weberlab.de key 3 prefer
Show
Listing the NTP associations without the detail keyword at least reveals whether NTP is working at all, but it does not tell you whether authentication succeeded:
router1#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
+~2003:DE:2016:336::DCF7:123  .DCFa.  1    13    128   377  17.393  -2.510  2.216
+~2003:DE:2016:330::6B5:123   .PPS.   1    42    128   377   5.097  -1.443  1.446
*~2003:DE:2016:330::DCFB:123  .PZF.   1    50    128   377   4.711  -1.188  1.952
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
Therefore you have to use the “detail” keyword. The first line of each association then lists “authenticated” among its flags. Perfect:
router1#show ntp associations detail
2003:DE:2016:336::DCF7:123 configured, authenticated, sane, valid, stratum 1
ref ID .DCFa., time E03F6CBA.E15770BE (15:16:26.880 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 2.88, reach 377, sync dist 38.98
delay 17.39 msec, offset -2.5101 msec, dispersion 2.03
precision 2**18, version 4
org time E03F6CF2.B23FF8A0 (15:17:22.696 CET Fri Mar 22 2019)
rec time E03F6CF2.BEA1A19E (15:17:22.744 CET Fri Mar 22 2019)
xmt time E03F6CF2.B19EAEF3 (15:17:22.693 CET Fri Mar 22 2019)
filtdelay =    50.27   74.66   17.39   59.46   54.50   52.68   60.42   83.21
filtoffset =  -23.22  -31.61   -2.51  -22.12  -25.88  -23.87  -25.44  -33.36
filterror =     0.00    0.98    1.92    2.89    3.88    4.87    5.83    6.81
minpoll = 6, maxpoll = 10
2003:DE:2016:330::6B5:123 configured, authenticated, sane, valid, stratum 1
ref ID .PPS., time E03F6CCB.D7EB7358 (15:16:43.843 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 1.14, reach 377, sync dist 7.28
delay 5.09 msec, offset -1.4430 msec, dispersion 1.92
precision 2**18, version 4
org time E03F6CD6.B20B2568 (15:16:54.695 CET Fri Mar 22 2019)
rec time E03F6CD6.B30F6E5B (15:16:54.699 CET Fri Mar 22 2019)
xmt time E03F6CD6.B1763AD6 (15:16:54.693 CET Fri Mar 22 2019)
filtdelay =     5.69    5.09    5.35    5.43    5.51    5.44    5.58    5.66
filtoffset =   -1.12   -1.44   -1.36   -1.30   -1.25   -1.23   -1.28   -1.26
filterror =     0.00    0.99    1.95    2.94    3.93    4.87    5.83    6.82
minpoll = 6, maxpoll = 10
2003:DE:2016:330::DCFB:123 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .PZF., time E03F6CCB.0962FE07 (15:16:43.036 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 0.00 msec, root disp 0.13, reach 377, sync dist 8.06
delay 4.71 msec, offset -1.1885 msec, dispersion 2.83
precision 2**18, version 4
org time E03F6CCB.B1E0CC1D (15:16:43.694 CET Fri Mar 22 2019)
rec time E03F6CCB.B311916E (15:16:43.699 CET Fri Mar 22 2019)
xmt time E03F6CCB.B1662A13 (15:16:43.692 CET Fri Mar 22 2019)
filtdelay =     5.86    4.71    5.24    5.37    5.85    5.04    4.90   10.58
filtoffset =   -1.71   -1.18   -1.35   -1.36   -0.94   -1.56   -1.59    1.19
filterror =     0.00    0.94    1.92    2.89    3.88    4.86    5.82    6.79
minpoll = 6, maxpoll = 10
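Reading these flags by eye works for three servers; across a fleet you want a script. The following is an added example (not from the original post): it parses the first line of each association block from show ntp associations detail and flags every configured peer that is not “authenticated” or that is insane/invalid/unsynced. The sample text is constructed from the outputs shown on this page, shortened to the lines the parser needs.

```python
"""Audit 'show ntp associations detail' output for unauthenticated or
unusable peers.

Added example, not part of the original post. It parses the flag line that
opens each association block (address, comma-separated flags, "stratum N")
and reports peers that lack the 'authenticated' flag or carry the
insane/invalid/unsynced flags. SAMPLE_OUTPUT is constructed from the
outputs shown on this page, abbreviated to the relevant lines.
"""
import re

# Flag line: "<addr> configured, authenticated, sane, valid, stratum 1".
# Detail lines (ref ID, org time, filtdelay, ...) do not match this shape.
_FLAGS_RE = re.compile(
    r"^(?P<addr>\S+)\s+(?P<flags>(?:[a-z_0-9]+,\s*)+)stratum\s+(?P<stratum>\d+)\s*$"
)

BAD_FLAGS = {"insane", "invalid", "unsynced"}

SAMPLE_OUTPUT = """\
router1#show ntp associations detail
2003:DE:2016:336::DCF7:123 configured, authenticated, sane, valid, stratum 1
ref ID .DCFa., time E03F6CBA.E15770BE (15:16:26.880 CET Fri Mar 22 2019)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
minpoll = 6, maxpoll = 10
2003:DE:2016:330::DCFB:123 configured, authenticated, our_master, sane, valid, stratum 1
ref ID .PZF., time E03F6CCB.0962FE07 (15:16:43.036 CET Fri Mar 22 2019)
minpoll = 6, maxpoll = 10
194.25.134.196 configured, ipv4, authenticated, insane, invalid, unsynced, stratum 16
ref ID .STEP., time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
assoc id 14055, assoc name de.pool.ntp.org
"""


def parse_associations(output: str) -> dict:
    """Map each peer address to {'flags': set of str, 'stratum': int}."""
    peers = {}
    for line in output.splitlines():
        m = _FLAGS_RE.match(line.strip())
        if not m:
            continue
        flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
        peers[m.group("addr")] = {"flags": flags, "stratum": int(m.group("stratum"))}
    return peers


def audit(peers: dict, require_auth: bool = True) -> list:
    """Return (addr, problem) tuples; an empty list means every peer passes."""
    problems = []
    for addr, info in peers.items():
        flags = info["flags"]
        if require_auth and "authenticated" not in flags:
            problems.append((addr, "not authenticated"))
        for bad in sorted(flags & BAD_FLAGS):
            problems.append((addr, bad))
        if info["stratum"] >= 16:
            problems.append((addr, "stratum 16 (no time source)"))
    return problems


if __name__ == "__main__":
    for addr, problem in audit(parse_associations(SAMPLE_OUTPUT)):
        print(f"{addr}: {problem}")
```

Feed it the output of the show command collected from each device (for instance via a Netmiko or Ansible job); an empty audit list is the condition to alert on when it stops being empty.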
Debug
For debug output you can use debug ntp packet or even debug ntp all. However, this does not show whether the packets themselves are authenticated; the “authenticated” flag in show ntp associations detail remains the place to check that. Sample output:
Mar 22 2019 14:23:07.701 UTC: NTP IPv6 message sent to 2003:DE:2016:330::DCFB:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:07.705 UTC: NTP message received from 2003:DE:2016:330::DCFB:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F87A8, next action is 1.
Mar 22 2019 14:23:07.705 UTC: NTP Core(DEBUG): receive: packet given to process_packet
Mar 22 2019 14:23:18.701 UTC: NTP IPv6 message sent to 2003:DE:2016:330::6B5:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:18.705 UTC: NTP message received from 2003:DE:2016:330::6B5:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F8A18, next action is 1.
Mar 22 2019 14:23:18.705 UTC: NTP Core(DEBUG): receive: packet given to process_packet
Mar 22 2019 14:23:51.702 UTC: NTP IPv6 message sent to 2003:DE:2016:336::DCF7:123, from 2001:470:1F0A:101A::2, table = 0, interface Tunnel0.
Mar 22 2019 14:23:51.738 UTC: NTP message received from 2003:DE:2016:336::DCF7:123 on interface 'Tunnel0', (2001:470:1F0A:101A::2), table 0.
Mar 22 2019 14:23:51.738 UTC: NTP Core(DEBUG): ntp_receive: message received
Mar 22 2019 14:23:51.742 UTC: NTP Core(DEBUG): ntp_receive: peer is 0x483F8C88, next action is 1.
Mar 22 2019 14:23:51.742 UTC: NTP Core(DEBUG): receive: packet given to process_packet
That’s it. :D
Featured image “Golden Gate Sunrise” by Bastian Hoppe is licensed under CC BY-NC-ND 2.0.
Hi Johannes,
I have not read all posts of the series, even so I wonder, can I authenticate my stratum 1 NTP with a stratum 0 NTP?
Best
Hi Gerardo,
a “stratum 0” is not an NTP server, but a “high-precision timekeeping devices such as atomic clocks, GPS or other radio clocks”, https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata
Hence no “NTP authentication” here, since it’s not NTP running but receiving radio waves, for example.
As far as I know you can’t authenticate these GPS/Galileo/DCF77/whatever sources via some kind of cryptographic stuff. This is why you should use three different stratum 0 sources, to minimize the attack vector, refer to: https://weberblog.net/why-should-i-run-own-ntp-servers/
Cheers
Johannes
Dear Johannes,
I am running an EMC Professional 3001 NTP server for my network.
https://www.gude.info/funkuhrsysteme/zeitserver/emc-professional-3001.html
Unfortunately i am unable to find the following information:
– Does it support authentication?
– Does it use the amplitude or phase-modulated variant of the DCF77 signal?
Are you familiar with this device?
Hi Arnout,
sorry, but I am not familiar with these devices. I just had a quick look at the manual of this EMC Professional 3001 NTP server, but none of your questions are answered there either. Hm.
Please send your questions directly to the Support team from EMC. Thanks.
Cheers
Johannes
Question marks can be entered into passwords/etc in IOS by preceding with Control+V.
Is the key # relevant for authentication? Assuming I’m configuring a switch to get time from a router, can I designate my authentication key as key #1 on the switch and Key #2 on the router and have the config work?
Thanks!
No, you MUST use the same key number along with the same key value on all involved devices. The key # is transferred in the NTP network protocol (along with the MAC) to match the corresponding key. Otherwise, the server would not know which symmetric key to use for the MAC. (The MAC in this case is the message authentication code, kind of a verification code.)
Refer to my packet capture of NTP packets: https://weberblog.net/packet-capture-network-time-protocol-ntp/
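To make the key ID and MAC relationship concrete, here is an added example (not from the post or the comment above): a client-side signer and a receiver-side verifier for the symmetric MD5 MAC that IOS and ntpd exchange, following RFC 5905 (keyid || MD5(key || message)). It assumes MD5 keys only, i.e. the 20-byte MAC, and the key values and the receiver’s key table are constructed sample data; the second call in the main block reproduces exactly the “key 1 on one box, key 2 on the other” mismatch from the question.

```python
"""Symmetric-key NTP authentication (RFC 5905 MD5 MAC): client signer and
receiver verifier.

Added example, not part of the original post or comments. It shows why the
key ID must match on both devices: the ID is sent in the clear right after
the header and selects which key the receiver uses, and the digest is
MD5(key || everything before the MAC). Assumes MD5 keys only (20-byte MAC,
as ntpd and IOS use); keys and the key table below are constructed values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                 # key ID + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01


def build_client_header(unix_time: float) -> bytes:
    """Minimal NTPv4 client (mode 3) header with only the transmit timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 (client)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32)) & 0xFFFFFFFF
    # stratum=0, poll=6, precision=-20; then root delay, root dispersion,
    # reference ID and reference/origin/receive timestamps, all zero (36 bytes).
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20) + bytes(36)
    return head + struct.pack("!II", secs, frac)


def ntp_md5_mac(key: bytes, msg: bytes) -> bytes:
    """Keyed digest as in RFC 5905 Appendix A: MD5 over the key bytes, then the message."""
    return hashlib.md5(key + msg).digest()


def sign_packet(msg: bytes, key_id: int, key: bytes) -> bytes:
    """Append keyid || digest, which is what 'ntp server ... key <id>' makes IOS send."""
    if len(msg) < NTP_HEADER_LEN or len(msg) % 4:
        raise ValueError("message must be a 48-byte header plus optional extension fields")
    return msg + struct.pack("!I", key_id) + ntp_md5_mac(key, msg)


def key_id_on_wire(packet: bytes) -> int:
    """The key ID is the first 4 bytes of the MAC and travels unencrypted."""
    return struct.unpack("!I", packet[-MAC_LEN:-16])[0]


def verify_packet(packet: bytes, key_table: dict, trusted_keys: set) -> str:
    """Receiver-side check. Returns 'ok' or a short reason for rejection."""
    if len(packet) < NTP_HEADER_LEN + MAC_LEN:
        return "no MAC present"
    msg, digest = packet[:-MAC_LEN], packet[-16:]
    key_id = key_id_on_wire(packet)
    key = key_table.get(key_id)
    if key is None or key_id not in trusted_keys:   # 'ntp trusted-key' on IOS
        return f"key id {key_id} unknown or not trusted"
    if hmac.compare_digest(digest, ntp_md5_mac(key, msg)):
        return "ok"
    return f"bad digest for key id {key_id}"


if __name__ == "__main__":
    import time
    # Constructed sample: the "router" knows two keys; the "switch" has the
    # value of key 1 but labels it key 2, so the router checks with key 2.
    server_keys = {1: b"key-one", 2: b"key-two"}
    hdr = build_client_header(time.time())
    print(verify_packet(sign_packet(hdr, 1, b"key-one"), server_keys, {1, 2}))
    print(verify_packet(sign_packet(hdr, 2, b"key-one"), server_keys, {1, 2}))
```

The mismatched case fails with “bad digest for key id 2”, not with an unknown-key error: the receiver happily finds a key 2, it is just a different secret, which is why the key number and the key value both have to agree on every device involved.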
Hello Johannes,
I am running into some problems trying to authenticate NTP servers on my Cisco ISR920:
ntp authentication-key 1 md5 000F1F090F0A 7
ntp authentication-key 2 md5 1102150A1C40 7
ntp authenticate
ntp trusted-key 1 - 2
ntp master
ntp update-calendar
ntp server 0.be.pool.ntp.org key 1
ntp server 1.be.pool.ntp.org key 2
When I configure these last 2 ntp servers (which function fine unauthenticated) I suddenly get the error: Mar 12 11:48:39: NTP Core (ERROR): Invalid-NAK error at 1212118 84.196.74.66<-185.153.41.4
So I have found two ntp servers which do not generate this error, namely:
ntp server europe.pool.ntp.org key 2
ntp server de.pool.ntp.org key 1
But this is no real solution as they remain 'insane':
194.25.134.196 configured, ipv4, authenticated, insane, invalid, unsynced, stratum 16
ref ID .STEP., time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 512, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15939.58
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50, jitter 0.00 msec
precision 2**17, version 4
assoc id 14055, assoc name de.pool.ntp.org
assoc in packets 0, assoc out packets 24, assoc error packets 0
org time E5D71616.66CE1170 (13:52:38.401 CET Sat Mar 12 2022)
rec time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
xmt time 00000000.00000000 (01:00:00.000 CET Mon Jan 1 1900)
filtdelay = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = 0.00 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0
minpoll = 6, maxpoll = 10
Do you have a hint for what I could do? I need to move to NTP authentication as I want to activate the Autosecure and this requires NTP authentication.
Kind regards,
Steven
Hey Steven.
I’m sorry, but I don’t have an idea right now. Are you sure that the NTP keys are correct? Have you tested them with some other NTP clients?
What does Cisco support say about this?
Cheers,
Johannes