On a synchronization subnet, timekeeping on other clock servers within the subnet should not be affected by either a faulty time server or a malicious attack. To meet this requirement, NTP provides advanced security mechanisms: access authority, Kiss-o'-Death (KOD) and NTP authentication.
To protect local clocks, devices provide access authority, which is both simple and secure.
NTP access control is implemented based on an access control list (ACL). NTP supports up to five levels of access authority. An ACL rule may be specified for each level of access authority. If an NTP access request matches an ACL rule, a match occurs and the device requesting access is given access authority on that level.
Peer: This indicates that a time request may be made and a control query may be performed on the local clock. The local clock can also be synchronized to a remote server.
Server: This indicates that a time request may be made and a control query may be performed on the local clock. The local clock cannot be synchronized with the clock of a remote server.
Synchronization: This indicates that time requests may be made of the local clock.
Query: This indicates that control queries may be performed on the local clock.
Limited: When the rate of NTP packets exceeds the upper limit, incoming NTP packets are discarded.
The KOD function can perform access control if enabled on the server. This is useful when a server's load-bearing capability is exceeded because it receives a significant number of client access packets within a specified time period. KOD is an access control technology introduced in NTPv4. The server uses it to provide information to the client, including status reports and access control information.
A KOD packet is a unique variety of NTP packet. The packet is termed a KOD packet when the stratum field in an NTP packet is 0. The ASCII message it conveys is called a kiss code and represents access control information. Two types of kiss codes are supported: DENY and RATE.
With the KOD function enabled on a server, the server sends kiss code DENY or RATE to the client based on configuration. These codes perform the following:
After the KOD function is enabled, the corresponding ACL rule needs to be configured. With the ACL rule configured to deny, the server sends the DENY kiss code. When the ACL rule is configured as permit and the number of NTP packets received reaches the configured upper limit, the server sends the RATE kiss code.
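The following is an added example (not code from the original page or from any vendor implementation) that ties together the five access levels above and the KOD behaviour: a server matches the request source against an ordered ACL, serves or rate-limits it according to the matched level, and otherwise answers with a KOD packet (stratum 0, ASCII kiss code in the 4-byte reference identifier field) carrying DENY or RATE; a client-side parser then recovers the kiss code. The ACL rules, networks, packet limit and window are constructed for this example; the 48-byte NTPv4 header layout is the standard one.

```python
import ipaddress
import struct
from collections import defaultdict, deque

# Constructed access control list: ordered (network, action, level) rules.
# Level names follow the five access levels described above; the networks,
# actions and limits are invented for this example.
ACL_RULES = [
    ("192.0.2.0/24",    "permit", "peer"),
    ("198.51.100.0/24", "permit", "server"),
    ("203.0.113.0/24",  "permit", "limited"),
    ("0.0.0.0/0",       "deny",   None),
]
RATE_LIMIT = 3        # packets per window from one source at the 'limited' level
WINDOW_SECONDS = 1.0  # length of the rate-limiting window


def match_acl(src_ip):
    """Return (action, level) of the first ACL rule the source address matches."""
    addr = ipaddress.ip_address(src_ip)
    for network, action, level in ACL_RULES:
        if addr in ipaddress.ip_network(network):
            return action, level
    return "deny", None  # no rule matched: treat as denied


class RateLimiter:
    """Sliding-window packet counter keyed by source address."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)

    def allow(self, key, now):
        history = self.seen[key]
        while history and now - history[0] >= self.window:
            history.popleft()  # forget arrivals outside the window
        if len(history) >= self.limit:
            return False
        history.append(now)
        return True


def build_kod(kiss_code):
    """Build a 48-byte NTPv4 server packet marked as KOD: stratum 0 and the
    ASCII kiss code in the 4-byte reference identifier field."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4   # leap 0, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, 0, 0, 0)  # stratum 0 marks a KOD packet
    root_delay_disp = struct.pack("!II", 0, 0)
    refid = kiss_code.encode("ascii").ljust(4, b"\x00")
    timestamps = b"\x00" * 32  # reference, origin, receive, transmit timestamps
    return header + root_delay_disp + refid + timestamps


def parse_kiss_code(packet):
    """Client side: return the kiss code if this is a KOD packet, else None."""
    if len(packet) < 48 or packet[1] != 0:  # stratum field is byte 1
        return None
    return packet[12:16].rstrip(b"\x00").decode("ascii")


def handle_request(src_ip, now, limiter):
    """Server-side decision for one NTP request from src_ip at time `now`.
    Returns ("serve", level) or ("kod", kiss_code)."""
    action, level = match_acl(src_ip)
    if action == "deny":
        return "kod", "DENY"   # ACL denies: send the DENY kiss code
    if level == "limited" and not limiter.allow(src_ip, now):
        return "kod", "RATE"   # permitted but over the packet limit: send RATE
    return "serve", level


if __name__ == "__main__":
    limiter = RateLimiter(RATE_LIMIT, WINDOW_SECONDS)
    for i in range(5):
        print(handle_request("203.0.113.5", 0.1 * i, limiter))
    print(parse_kiss_code(build_kod("DENY")))
```

A client that receives a KOD packet should stop or back off its polling of that server; the stratum-0 check is what keeps a client from ever treating a KOD reply as a usable time sample.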
NTP authentication is applicable to the networks requiring high security. Different keys may be configured for different operating modes.
When NTP authentication is enabled in a given NTP operating mode, the system records the key ID for that operating mode. Authentication is applied in both the sending process and the receiving process, which are defined as follows:
Sending process
The system determines whether authentication is required in this operating mode. If authentication is not required, the system directly sends a packet. If authentication is required, the system encrypts the packet using both the key ID and an encryption algorithm before sending it.
Receiving process
After receiving a packet in this operating mode, the system determines whether the packet needs to be authenticated. If authentication is not required, the system processes the packet directly. If authentication is required, the system authenticates the packet using the key ID and a decryption algorithm. If authentication fails, the system discards the packet. If authentication succeeds, the system processes the received packet.
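Added example, not from the original page: the sending and receiving processes above, modelled the way NTPv4 symmetric-key authentication is actually carried on the wire, as a key ID followed by a digest of the shared key concatenated with the packet, appended after the 48-byte header (the page calls this step encryption; the digest form is the RFC 5905 mechanism). The key ring, key IDs and secrets are constructed; the example assumes packets without extension fields, so everything after byte 48 is treated as the authenticator.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # NTPv4 header without extension fields (assumption for this example)

# Constructed key ring: key ID -> (digest algorithm, shared secret). The IDs and
# secrets are invented; a real deployment configures them per operating mode.
KEY_RING = {
    1: ("md5",  b"example-secret-one"),
    2: ("sha1", b"example-secret-two"),
}
DIGEST_LEN = {"md5": 16, "sha1": 20}


def ntp_mac(key_id, packet):
    """Authenticator = 4-byte key ID + digest(secret || packet)."""
    algorithm, secret = KEY_RING[key_id]
    digest = hashlib.new(algorithm, secret + packet).digest()
    return struct.pack("!I", key_id) + digest


def send_packet(packet, key_id=None):
    """Sending process: if no key ID is recorded for this mode the packet goes
    out as is; otherwise the authenticator for that key ID is appended."""
    if key_id is None:
        return packet
    return packet + ntp_mac(key_id, packet)


def receive_packet(data, require_auth):
    """Receiving process. Returns (accepted, reason). When authentication is
    required, any packet whose authenticator is missing, refers to an unknown
    key ID, has the wrong length, or fails the digest check is discarded."""
    if len(data) < HEADER_LEN:
        return False, "short packet"
    if not require_auth:
        return True, "unauthenticated"
    body, trailer = data[:HEADER_LEN], data[HEADER_LEN:]
    if len(trailer) < 4:
        return False, "missing MAC"
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in KEY_RING:
        return False, "unknown key ID"
    algorithm, _ = KEY_RING[key_id]
    if len(trailer) != 4 + DIGEST_LEN[algorithm]:
        return False, "bad MAC length"
    # Constant-time comparison so a forged authenticator leaks no timing signal.
    if not hmac.compare_digest(trailer, ntp_mac(key_id, body)):
        return False, "digest mismatch"
    return True, "key %d" % key_id


if __name__ == "__main__":
    # Constructed client packet: leap 0, version 4, mode 3 (client), rest zero.
    request = b"\x23" + b"\x00" * (HEADER_LEN - 1)
    print(receive_packet(send_packet(request, key_id=1), require_auth=True))
    print(receive_packet(request, require_auth=True))
```

The receiving side checks the key ID against the configured key ring before computing anything, which is what makes "different keys for different operating modes" enforceable: a packet authenticated with a key ID the receiver has not recorded for that mode is dropped, not merely re-verified with some other key.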