Configuring NTP Security Mechanisms

This section describes how to ensure the security of NTP sessions through NTP security mechanisms.

NTP supports two security mechanisms: access authority and NTP authentication.

Access authority

Access authority is a type of simple security method provided by the NetEngine 8000 F to protect local NTP services.
NTP authentication

NTP authentication is required in some networks with high security demands.

The configuration of NTP authentication involves configuring NTP authentication on both, the client and the server.

During the configuration of NTP authentication, pay attention to the following rules:
- Configure NTP authentication on both the client and the server. Otherwise, the authentication does not take effect.
- If NTP authentication is enabled, a reliable key needs to be configured at the client side.
- The authentication key configured on the server and that on the client must be consistent.
- In NTP peer mode, the symmetric active end equals the client, and the symmetric passive end equals the server.

Before configuring NTP security mechanisms, complete the following tasks:

Configure the link layer protocol for the interface.
Configure the link layer protocol and routing protocol to make the server and client reachable.
Configure ACL rules if the access authority is configured.

Setting NTP Access Authorities: When receiving an access request packet, the NTP server matches the request packet with the access authority in descending order (from peer, server, synchronization, query to limited). The first matched authority takes effect.

Enabling NTP Authentication: Both the NTP server and the NTP client must be enabled with NTP authentication and configured with the same authentication key, and the authentication key must be declared as reliable on the client side. Otherwise, NTP authentication will fail.

(Optional) Configuring NTP Authentication in Unicast Server/Client Mode: By configuring the authentication key ID used in the synchronization with the specific NTP server on the NTP client, you can apply NTP authentication in client/server mode. Perform the following steps on the NTP unicast client.

(Optional) Configuring NTP Authentication in Peer Mode: By configuring the authentication key ID used in the synchronization with the peer on the local end, you can apply NTP authentication in peer mode. Perform the following steps on the symmetric active end.

(Optional) Configuring NTP Authentication in Broadcast Mode: After NTP authentication is enabled, you can configure the authentication key ID used in synchronization with the NTP broadcast server on the local router to apply NTP authentication in broadcast mode. Perform the following steps on the NTP broadcast server.

(Optional) Configuring NTP Authentication in Multicast Mode: By configuring the authentication key ID used in the synchronization with the NTP multicast server on the local router, you can apply NTP authentication in multicast mode. Perform the following steps on the NTP multicast server.

(Optional) Configuring NTP Authentication in Manycast Mode: By configuring the authentication key ID used in the synchronization with the NTP manycast client on the local router, you can apply NTP authentication in manycast mode.

Verifying the NTP Security Configuration: After configuring NTP security mechanisms, check details about the status of the NTP service and the status of NTP sessions.