When planning your network, it is helpful to use the following general rules:
• It is usually not a good idea to synchronize a local time server with a peer (in other words,
  a server at the same stratum), unless the latter is receiving time updates from a source that
  has a lower stratum than the source from which the former is receiving time updates. This
  minimizes common points of failure.
• Peer associations should only be configured between servers at the same stratum level.
  Higher strata should configure lower strata, not the reverse.
• It is inadvisable to configure time servers in a domain to a single time source. Doing so
  invites common points of failure.

NTP and Authentication

NTP is designed to use either DES or MD5 encryption authentication to prevent outside
influence upon NTP timestamp information. This is done by using a key file. The key file is
loaded into the switch memory, and consists of a text file that lists key identifiers that
correspond to particular NTP entities.
If authentication is enabled on an NTP switch, any NTP message sent to the switch must
contain the correct key ID in the message packet to use in decryption. Likewise, any message
sent from the authentication-enabled switch will not be readable unless the receiving NTP
entity possesses the correct key ID.
Key files are created by a system administrator independent of the NTP protocol, and then
placed in the switch memory. An example of a key file is shown below:
1 N 29233e0461ecd6ae # des key in NTP format
2 M RIrop8KPPvQvYotM # md5 key as an ASCII random string
14 M sundial # md5 key as an ASCII string
15 A sundial # des key as an ASCII string
In a key file, the first token is the key number ID, the second is the key format, and the third
is the key itself. (The text following a “#” is not counted as part of the key, and is used
merely for description.) There are 4 key formats:
N    Indicates a DES key written as a hex number, in NTP standard
     format with the high order bit of each octet being the odd
     parity bit.
M    Indicates an MD5 key written as a 1 to 31 character ASCII string
     with each character standing for a key octet.
A    Indicates a DES key written as a 1 to 8 character string in 7-bit
     ASCII format, where each character stands for a key octet string.
S    Indicates a DES key written as a hex number in the DES standard
     format, with the low order bit of each octet being the odd
     parity bit.
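The following added example (not part of the original manual or the switch software) checks a key file against the four format rules above before it is loaded, and converts an N-format key to S format. The function names are hypothetical; the 8-octet DES key length, the rejection of duplicate key IDs, and the unchanged order of the seven key bits during conversion are assumptions.

```python
import string

FORMATS = {"N", "M", "A", "S"}  # the four key formats listed above

def _odd_parity(octet):
    return bin(octet).count("1") % 2 == 1

def _check_des_hex(key):
    # Assumption: a DES key is 8 octets, written as 16 hex digits.
    if len(key) != 16 or any(c not in string.hexdigits for c in key):
        raise ValueError("DES hex key must be 16 hex digits (8 octets)")
    if not all(_odd_parity(b) for b in bytes.fromhex(key)):
        raise ValueError("DES hex key has an octet without odd parity")

def parse_key_file(text):
    """Return {key_id: (fmt, key)}; raise ValueError on the first bad line."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].split()  # text after '#' is description only
        if not body:
            continue
        try:
            if len(body) != 3:
                raise ValueError("expected: <key ID> <format> <key>")
            key_id, fmt, key = int(body[0]), body[1], body[2]
            if fmt not in FORMATS:
                raise ValueError(f"unknown key format {fmt!r}")
            if key_id in keys:  # assumption: key IDs must be unique
                raise ValueError(f"duplicate key ID {key_id}")
            if fmt in ("N", "S"):
                _check_des_hex(key)
            else:
                limit = 31 if fmt == "M" else 8
                if not (1 <= len(key) <= limit and key.isascii()):
                    raise ValueError(f"format {fmt} key must be 1 to {limit} ASCII characters")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        keys[key_id] = (fmt, key)
    return keys

def ntp_to_des_standard(key):
    """Move each octet's parity bit from the high-order to the low-order bit."""
    _check_des_hex(key)
    return bytes(((b << 1) & 0xFF) | (b >> 7) for b in bytes.fromhex(key)).hex()

# The sample key file from this page.
SAMPLE = """\
1 N 29233e0461ecd6ae # des key in NTP format
2 M RIrop8KPPvQvYotM # md5 key as an ASCII random string
14 M sundial # md5 key as an ASCII string
15 A sundial # des key as an ASCII string
"""
```

Because the parity check only counts the set bits in each octet, it is the same test for N and S keys; the two formats differ only in which bit position holds the parity bit.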
For information on activating authentication, specifying the location of a key file, and
configuring key IDs for switches, see the following sections:
• Configuring an NTP Client on page 12-6
• Configuring a New Peer Association on page 12-12
• Configuring a New Server on page 12-13
• Configuring a Broadcast Time Service on page 12-13