Appendix B: MD5 Authentication and NTP Broadcast Mode

B.3 NTP Broadcast Mode without Authentication

Authentication was off by default in NTP version 3, but is on by default in version 4. This means that NTP version 4 must use authentication, such as MD5, for broadcast time to work. To use broadcast time without authentication, you must explicitly turn authentication off in the “ntp.conf” file of the NTP time client.

The method outlined below should only be used when the LAN that the two NTP hosts are on is a secure network. Otherwise, it is all too easy for an NTP time imposter to broadcast the incorrect time to the NTP time client.

B.3.1 Configuration of NTP on the Timeserver

For the NTP timeserver, authentication may be on or off - it does not matter. As an example, here is a sample “ntp.conf” file.

server 192.168.1.49
server 206.54.0.20
server 206.54.0.21
broadcast 192.168.1.255

This file is stored on the Symmetricom timeserver in its Flash disk drive in the “/etc” directory.

The critical line is: broadcast 192.168.1.255.

This line turns on the periodic broadcast of NTP time packets to the local LAN. The first three octets of this IP address (192.168.1) are the network address.

The LAN portion of the address, the last octet in this case, is set to all ones. You may use all zeros for most LANs as the LAN address, instead of all ones. This address allows NTP time packets to be received by all hosts on the local LAN including the NTP time client. Ask your system administrator what your LAN broadcast address is for your particular network and substitute it for the address in this example.
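The following check is an added example, not part of the Symmetricom manual: it audits the text of an “ntp.conf” file for broadcast use without authentication, so that the exposure described in this section is a deliberate choice rather than an oversight. The directives "disable auth" and "broadcastclient" and the "key" option are stock ntpd syntax not shown on this page; the function name audit_ntp_conf, its lan parameter, and the client sample are assumptions made for illustration.

```python
import ipaddress

# Constructed samples: the timeserver file from this section, and a client
# file that disables authentication ("disable auth" is the stock ntpd
# directive; the manual's own client file is not shown on this page).
SERVER_CONF = "server 192.168.1.49\nserver 206.54.0.20\nserver 206.54.0.21\nbroadcast 192.168.1.255\n"
CLIENT_CONF = "disable auth\nbroadcastclient\n"

def audit_ntp_conf(text, lan=None):
    """Return a list of findings about unauthenticated NTP broadcast use.

    text: contents of an ntp.conf file.
    lan:  optional CIDR of the local subnet (assumed input), used to check
          that each broadcast target is that subnet's broadcast address.
    """
    findings = []
    auth_off = bclient = False
    net = ipaddress.ip_network(lan, strict=False) if lan else None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tok:
            continue
        cmd, args = tok[0].lower(), [a.lower() for a in tok[1:]]
        if cmd == "disable" and "auth" in args:
            auth_off = True
        elif cmd == "broadcastclient":
            bclient = True
        elif cmd == "broadcast" and args:
            target = args[0]
            if "key" not in args[1:]:
                findings.append(f"broadcast {target}: packets sent without a key")
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                continue                     # hostname target, skip address check
            # All ones is the usual form; the manual also allows all zeros.
            if net and addr not in (net.broadcast_address, net.network_address):
                findings.append(f"broadcast {target}: not a broadcast address of {net}")
    if bclient and auth_off:
        findings.append("broadcastclient with auth disabled: any LAN host can set the time")
    return findings

if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for f in audit_ntp_conf(conf, "192.168.1.0/24"):
            print(f"{name}: {f}")
```

An empty result means every broadcast line carries a key and no broadcast client has authentication turned off.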

TimeVault™ User’s Manual

6000-100AppB.fm Rev. D
