NTP white paper

Source: Internet   Editor: 程序博客网   Time: 2024/04/30 23:32

NTP Overview

The Network Time Protocol (NTP) was first described in RFC 958 and has developed into the standard Internet time synchronization protocol. It is extremely efficient and needs no more than about one packet a minute to synchronize systems on a LAN to within 1 millisecond, and systems across WANs to within about 10 milliseconds.

Without proper time synchronization between your routers, you may not only have trouble with correlating log files, but inaccurate time may also affect your ability to perform accounting, fault analysis, network management, and even time-based AAA authentication and authorization. So good time management is a necessary part of keeping your network healthy and secure.

TIP:   While NTP Version 4 is the latest and preferred version of NTP, Cisco routers currently only support through Version 3.

NTP can operate in four different modes--client, server, peer, and broadcast. These modes provide NTP with a great amount of flexibility in how you configure synchronization on your network.

NTP modes differ based on how NTP allows communication between systems. NTP communication consists of time requests and control queries. Time requests provide the standard client/server relationship in which a client requests time synchronization from an NTP server. Control queries provide ways for remote systems to get configuration information and reconfigure NTP servers. Here is a short explanation of the NTP modes:

Client
An NTP client is configured to let its clock be set and synchronized by an external NTP timeserver. NTP clients can be configured to use multiple servers to set their local time and are able to give preference to the most accurate time sources. They will not, however, provide synchronization services to any other devices.

Server
An NTP server is configured to synchronize NTP clients. Servers can be configured to synchronize any client or only specific clients. NTP servers, however, will accept no synchronization information from their clients and therefore will not let clients update or affect the server's time settings.

Peer
With NTP peers, one NTP-enabled device does not have authority over the other. With the peering model, each device shares its time information with the other, and each device can also provide time synchronization to the other.

Broadcast/multicast
Broadcast/multicast mode is a special server mode with which the NTP server broadcasts its synchronization information to all clients. Broadcast mode requires that clients be on the same subnet as the server, and multicast mode requires that clients and servers have multicast access available and configured.

Configuring NTP

The three most common configurations for NTP are the use of a central server, a hierarchical model, or a flat configuration. Each of these configurations has advantages and disadvantages, discussed next.

NTP Accuracy and Reliability

For maximum time reliability, you can set up what is called a stratum one server, an NTP server directly connected to radio receivers or atomic clocks that are extremely accurate. An NTP stratum two server is one that gets its time information from a stratum one server, and so on. You can synchronize your systems on the Internet to several stratum two and three servers. Some of these servers are free, and others offer slightly greater accuracy and reliability at a cost.

NTP experts recommend that for the greatest reliability and accuracy, you need a minimum of three internal NTP servers with each server synchronized with three different external NTP servers. These internal servers are then set up to peer one another in case one of the servers loses contact with its external NTP servers. Internal NTP clients are then configured to synchronize with all three of the internal NTP servers. The recommendations extend further to putting each NTP server in different buildings and providing different paths to the Internet for each server.

For many smaller networks, the cost of such reliability is difficult to justify, and in the absence of other mitigating factors, many smaller networks run NTP successfully with one or two NTP servers synchronized through a single Internet connection.

Central Server

The central server configuration is probably the easiest for small- to medium-sized networks. With this configuration, you set up one or two centralized NTP servers that use the Internet (or other authoritative source) to synchronize their time. All clients on the network are then configured to synchronize their time to those servers. This type of configuration is easy to administer and simplifies authorization and access control. However, because it relies on a few central servers, it doesn't scale as well as the hierarchical model on larger networks.

TIP:   There are several publicly accessible NTP timeservers on the Internet. Do a search on the Internet for public NTP servers or see http://www.eecis.udel.edu/~mills/ntp/servers.htm.

Existing timeserver

If you already have an existing NTP server set up on your network, it is relatively easy to configure your routers to use that server for time synchronization. The command ntp server, followed by the IP address or hostname of the NTP server, is used to configure your router to use an existing NTP server:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp server 129.237.32.2
    Router(config)#^Z

To specify additional timeservers for redundancy, simply repeat the ntp server command with the IP address of each additional server.

TIP:   If your router has an internal clock chip, once you have NTP configured, you can use it to synchronize the time of the internal clock with the ntp update-calendar command.

Synchronized router as a timeserver

Once a router is synchronized with another time source, either as a client or a peer, that router will automatically provide time synchronization for other systems. This allows you to use one or more routers as the primary time synchronization sources for your LAN. To do this:

  1. Pick one, two, or three routers and have them synchronize to separate external time sources.

  2. Configure your internal servers and systems to use these routers for their time synchronization.

    TIP:   Some low-end routers, such as the 1600 and 1700 series, don't support the full NTP protocol. They support only a stripped-down version called SNTP. SNTP is a client-only version of NTP and can be configured with the sntp server command.

Unsynchronized router as a timeserver

If you do not have an existing timeserver, you should synchronize your routers to public NTP servers on the Internet and use them as timeservers for your internal network. In situations in which this is not possible, such as isolated networks, you can configure an unsynchronized router to act as an authoritative NTP source using the ntp master command. Cisco and NTP experts discourage the use of this command if any other NTP time sources are available because it violates NTP's hierarchical trust model. When using this command, you should choose a high stratum number, such as 10, so time associations through the fake master clock are ignored if more trustworthy NTP information is made available.

To enable an unsynchronized Cisco router to act as an authoritative NTP clock at stratum 10, type:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp master 10
    Router(config)#^Z

Again, once a router's clock is synchronized to an NTP source or configured to serve as a master, it will, in turn, act as an NTP server to any system that requests synchronization. It is important to use authentication and access lists to avoid providing time synchronization service to the entire Internet.

Flat

The flat structure configures all routers to peer with one another; each router acts as both a client and a server with every other router. Then two or three routers that are geographically separated are configured to point to external timeservers.

The primary advantage of this model is that it is very stable; each router has the ability to provide synchronizing information to every other router. The disadvantages are lack of scalability, difficulty of administration, and a slow time to convergence. When you configure a full mesh in which every router peers with every other router, all routers have a say in the final time synchronization. Therefore, it takes longer to get all the routers to agree on the exact time. On larger networks, the most serious disadvantages are the lack of scalability and difficulty of administration. Whenever you add a router to the mesh, you must reconfigure every router on that mesh to peer with the new router.

If you have a smaller network and choose to use the flat model, use the ntp peer command to configure each router to peer with all other routers. If your network consists of five routers--RouterOne through RouterFive--to configure an NTP mesh, the commands on RouterOne would be:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp peer RouterTwo
    Router(config)#ntp peer RouterThree
    Router(config)#ntp peer RouterFour
    Router(config)#ntp peer RouterFive
    Router(config)#^Z

To complete the flat NTP mesh, each router must be configured with similar commands, peering it with all other routers on the network. Finally, to synchronize the mesh with external NTP servers, you would pick two or three geographically separated routers and use the ntp server command to synchronize them to the external timeservers.

Hierarchical

For larger networks, the hierarchical model is probably the most scalable and easiest to administer. This model is typically used by ISPs that have multiple stratum one servers that synchronize all internal ISP systems and routers. These routers, in turn, provide time synchronization for customer routers. The customer routers then provide time synchronization to the customer's internal systems. With this tree-like model, both administration effort and time to convergence are minimized.

If the top of your NTP network consisted of RouterOne, RouterTwo, and RouterThree, you would synchronize these routers to external servers. For example, to use the external timeservers 129.237.32.2, 128.249.2.2, and 128.118.25.3, each of the three routers would be configured with:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp server 129.237.32.2
    Router(config)#ntp server 128.249.2.2
    Router(config)#ntp server 128.118.25.3
    Router(config)#^Z

Next, each of these three routers would be configured to peer with the others. This would provide consistent and accurate time, even if a router lost connectivity to the Internet. RouterOne would be configured to peer with RouterTwo and RouterThree with the following commands:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp peer RouterTwo
    Router(config)#ntp peer RouterThree
    Router(config)#^Z

Next, each customer's gateway router would be configured to use the internal ISP routers for NTP synchronization:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp server RouterOne
    Router(config)#ntp server RouterTwo
    Router(config)#ntp server RouterThree
    Router(config)#^Z

Finally, the customer's internal systems and routers would be configured to use the customer's gateway router for time synchronization.

NTP Options

NTP on Cisco routers supports additional options that are useful for tuning synchronization, keeping the router from being overwhelmed by NTP requests, and disabling NTP service on specific interfaces only.

Preferred server

A router can be configured to prefer an NTP source over another. A preferred server's responses are discarded only if they vary dramatically from the other time sources. Otherwise, the preferred server is used for synchronization without consideration of the other time sources. Preferred servers are usually specified when they are known to be extremely accurate. To specify a preferred server, use the prefer keyword appended to the ntp server command. The following example tells the router to prefer TimeServerOne over TimeServerTwo:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#ntp server TimeServerOne prefer
    Router(config)#ntp server TimeServerTwo
    Router(config)#^Z

ntp max-associations

NTP also allows you to define the maximum number of peer and client associations that your router will serve. This helps ensure that your router isn't overwhelmed by huge numbers of NTP synchronization requests. The ntp max-associations command is used to set this limit. For example:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp max-associations 20
    RouterOne(config)#^Z

ntp disable

The ntp disable command can be used on a per-interface basis. When applied to an interface, the command keeps the interface from acting as an NTP server, but still allows it to serve as an NTP client. This is the recommended configuration for external interfaces. If Serial 0/0 is the external interface, you can keep it from acting as an NTP server with:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#interface serial 0/0
    RouterOne(config-if)#ntp disable
    RouterOne(config-if)#^Z

Time Zones

NTP uses Coordinated Universal Time for all time synchronizations so it is not affected by different time zones. To have your router report the time in your local time zone, you need to use the clock timezone and clock summer-time commands. The clock timezone command needs to be followed by the time zone abbreviation and the time zone offset. For example, to set your routers' local time zone to eastern standard time, enter:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#clock timezone EST -05
    Router(config)#^Z

To enable daylight saving time, the clock summer-time command requires the daylight saving time abbreviation of your time zone followed by the keyword recurring. Configuring eastern daylight time would require:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#clock summer-time EDT recurring
    Router(config)#^Z

TIP:  Cisco routers are configured to U.S. time zone standards. If you are in a location with different time standards, you can still use the clock timezone and the clock summer-time commands to customize the time zone and daylight saving time settings. Refer to Cisco documentation for more details.

Viewing Status

To verify that your router is synchronizing correctly, use the show ntp commands. First, the show ntp status command tells you whether you are synchronized, the stratum level of your router, and the IP address of the server to which you are synchronized. For example, show ntp status on a system synchronized to 128.249.2.2 shows:

    Router#show ntp status
    Clock is synchronized, stratum 3, reference is 128.249.2.2
    nominal freq is 250.0000 Hz, actual freq is 249.9961 Hz, precision is 2**16
    reference time is BF454660.7CCA9683 (22:37:36.487 EDT Sat Sep 8 2001)
    clock offset is 4.3323 msec, root delay is 136.28 msec
    root dispersion is 37.69 msec, peer dispersion is 1.14 msec

The first line shows the system to which the router is synchronized and that it is acting as a stratum 3 NTP server.

Next, the show ntp associations command lists all the NTP servers to which the router is configured to synchronize. An example show ntp associations would display:

    Router#show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    *~128.249.2.2      192.5.41.40     2    4    64   377    76.9    5.49     0.4
    -~130.218.100.5    198.72.72.10    3   33   128   377     7.1   13.13     0.6
    +~129.237.32.2     192.43.244.18   2   16    64   377    44.8    3.05     0.9
    +~128.118.25.3     128.118.25.12   2   48    64   377    39.7    5.50     1.4
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured

The asterisk (*) next to the 128.249.2.2 address indicates that the router is synchronized to this server. It is very important that at least one address have an asterisk by it. NTP dictates that a server cannot synchronize another system unless the server itself is synchronized.

WARNING:  After you configure a router as an NTP server, it may take five to ten minutes before it becomes synchronized with its time sources, and until it is synchronized it does not provide time synchronization to other systems. Keep this in mind so you don't troubleshoot a problem that doesn't exist: give a newly configured router a few minutes before expecting it to serve time.
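The check described above, as an added Python example (not from the original text): it parses the show ntp associations table, decodes the octal reach register, and reports whether the router has a '*' source and therefore can serve time. The first sample is the page's own output; the second is constructed to show a router that has lost its sources.

```python
"""Health check for Cisco IOS 'show ntp associations' output (added example)."""
import re

# The page's own example output, embedded as sample input.
SAMPLE_GOOD = """\
Router#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~128.249.2.2      192.5.41.40     2    4    64   377    76.9    5.49     0.4
-~130.218.100.5    198.72.72.10    3   33   128   377     7.1   13.13     0.6
+~129.237.32.2     192.43.244.18   2   16    64   377    44.8    3.05     0.9
+~128.118.25.3     128.118.25.12   2   48    64   377    39.7    5.50     1.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Constructed output (not from the page): one dead source, one flapping source.
SAMPLE_BAD = """\
Router#show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~10.0.0.1          0.0.0.0        16    -    64     0     0.0    0.00  16000.
+~10.0.0.3          10.0.0.9        3   12    64    17    12.3    1.20     2.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

STATUS = {"*": "master (synced)", "#": "master (unsynced)",
          "+": "selected", "-": "candidate", " ": "unselected"}

# One table row: status flag, configured flag ('~'), then the ten columns.
# Prompt, header and legend lines do not match and are skipped.
ROW = re.compile(
    r"^(?P<status>[*#+\- ])(?P<cfg>[~ ])(?P<address>\S+)\s+(?P<refclock>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)


def parse_associations(text):
    """Return one dict per association row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["st"] = int(d["st"])
        d["poll"] = int(d["poll"])
        # 'reach' is an octal shift register of the last eight polls;
        # 377 (binary 11111111) means all eight were answered.
        d["reach_ok"] = bin(int(d["reach"], 8)).count("1")
        d["status"] = STATUS[d["status"]]
        d["configured"] = d.pop("cfg") == "~"
        rows.append(d)
    return rows


def check_health(rows):
    """Return (address of the '*' source or None, list of problems found)."""
    problems = []
    synced = [r["address"] for r in rows if r["status"] == "master (synced)"]
    if not synced:
        # Without a '*' entry the router is not synchronized and serves no one.
        problems.append("no synchronized source: router is not an NTP server")
    for r in rows:
        if r["reach_ok"] < 8:
            problems.append(f"{r['address']}: {r['reach_ok']}/8 recent polls answered")
        if r["st"] >= 16:
            problems.append(f"{r['address']}: stratum 16, source is itself unsynchronized")
    return (synced[0] if synced else None), problems


if __name__ == "__main__":
    for label, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        synced, problems = check_health(parse_associations(text))
        print(label, "synced to", synced, "problems:", problems or "none")
```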

Access Lists

Once a router is synchronized to an NTP time source, it automatically acts as an NTP server for any client that requests synchronization or informational control queries. Many network administrators leave their routers open to NTP requests from the Internet. The problem with this is that Murphy (of Murphy's law) guarantees that the day you say "There is no harm in letting people get time information off the routers, so I won't bother restricting access" is the same day a new security vulnerability in NTP will be discovered. Also, if your routers get listed as public timeservers on the Web, you can get overwhelmed with public time synchronization requests. Finally, with a sophisticated attack, an attacker could use NTP informational queries to discover the timeservers to which your router is synchronized, and then, through an attack such as DNS cache poisoning, redirect your router to a system under the attacker's control. Manipulating the time on your routers this way could make it difficult to identify when incidents truly happened and could also be used to confuse any time-based security measures you have in place.

NTP allows you to configure ACLs to restrict access to the NTP services on the router. These ACLs can be configured to restrict access based on IP and the following four restrictions:

peer
Allows time synchronization requests and control queries and allows the router to synchronize itself to remote systems that pass the ACL.

serve
Allows time synchronization requests and control queries, but does not allow the router to synchronize itself to remote systems that pass the ACL.

serve-only
Allows only time synchronization requests from systems that pass the ACL.

query-only
Allows only NTP control queries from systems that pass the ACL.

The two ACLs generally used to restrict access for security reasons are the peer and serve-only options. For example, suppose you are using the hierarchical model with the core routers RouterOne and RouterTwo providing NTP services for the rest of the routers in your network.

First, configure RouterOne:

  1. To use three external NTP servers with the ntp server command.

  2. To peer with RouterTwo with the ntp peer command.

  3. To peer only with RouterTwo. Assuming RouterTwo's IP is 135.26.2.1, you:

    1. Configure an ACL to restrict access only to RouterTwo.

    2. Configure NTP to use the ACL with the ntp access-group peer command.

  4. To provide time services only to internal systems. For this example, assume your internal network is 135.26.x.x.

    1. Configure an ACL to restrict access to internal systems.

    2. Configure NTP to use the ACL with the ntp access-group serve-only command.

The complete configuration for RouterOne is:

      RouterOne#config terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
      RouterOne(config)#ntp server 128.250.36.2
      RouterOne(config)#ntp server 140.79.17.101
      RouterOne(config)#ntp server 138.194.21.154
      RouterOne(config)#ntp peer RouterTwo
      RouterOne(config)#access-list 20 permit 135.26.2.1 0.0.0.0
      RouterOne(config)#access-list 20 deny any
      RouterOne(config)#ntp access-group peer 20
      RouterOne(config)#access-list 21 permit 135.26.0.0 0.0.255.255
      RouterOne(config)#access-list 21 deny any
      RouterOne(config)#ntp access-group serve-only 21
      RouterOne(config)#^Z

RouterTwo would be configured the same way with references to RouterTwo replaced by RouterOne. For optimal redundancy, you should have RouterTwo configured to use different public NTP servers than RouterOne.
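The two access lists from the RouterOne configuration, evaluated with Cisco's wildcard-mask rules in an added Python example (not the page's or Cisco's code). It shows which NTP access group each source passes; note that, with the lists as typed, RouterOne's own external servers pass neither, so by the definitions given above neither ACL covers them.

```python
"""Evaluate IOS standard ACLs the way the router does (added example).

A standard ACL entry is 'permit|deny <address> <wildcard>'. The wildcard is
an inverse mask: a 0 bit means that bit of the source address must match the
entry's address, a 1 bit means "don't care". Entries are tried in order, the
first match decides, and a source matching no entry is denied.
"""
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_permits(entries, source):
    """entries: list of (action, address, wildcard); address may be 'any'."""
    src = _as_int(source)
    for action, address, wildcard in entries:
        if address == "any":
            matched = True
        else:
            fixed_bits = ~_as_int(wildcard) & 0xFFFFFFFF  # 0 bits in the wildcard
            matched = (src & fixed_bits) == (_as_int(address) & fixed_bits)
        if matched:
            return action == "permit"
    return False  # every IOS ACL ends with an implicit 'deny any'


# access-list 20 and 21 exactly as typed on RouterOne above.
ACL_20_PEER = [("permit", "135.26.2.1", "0.0.0.0"), ("deny", "any", None)]
ACL_21_SERVE_ONLY = [("permit", "135.26.0.0", "0.0.255.255"), ("deny", "any", None)]


def ntp_access(source):
    """Which of RouterOne's two NTP access groups does this source pass?"""
    return {"peer": acl_permits(ACL_20_PEER, source),
            "serve-only": acl_permits(ACL_21_SERVE_ONLY, source)}


if __name__ == "__main__":
    # RouterTwo, an internal client, a neighbouring /16, and one of the
    # external servers configured with 'ntp server' above.
    for host in ("135.26.2.1", "135.26.77.9", "135.27.0.1", "128.250.36.2"):
        print(host, ntp_access(host))
```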

NTP Source Address

On a router with multiple interfaces, the source address of an NTP packet is the address of the interface the packet is sent out on. This complicates things when you are trying to create simple ACLs and use authentication. To make administration easier, use the ntp source command.

For example, if your Fast Ethernet 0/0 interface has the IP address 135.26.100.1 and you want all NTP packets from this router to use this as their source address, type:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp source FastEthernet0/0
    RouterOne(config)#^Z

Now you can configure all of your ACLs to allow or deny access based on the 135.26.100.1 IP address.

TIP:   Many administrators choose to use the loopback interface as the source. The loopback never fails and therefore isn't affected if another interface goes down.

Authentication

For additional security, you can configure your NTP servers and clients to use authentication. Cisco routers support only MD5 authentication for NTP. To enable a router to do NTP authentication:

  1. Enable NTP authentication with the ntp authenticate command.

  2. Define an NTP authentication key with the ntp authentication-key command. A unique number identifies each NTP key. This number is the first argument to the ntp authentication-key command.

  3. Use the ntp trusted-key command to tell the router which keys are valid for authentication. The ntp trusted-key command's only argument is the number of the key defined in the previous step.

To enable authentication on RouterOne and define key number 10 as MySecretKey, type:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 10 md5 MySecretKey
    RouterOne(config)#ntp trusted-key 10
    RouterOne(config)#^Z

WARNING:   Configuring NTP authentication does not require all clients to use NTP authentication; it enables clients to use authentication. Your router will still respond to unauthenticated requests, so be sure to use ACLs to limit NTP access.

If your external NTP servers require authentication, you need to configure your router to use authentication when contacting those servers. To do this, perform the same steps listed previously to add an NTP authentication key; then use the ntp server command with the key argument to tell the router what key to use when authenticating with the NTP server:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 11 md5 MyOtherKey
    RouterOne(config)#ntp trusted-key 11
    RouterOne(config)#ntp server 130.218.59.4 key 11
    RouterOne(config)#^Z

Finally, to authenticate NTP peers, configure the same key on both systems and use the ntp peer command with the key argument to configure authentication:

    RouterOne#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    RouterOne(config)#ntp authenticate
    RouterOne(config)#ntp authentication-key 12 md5 MyPeeringKey
    RouterOne(config)#ntp trusted-key 12
    RouterOne(config)#ntp peer 135.26.100.2 key 12
    RouterOne(config)#^Z
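What the MD5 authentication configured in this section does on the wire, as an added Python example (not the page's or Cisco's code): an authenticated NTP packet is the 48-byte header followed by a 4-byte key ID and the 16-byte MD5 digest of key || header, and a receiver accepts it only if the key ID is in its trusted-key set and the recomputed digest matches. The key values are the page's; the packet fields, timestamps and function names are constructed for illustration.

```python
"""NTP symmetric-key (MD5) authentication, build and verify (added example)."""
import hashlib
import hmac
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN, MAC_LEN = 48, 20   # MAC = 4-byte key ID + 16-byte MD5 digest

# Keys as configured on RouterOne in the examples; only key 10 is a trusted-key.
KEYS = {10: b"MySecretKey", 11: b"MyOtherKey"}
TRUSTED = {10}


def build_header(stratum, transmit_unix=None, version=3, mode=3):
    """Minimal header: LI=0, version, mode, stratum, poll 6, precision -16;
    delay, dispersion, refid and the first three timestamps left zero."""
    li_vn_mode = (version << 3) | mode
    tx = (time.time() if transmit_unix is None else transmit_unix) + NTP_EPOCH_OFFSET
    tx_sec = int(tx)
    tx_frac = int(round((tx - tx_sec) * 2**32)) & 0xFFFFFFFF
    return (struct.pack("!BBbb", li_vn_mode, stratum, 6, -16)
            + bytes(36) + struct.pack("!II", tx_sec, tx_frac))


def parse_header(packet):
    """Decode the fields a receiver looks at first, including the transmit time."""
    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    return {"version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "transmit_unix": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32}


def sign(header, key_id, keys=KEYS):
    """Append key ID and MD5(key || header): the NTP symmetric-key MAC."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys=KEYS, trusted=TRUSTED):
    """True only for a packet carrying a valid MAC under a trusted key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False  # unauthenticated (48 bytes) or malformed
    header, key_id_raw, digest = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    if key_id not in trusted or key_id not in keys:
        return False  # unknown key, or configured but not listed by 'ntp trusted-key'
    expected = hashlib.md5(keys[key_id] + header).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    hdr = build_header(stratum=2, transmit_unix=1000000000.5)
    print("key 10 (trusted):    ", verify(sign(hdr, 10)))
    print("key 11 (not trusted):", verify(sign(hdr, 11)))
    forged = bytearray(sign(hdr, 10))
    forged[1] = 1  # change the stratum after signing
    print("tampered stratum:    ", verify(bytes(forged)))
    print("no MAC at all:       ", verify(hdr))
```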

NTP Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A.

  • Make sure all routers use NTP to synchronize their time.

  • On larger networks requiring more accurate time, use redundant timeservers and synchronize routers to multiple servers to prevent a single point of failure.

  • Use the ntp master command only when external time synchronization is not possible--i.e., in networks not connected to the Internet.

  • Make sure all routers have ACLs preventing them from becoming public time synchronization servers. These ACLs should restrict both the servers the router synchronizes to and the systems the router will synchronize.

  • Use NTP authentication between clients, servers, and peers to ensure that time is synchronized to approved servers only.
 