Configuration Guide Contivity Secure IP Services Gateway

Transcription

1 Contents Contents... 1 Overview... 1 NTP feature on Contivity... 5 Configuring NTP... 6 Configuration via GUI... 6 Configuration via CLI Event Log messages Checking the status of NTP Checking the status via GUI Checking the status via CLI Sample configuration Setup Configuring NTPS Configuring CES Testing the configuration Sample using authentication Configuring NTPS Configuring CES Testing the configuration Sample multicast NTP Configuring NTPS Configuring CES Testing the configuration Appendix. Sample NTP traces Initial packet to NTP server Server response NTP packet with authentication Broadcast/Multicast NTP packet Overview Network Time Protocol (NTP) is used to synchronize clocks of various devices across networks using a set of distributed clients and servers. NTP is evolved from the Time Protocol and the ICMP Timestamp message, and is specifically designed to maintain accuracy and robustness, even when used over typical Internet paths involving multiple gateways, highly dispersive delays and unreliable networks. CG March 2004 Page: 1 of 47

2 The intent of the service for which this protocol is designed is to connect a few primary reference clocks, synchronized by wire or radio to national standards, to centrally accessible resources such as gateways. These gateways would use NTP between them to cross-check the primary clocks and mitigate errors due to equipment or propagation failures. Some number of local-net hosts, serving as secondary reference clocks, would run NTP with one or more of these gateways. In order to reduce the protocol overhead, these hosts would redistribute time to the remaining local-net hosts (Figure 1). Primary NTP Server Primary NTP Server Secondary NTP Server Figure 1 In the normal configuration a subnetwork of primary and secondary clocks will assume a hierarchical organization with the more accurate clocks near the top and the less accurate below. NTP operates in a client/server mode. In the most common (asymmetrical) mode a client sends an NTP message to one or more servers and processes the replies as they are received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks. Using this information each peer is able to select the best time from possibly several other clocks, update the local clock and estimate its accuracy. CG March 2004 Page: 2 of 47

3 The format of NTP packet (version 4) is depicted in Figure 2 with the explanation of each field followed: LI VN Mode Stratum Poll Precision Root Delay Root Dispersion Reference Identifier Reference Timestamp (64 bits) Originate Timestamp (64 bits) Receive Timestamp (64 bits) Transmit Timestamp (64 bits) Key Identifier (optional) (32 bits) Message Digest (optional) (128 bits) Figure 2 LI Leap Indicator two bit code warning of impending leap-second to be inserted at the end of the last day of the current month. Bits are coded as follows: 00 no warning second (following minute has 61 seconds) 10-1 second (following minute has 59 seconds) 11 reserved for future use VN Version Number, 3 bit integer indicating the NTP version. Mode 3 bit integer indicating the mode of operation with the values as follows: 0 reserved 1 symmetric active 2 symmetric passive 3 client 4 server 5 broadcast 6 reserved for NTP control message 7 reserved for private use In unicast client sets the mode to 3, server to 4. In multicast/broadcast the mode is set to 5 (broadcast). CG March 2004 Page: 3 of 47

4 Stratum 8 bit integer indicating the stratum level of the clock, with values defined as follows: 0 unspecified or unavailable 1 primary reference (for example, radio clock) 2-15 secondary reference reserved Poll poll interval, indicates the maximum interval between the successive messages in seconds to the nearest power of two. Precision 16 bit signed integer in the range +32 to -32 indicating the precision of the local clock, in seconds to the nearest power of two. Root Delay 32 bit fixed-point number indicating a total roundtrip delay to the primary reference source, in seconds. The variable could take both negative and positive values. Root Description 32 bit fixed-point number indicating the nominal error relative to the primary reference source in seconds. Reference Identifier 32 bit code identifying the particular reference clock. In the case of type 1 (primary reference), this is a string identifying the clock, for example: WWVB WWVB radio clock (60 KHz) GOES GOES satellite clock (468 MHz) WWV WWV radio clock (2.5/5/10/15/20 MHz) (and others as necessary) In the case of type 2 (secondary reference) this is the 32-bit Internet address of the reference host. In other cases this field is reserved for future use and should be set to zero. Reference Timestamp 64 bit local timestamp at which the local clock was last set or corrected. Originate Timestamp 64 bit local time at which the request departed the client host for the service host. Receive Timestamp 64 bit local time at which the request arrived at the service host. Transmit Timestamp 64 bit local time at which the reply departed the service host for the client host. Key Identifier and Message Digest optional fields; if NTP authentication is implemented, fields contain the message authentication code (MAC). CG March 2004 Page: 4 of 47

5 For sample NTP packets refer to the Appendix section of this document. For more information on NTP please consult the following RFCs: RFC 2030 SNTP version 4 RFC 1305 NTP version 3 RFC 1059 NTP version 1 RFC 958 NTP NTP feature on Contivity Contivity supports NTP protocol and acts as an NTP client to synchronize its clock to available NTP servers when the feature is enabled. NTP is disabled by default. Unicasts, multicasts or broadcasts could be used to synchronize the clock on Contivity. In unicast mode, Contivity (NTP client) sends periodic query messages to NTP server. The server responds by filling in the required information and returning the message to the client. By measuring the round-trip time and looking at the time stamp in the return message, Contivity computes the server time and correct local clock. Contivity could be configured to send unicast NTP messages to up to 8 NTP servers. In broadcast/multicast modes Contivity will listen for and respond to broadcast/multicast messages. Upon hearing a broadcast/multicast message for the first time, NTP measures the nominal network delay using a brief client/server exchange with the remote server, then enters the broadcast-client/multicast-client mode, in which it listens for and synchronizes to succeeding broadcast/multicast messages. In multicast-client mode, NTP will listen for multicast messages at the group address of the global network. IP multicast address for NTP is that assigned to Note that, in order to avoid accidental or malicious disruption in broadcast/multicast mode, both the client and servers should operate using authentication and the same trusted key and key identifier. NTP packets could be sent via private or public interface. MD5 authentication could be used to secure the synchronization. Contivity supports the optional authentication procedure specified in the RFC When a client/server association runs in authenticated mode, each packet transmitted has appended to it a 32-bit key ID and a 64/128-bit cryptographic checksum of the packet contents computed using Message Digest (MD5) algorithm. With MD5 the receiving peer re-computes the checksum and compares it with the one included in the packet. For this to work, the peers must share at least one MD5 key (Trusted Key) and, furthermore, must associate the shared key with the same key ID. NOTE: NTP uses UDP port 123 for both source and destination, so when NTP is required and firewall is used a care must be taken to allow NTP traffic in order for the NTP to operate successfully. CG March 2004 Page: 5 of 47

6 Configuring NTP NTP on Contivity could be configured via GUI or CLI. Configuration via GUI Navigate System Date & Time to configure NTP client on Contivity. The Date and Time screen appears. Click on the Configure Network Time Protocol link: CG March 2004 Page: 6 of 47

7 The Network Time Protocol screen appears: Check the box next to Enable to enable NTP feature on Contivity: To synchronize Contivity clock to NTP broadcast server, check the box next to Synchronize time with Broadcast Server, this will enable Contivity to listen to broadcast messages: To synchronize Contivity clock to NTP multicast server, check the box next to Synchronize time with Multicast Server, this will enable Contivity to listen to multicast messages: CG March 2004 Page: 7 of 47

8 To specify the NTP servers to be used for unicast click Add under the Servers section. By default no servers are defined: The Add/Edit Server screen appears: Enter an IP Address of NTP Server: Select from which interface the selected NTP server is accessible Private or Public: CG March 2004 Page: 8 of 47

9 If configured, select the Key ID to be used for this server from the drop down list. By default no Key ID is configured and thus no ID is listed: Select if the Bursting should be Enabled or Disabled (default value). When bursting is enabled a burst of 8 packets is sent instead of a usual one packet to speed up the synchronization process: Select the Version of the NTP protocol from the drop-down list, the choices are 1,2,3,4 or Default (Default value is equivalent to version 3): CG March 2004 Page: 9 of 47

10 Once all the appropriate parameters have been set, click OK to save the configuration or Cancel not to: The configured NTP unicast server is listed under the Servers section: CG March 2004 Page: 10 of 47

11 Once configured the NTP server parameters could be edited by clicking the Edit button next to the appropriate server: To delete the server click Delete next to the appropriate NTP server: The confirmation screen appears. Click OK to delete the NTP server definition or Cancel not to: CG March 2004 Page: 11 of 47

12 Another server could be added by clicking the Add button and specifying the appropriate parameters. Up to 8 servers could be added in this manner. Note: Once 8 servers have been added the Add button in the Servers section disappears and no more servers could be configured: Click Add under the Trusted Keys section if configuration requires the use of Trusted Keys for authentication: CG March 2004 Page: 12 of 47

13 The Add/Edit Trusted Key screen appears: Enter the Key ID to be used between Contivity and NTP server (a number between 0 and 65535): Enter and confirm the Password associated with the Key ID: Once the appropriate parameters have been entered click OK to save the configuration or Cancel not to: The configured Key ID is listed under the Trusted Keys section: CG March 2004 Page: 13 of 47

14 Once configured, Key ID could be edited or deleted by clicking the appropriate button next to the key. A new key could be added by clicking on the Add button in the Trusted Keys section. When deleting a confirmation screen appears. Click OK to delete the key or Cancel not to: Once all the appropriate parameters have been set click OK at the bottom of the page. To return to the Date and Time screen click on the Return to the Date and Time page link: CG March 2004 Page: 14 of 47

15 Note, once Contivity has been configured to use NTP the Date and Time sections are updated only via NTP and could not be changed through the Date and Time screen as long as NTP is enabled: Configuration via CLI To configure Contivity using CLI you need to either telnet to Contivity or connect to it through the serial interface -> option L on the menu. Enter the privileged mode: CES>enable Password: Enter configuration mode: CES#configure terminal Enter configuration commands, one per line. End with Ctrl/z. CES(config)# CG March 2004 Page: 15 of 47

16 To view all configuration commands for the NTP: CES(config)#ntp? authentication-key broadcast multicast server <cr> The authentication key for Network Time Protocol(NTP) Enables system to listen for and respond to NTP broadcast messages Enables system to listen for and respond to NTP multicast messages Adds a server To enable NTP client on Contivity: CES(config)#ntp To disable the NTP globally: CES(config)#no ntp To enable Contivity to listen to NTP broadcasts: CES(config)#ntp broadcast server To enable Contivity to listen to NTP multicasts: CES(config)#ntp multicast server To specify an NTP server (for example, ) accessible from the private interface (private source) without any key (key none) with disabled bursting and supported version 3: CES(config)#ntp server source private key none bursting disable version 3 To configure the authentication key for NTP with for example, 17 as the key number and, for example, the word secret as a password: CES(config)#ntp authentication-key 17 password secret Exit the configuration menu: CES(config)#exit CES# CG March 2004 Page: 16 of 47

17 Event Log messages The NTP has been globally enabled: 01/06/ :23:41 0 thttpd [33] NTPGlobal.Enable changed from 'FALSE' to 'TRUE' by user ' ' Changes have been applied to the configuration: 01/06/ :23:42 0 thttpd [33] NtpGlobal.ApplyChange changed from 'FALSE' to 'TRUE' by user ' ' NTP daemon version is : 01/06/ :23:42 0 NTP [12] ntpd Tue Feb 9 14:56: (0) NTP precision value used is microseconds: 01/06/ :23:42 0 NTP [11] precision = usec Contivity has been enabled to listen to broadcast messages: 01/06/ :27:21 0 thttpd [33] NTPGlobal.Broadcast changed from 'FALSE' to 'TRUE' by user ' ' Contivity has been enabled to listen to multicast messages: 01/06/ :29:45 0 thttpd [33] NTPGlobal.Multicast changed from 'FALSE' to 'TRUE' by user ' ' NTP daemon has been shut down due to re-initialization or disabling the NTP: 01/06/ :27:21 0 NTP [12] NTP shutdown... NTP server with the IP address of has been created: 01/06/ :32:12 0 thttpd [35] NtpServer[ ] created by user ' ' The default NTP version is used to contact the created server: 01/06/ :32:12 0 thttpd [33] NtpServer[ ].Version changed from '0' to '0' by user ' ' The NTP version has been changed to 2: 01/06/ :38:51 0 thttpd [33] NTPServer[ ].Version changed from '0' to '2' by user ' ' No authentication key has been configured for the server: 01/06/ :32:12 0 thttpd [33] NtpServer[ ].Authkey changed from '0' to '0' by user ' ' CG March 2004 Page: 17 of 47

18 No burst has been enabled: 01/06/ :32:12 0 thttpd [33] NtpServer[ ].Burst changed from 'FALSE' to 'FALSE' by user ' ' The burst has been enabled: 01/06/ :38:51 0 thttpd [33] NTPServer[ ].Burst changed from 'FALSE' to 'TRUE' by user ' ' The public interface will not be used to contact the server: 01/06/ :32:12 0 thttpd [33] NtpServer[ ].public changed from 'FALSE' to 'FALSE' by user ' ' The public interface will be used to contact the server: 01/06/ :38:51 0 thttpd [33] NTPserver[ ].public changed from 'FALSE' to 'TRUE' by user ' ' The default local interface will be used: 01/06/ :32:12 0 thttpd [33] NtpServer[ ].devloc changed from '0' to '0' by user ' ' 01/06/ :32:12 0 thttpd [33] NtpServer[ ].LocInterfaceIP changed from ' ' to ' ' by user ' ' NTP authentication key with ID 17 has been created: 01/06/ :36:14 0 thttpd [35] NtpAuthKey[17] created by user ' ' The password for the key has been set to test : 01/06/ :36:14 0 thttpd [33] NtpAuthKey[17].AuthKey changed from '' to 'test' by user ' ' The Key ID has been deleted: 01/06/ :38:05 0 thttpd [35] NTPAuthKey[17] destroyed by user ' ' The NTP has been globally disabled on Contivity: 01/06/ :42:10 0 thttpd [33] NTPGlobal.Enable changed from 'TRUE' to 'FALSE' by user ' ' The time has been adjusted: 01/06/ :42:53 0 NTP [12] time set s 01/06/ :42:53 0 NTP [11] Clock_Update :- clock step adjusted. Synchronization has been lost: 01/06/ :46:00 0 NTP [11] Clock_Select :- synchronization lost Clocks have been synchronized: 01/07/ :55:07 0 NTP [11] clock synchronized Contivity has received the request for clock adjustments and being a client and not a server drops the request: 01/07/ :20:06 0 NTP [00] drop active mode packet CG March 2004 Page: 18 of 47

19 Checking the status of NTP The status of the NTP could be verified via GUI or CLI. Checking the status via GUI Navigate Status Health Check to check the status of NTP. Scroll down to Network Time Protocol. The Status section shows the status of NTP and the Description section explains the meaning of the status. If everything is configured properly and there are no problems with NTP the OK status is displayed. The Network Time Protocol link in the More Information section leads to the NTP configuration screen: If there are problems or changes the warning is displayed with the explanation of the warning in the Description field. For example, when NTP has just been enabled but the clock has not been synchronized yet the following message appears: CG March 2004 Page: 19 of 47

20 The statistics for the NTP could be checked by navigating Status Statistics and clicking on NTP Stats button: CG March 2004 Page: 20 of 47

21 The Statistics NTP Stats screen appears showing the statistics for the NTP: Checking the status via CLI To view the status of NTP via CLI you need to either telnet into Contivity or connect to it through the serial interface -> option L on the menu. The statistics could be viewed in normal or privileged mode; the same commands apply for both modes. Enter the privileged mode: CES>enable Password: CG March 2004 Page: 21 of 47

22 To view the configuration for the NTP: CES#show ntp NTP: enable Synchronize time with Broadcast Server: enable Synchronize time with Multicast Server: enable Servers: Server IP Address Interface Private Key ID 0 Bursting Disabled Version 3 Authentication keys: 17 To view NTP associations: CES#show ntp associations NTP Servers: (* active server) remote local st poll reach delay offset disp ====================================================================== To view the current time and time source: CES#show clock detail 16:54:19 EST Wed Jan Time source is NTP CG March 2004 Page: 22 of 47

23 To view NTP statistics: CES#show status statistics system ntp-stats Date 01/08/2004 Time 14:09:27 NTP Servers: (* active server) remote local st poll reach delay offset disp ======================================================================= * NTP packet: Packet received: 9 Packet processed: 9 Packet sent: 21 Packet not sent: 0 Packet dropped: 0 Packet ignored: 0 Bad stratum: 0 Bad authentication: 0 Bad length: 0 Old version: 9 New version: 0 CG March 2004 Page: 23 of 47

24 Sample configuration Setup /24 CES NTPS CES, NTP client, management IP /24, private IP /24; NTPS Linux RedHat 9 with NTP daemon ntp installed, IP address /24 The goal of the configuration is to configure CES to use NTP to synchronize its clock with NTPS (NTP Server). Configuring NTPS This configuration assumes that ntpd software has been successfully installed on the Linux box. For the information on NTP daemon please consult the official NTP web site The root privileges are required for the configuration: $su Password: [root@linux user]# Configure the IP address for the Ethernet interface ( /24): [root@linux user]# /sbin/ifconfig eth netmask CG March 2004 Page: 24 of 47

25 To automatically assign the Ethernet interface the IP address at reboot, modify the /etc/sysconfig/network-scripts/ifcfg-eth0 file: more /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0 IPADDR= NETMASK= NETWORK= BROADCAST= ONBOOT=yes NAME=eth0 Make sure interface is properly configured: user]# /sbin/ifconfig a eth0 Link encap:ethernet HWaddr 00:50:56:42:81:C5 inet addr: Bcast: Mask: UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:552 errors:0 dropped:0 overruns:0 frame:0 TX packets:412 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:39756 (38.8 Kb) TX bytes:34087 (33.2 Kb) Interrupt:11 Base address:0x1080 lo Link encap:local Loopback inet addr: Mask: UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:838 (838.0 b) TX bytes:838 (838.0 b) [root@linux user]# Modify the NTP configuration file to allow requests. By default all request are denied. Open the /etc/ntp.conf file for editing: [root@linux ntp]# vi /etc/ntp.conf Comment in the restrict default ignore parameter, uncommented this parameter ignores NTP requests: #restrict default ignore Comment in the authentication parameter as we are not using authentication in this example: #authenticate yes CG March 2004 Page: 25 of 47

26 Comment in the keys location parameter as we are not using keys in this example: #keys /etc/ntp/keys This would leave only the following parameters uncommented: restrict server # local clock fudge stratum 10 driftfile /etc/ntp/drift broadcastdelay Save the /etc/ntp.conf file. Verify the drift file contains the default drift value of 0.0: [root@linux ntp]# more /etc/ntp/drift 0.0 [root@linux ntp] Note: In this configuration Linux box is synchronized to itself, not to other NTP servers. Add the server for synchronization to the /etc/ntp.conf file to synchronize Linux box to it in the real life setup. Consult the default /etc/ntp.conf file and help available at for more information on NTP configuration file. Check the time on Linux machine: [root@linux ntp]# date Tue Jan 6 14:50:30 EST 2004 Set the correct time if necessary, for example to set the time to 15:08: [root@linux ntp]# date -s 1508 Tue Jan 6 15:08:00 EST 2004 Start the NTP daemon. There are several ways to start the NTP daemon. We will use the following: [root@linux ntp]# /etc/init.d/ntpd start Starting ntpd: [ OK ] CG March 2004 Page: 26 of 47

27 Configuring CES Configure the IP address ( /24) for the management and private ( /24) interfaces: CG March 2004 Page: 27 of 47

28 Navigate System Date & Time. Click on the Configure Network Time Protocol link: CG March 2004 Page: 28 of 47

29 The Network Time Protocol screen appears. Check the box next to Enable. Click Add under the Server section: CG March 2004 Page: 29 of 47

30 The Add/Edit Server appears. Enter the IP Address of the NTPS ( ), make sure the Private interface is selected as the NTPS is located on the private side in this example. Leave the Key ID to None, select Enable for the Bursting to speed up the synchronization and leave the Default value for the Version. Click OK to save the configuration: CG March 2004 Page: 30 of 47

31 The configured server is listed under the Servers section. Click OK at the bottom of the page. Follow the link at the bottom of the page to return to the Date and Time screen: CG March 2004 Page: 31 of 47

32 Note the Date and Time fields are not configurable at this point. Select the correct Time Zone the CES is located in, US Eastern in this example and click OK: At this point the configuration of the CES is complete. Testing the configuration Once both NTP server and NTP client has been configured, check the Health Check on CES. Navigate Status Health Check. Scroll to the Network Time Protocol and check the status. Note the warning next to the NTP as the clock has not been synchronized yet: CG March 2004 Page: 32 of 47

33 Check the date on CES: Check the date on NTPS: ntp]# date Tue Jan 6 15:36:18 EST 2004 Note the difference in dates. Wait for the synchronization to complete and check the dates again. Note: The process of synchronization and time adjustments may take several minutes to complete. Check the dates again: [root@linux ntp]# date Tue Jan 6 15:59:22 EST 2004 The time has been synchronized. Note: The difference in seconds in the example is due to latency in collecting the data only. Check the log on CES: 01/06/ :56:31 0 NTP [12] time set s 01/06/ :56:31 0 NTP [11] Clock_Update :- clock step adjusted. Once fully synchronized the following message appears in the log on CES: 01/07/ :58:07 0 NTP [11] clock synchronized CG March 2004 Page: 33 of 47

34 Check the status of the NTP on CES. Scroll down to the Network Time Protocol on the Status Health Check screen and verify the status is OK clock is synchronized: Sample using authentication The configuration is based on the previous example. Only the differences in the configuration will be pointed out. The goal of the configuration is to configure CES to synchronize its time to NTPS and use authentication. Configuring NTPS Configure NTPS to use authentication for the CES. For this to work, CES should be specified as a peer of NTPS and a key should be selected for the authentication. Open /etc/ntp.conf file in the editor. Let s say we decided to use key ID 77 (any number in range of will do) to authenticate CES. Adding the following line into the /etc/ntp.conf file will associate key ID 77 with peer (CES): peer key 77 The selected key will be trusted, so we ll add the following line into the NTP config file: trustedkey 77 Now we need to tell NTP daemon where it should look for a password associated with this Key ID, so we add the following line specifying the location of the keys file (/etc/ntp/keys in this example): keys /etc/ntp/keys CG March 2004 Page: 34 of 47

35 Save the /etc/ntp.conf file. The /etc/ntp.conf will now contain the following config: restrict server # local clock fudge stratum 10 driftfile /etc/ntp/drift broadcastdelay peer key 77 trustedkey 77 keys /etc/ntp/keys Modify the keys file to contain the password for the selected key. Open the keys file in text editor: [root@linux ntp]# vi /etc/ntp/keys Add the following line to keys file to associate password (test) with the key ID (77) and to use MD5 (M): 77 M test Save the /etc/ntp/keys file. Restart the NTP daemon: [root@linux ntp]# /etc/init.d/ntpd restart Shutting down ntpd: [ OK ] Starting ntpd: [ OK ] CG March 2004 Page: 35 of 47

36 Configuring CES Add a Trusted Key on the Network Time Protocol screen; click Add under the Trusted Keys section: Enter the Key ID (the same ID configured on NTPS, 77), Password (same password as on NTPS, test), confirm the password and click OK: CG March 2004 Page: 36 of 47

37 The configured key ID is displayed under the Trusted Keys section. Edit the configured NTP server, click Edit next to server: Select the configured Key ID (77) from the drop down box and click OK: CG March 2004 Page: 37 of 47

38 CES will use the configured Key ID for the authentication with NTPS: Testing the configuration Check the time on CES: CES#show clock 09:33:59 EST Thu Jan Check the time on NTPS: ntp]# date Thu Jan 8 09:38:08 EST 2004 Note: If the times are the same use the date command and shift the time a bit to note the synchronization, for example to set the time to 9:20 AM: [root@linux ntp]# date -s 0920 Thu Jan 8 09:20:08 EST 2004 Wait for the synchronization to complete and check the time again. Note: It may take several minutes for time to adjust. Check the log on CES: 01/08/ :40:43 0 NTP [12] time set s 01/08/ :40:43 0 NTP [11] Clock_Update :- clock step adjusted. 01/08/ :43:14 0 NTP [11] clock synchronized CG March 2004 Page: 38 of 47

39 Sample multicast NTP The configuration is based on previous example. Only the differences in the configuration will be noted. The goal of the configuration is to configure CES to adjust to multicast NTP server. Configuring NTPS Open /etc/ntf.conf file for editing: ntp]# vi /etc/ntp.conf Comment in the association between the peer and the key : #peer key 77 Enable NTP daemon to send multicast messages secured by key ID (key id 77 is used as in previous example) by adding the following line: broadcast key 77 Save the file. The file contains now the following config: restrict server # local clock fudge stratum 10 driftfile /etc/ntp/drift broadcastdelay broadcast key 77 trustedkey 77 keys /etc/ntp/keys We need to specify the routing for the multicast messages. So we tell Linux (NTPS) to use its Ethernet interface ( ) to send out the messages: [root@linux ntp]# /sbin/route add -net /4 gw Verify the routing table on NTPS: [root@linux ntp]# netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface U eth U lo UG eth0 CG March 2004 Page: 39 of 47

40 Restart the NTP daemon: ntp]# /etc/init.d/ntpd restart Shutting down ntpd: [ OK ] Starting ntpd: [ OK ] Configuring CES Delete the defined NTP server on the Network Time Protocol screen: CG March 2004 Page: 40 of 47

41 Once NTP server is deleted, check the box next to Synchronize time with Multicast Server box and click OK at the bottom of the screen: Testing the configuration Wait for the synchronization to complete and check the log on CES: 01/09/ :37:48 0 NTP [12] time set s 01/09/ :37:48 0 NTP [11] Clock_Update :- clock step adjusted. 01/09/ :42:42 0 NTP [11] clock synchronized CG March 2004 Page: 41 of 47

42 Check the statistics on NTP by navigating Status Statistics and clicking NTP stats button: NTP statistics is displayed, note the NTP sever is active: CG March 2004 Page: 42 of 47

43 Appendix. Sample NTP traces Initial packet to NTP server Below is a sample NTP trace of clock not synchronized condition. Note the NULL value for the Originate, Receive and Reference Time Stamps and client Mode (3), this indicates that this is an initial packet of synchronization: CG March 2004 Page: 43 of 47

44 Server response Below is a sample NTP trace of server answer to the client. Note the server Mode (4), no warnings in Leap indicator, the clock stratum is set to secondary reference (11). Note the Reference Clock ID ( as in the sample configuration NTP server was consulting its system clock for the synchronization), the clocks are updated: CG March 2004 Page: 44 of 47

45 NTP packet with authentication Below is a sample of NTP server packet with authentication section, note the presence of Key ID and Message Authentication Code parameters: CG March 2004 Page: 45 of 47

46 Broadcast/Multicast NTP packet Below is a trace for the NTP broadcast message sent by server. Note the broadcast Mode and broadcast address. The difference between broadcast and multicast packet is in the Destination Address field, compare to the snapshots below: CG March 2004 Page: 46 of 47

47 Sample multicast packet: Copyright 2005 Nortel Networks Limited - All Rights Reserved. Nortel, Nortel Networks, the Nortel logo, Globemark, and Contivity are trademarks of Nortel Networks Limited. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Limited. To access more technical documentation, search our knowledge base, or open a service request online, please visit Nortel Networks Technical Support on the web at: If after following this guide you are still having problems, please ensure you have carried out the steps exactly as in this document. If problems still persist, please contact Nortel Networks Technical Support (contact information is available online at: We welcome you comments and suggestions on the quality and usefulness of this document. If you would like to leave a feedback please send your comments to: CRCONT@nortel.com Author: Kristina Senkova CG March 2004 Page: 47 of 47