ntp_acc(5) ntp_acc(5)
NAME
ntp_acc - Access Control Options
ACCESS CONTROL SUPPORT
The ntpd daemon implements a general purpose address/mask based
restriction list. The list contains address/match entries sorted first
by increasing address values and then by increasing mask values. A
match occurs when the bitwise AND of the mask and the packet source
address is equal to the bitwise AND of the mask and the address in the
list. The list is searched in order, with the last match found defining
the restriction flags associated with the entry. Additional information
and examples can be found in the Notes on Configuring NTP and
Setting up a NTP Subnet page. The restriction facility was implemented
in conformance with the access policies for the original NSFnet
backbone time servers. Later the facility was expanded to deflect
cryptographic and clogging attacks. While this facility may be useful
for keeping unwanted, broken or malicious clients from congesting
innocent servers, it should not be considered an alternative to the
NTP authentication facilities. Source address based restrictions are
easily circumvented by a determined cracker.
Clients can be denied service because they are explicitly included in
the restrict list created by the restrict command, or implicitly as the
result of cryptographic or rate limit violations. Cryptographic
violations include certificate or identity verification failure; rate
limit violations generally result from defective NTP implementations
that send packets at abusive rates. Some violations cause denied
service only for the offending packet, others cause denied service for
a timed period, and others cause denied service for an indefinite
period. When a client or network is denied access for an indefinite
period, the only way at present to remove the restrictions is by
restarting the server.
THE KISS-OF-DEATH PACKET
Ordinarily, packets denied service are simply dropped with no further
action except incrementing statistics counters. Sometimes a more
proactive response is needed, such as a server message that explicitly
requests the client to stop sending and leave a message for the system
operator. A special packet format has been created for this purpose
called the "kiss-o’-death" (KoD) packet. KoD packets have the leap
bits set unsynchronized and stratum set to zero and the reference
identifier field set to a four-byte ASCII code. If the noserve or
notrust flag of the matching restrict list entry is set, the code is
"DENY"; if the limited flag is set and the rate limit is exceeded, the
code is "RATE". Finally, if a cryptographic violation occurs, the code
is "CRYP".
A client receiving a KoD performs a set of sanity checks to minimize
security exposure, then updates the stratum and reference identifier
peer variables, sets the access denied (TEST4) bit in the peer flash
variable and sends a message to the log. As long as the TEST4 bit is
set, the client will send no further packets to the server. The only
way at present to recover from this condition is to restart the
protocol at both the client and server. This happens automatically at the
client when the association times out. It will happen at the server
only if the server operator cooperates.
ACCESS CONTROL COMMANDS
discard [ average avg ][ minimum min ] [ monitor prob ]
Set the parameters of the limited facility which protects the
server from client abuse. The average subcommand specifies the
minimum average packet spacing, while the minimum subcommand
specifies the minimum packet spacing. Packets that violate
these minima are discarded and a kiss-o’-death packet returned
if enabled. The default minimum average and minimum are 5 and
2, respectively. The monitor subcommand specifies the
probability of discard for packets that overflow the rate-control
window.
restrict address [mask mask] [flag][...]
The address argument, expressed in dotted-quad form, is the
address of a host or network. Alternatively, the address
argument can be a valid host DNS name. The mask argument,
expressed in dotted-quad form, defaults to 255.255.255.255,
meaning that the address is treated as the address of an
individual host. A default entry (address 0.0.0.0, mask 0.0.0.0)
is always included and is always the first entry in the list.
Note that the text string default, with no mask option, may be
used to indicate the default entry. In the current implementation,
a flag always restricts access, i.e., an entry with no flags
indicates that free access to the server is to be given. The flags
are not orthogonal, in that more restrictive flags will often
make less restrictive ones redundant. The flags can generally
be classed into two categories: those which restrict time
service and those which restrict informational queries and
attempts to do run-time reconfiguration of the server. One or
more of the following flags may be specified:
ignore Deny packets of all kinds, including ntpq and ntpdc
queries.
kod If this flag is set when an access violation occurs, a
kiss-o’-death (KoD) packet is sent. KoD packets are
rate limited to no more than one per second. If
another KoD packet occurs within one second after the
last one, the packet is dropped.
limited Deny service if the packet spacing violates the lower
limits specified in the discard command. A history of
clients is kept using the monitoring capability of
ntpd. Thus, monitoring is always active as long as
there is a restriction entry with the limited flag.
lowpriotrap
Declare traps set by matching hosts to be low
priority. The number of traps a server can maintain is
limited (the current limit is 3). Traps are usually
assigned on a first come, first served basis, with
later trap requestors being denied service. This flag
modifies the assignment algorithm by allowing low
priority traps to be overridden by later requests for
normal priority traps.
nomodify
Deny ntpq and ntpdc queries which attempt to modify
the state of the server (i.e., run time
reconfiguration). Queries which return information are permitted.
noquery Deny ntpq and ntpdc queries. Time service is not
affected.
nopeer Deny packets which would result in mobilizing a new
association. This includes broadcast and symmetric
active packets when a configured association does not
exist.
noserve Deny all packets except ntpq and ntpdc queries.
notrap Decline to provide mode 6 control message trap service
to matching hosts. The trap service is a subsystem of
the ntpd control message protocol which is intended
for use by remote event logging programs.
notrust Deny service unless the packet is cryptographically
authenticated.
ntpport This is actually a match algorithm modifier, rather
than a restriction flag. Its presence causes the
restriction entry to be matched only if the source
port in the packet is the standard NTP UDP port (123).
Both ntpport and non-ntpport may be specified. The
ntpport is considered more specific and is sorted
later in the list.
version Deny packets that do not match the current NTP
version.
Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host’s interface addresses, are inserted
into the table at startup to prevent the server from attempting to
synchronize to its own time. A default entry is also always present;
if it is not otherwise configured, no flags are associated with the
default entry (i.e., everything besides your own NTP server is
unrestricted).
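As an added illustration (not code from the ntp distribution), the following Python models the behaviour described above: entries sorted by increasing address and then mask, the last matching entry deciding the flags, the ntpport match modifier, the startup interface entries, the always-present default entry, and the KoD reference-identifier code chosen for a denied packet. The addresses and flags in the sample policy are constructed for the example.

```python
import ipaddress

NTP_PORT = 123

def entry(address, mask="255.255.255.255", *flags):
    """One restrict line as (addr, mask, ntpport, flags); 'default' = 0.0.0.0/0.0.0.0."""
    if address == "default":
        address, mask = "0.0.0.0", "0.0.0.0"
    flagset = frozenset(flags)
    return (int(ipaddress.IPv4Address(address)), int(ipaddress.IPv4Address(mask)),
            "ntpport" in flagset, flagset - {"ntpport"})  # ntpport is a match modifier

def build_list(entries):
    """Sort by increasing address, then increasing mask; an ntpport entry sorts
    after its non-ntpport twin. A flagless default entry is added unless configured."""
    lst = list(entries)
    if not any(a == 0 and m == 0 and not p for a, m, p, _ in lst):
        lst.append(entry("default"))
    return sorted(lst, key=lambda e: e[:3])

def lookup(restrict_list, src_ip, src_port=NTP_PORT):
    """Walk the list in order; the flags of the LAST matching entry apply.
    A match is (src & mask) == (addr & mask), plus the port test for ntpport."""
    src = int(ipaddress.IPv4Address(src_ip))
    flags = frozenset()
    for addr, mask, ntpport, fl in restrict_list:
        if ntpport and src_port != NTP_PORT:
            continue
        if src & mask == addr & mask:
            flags = fl
    return flags

def kod_code(flags, authenticated=False, rate_exceeded=False):
    """KoD reference-identifier code for a denied packet when kod is set; None = silent drop."""
    if "kod" not in flags:
        return None
    if "noserve" in flags or ("notrust" in flags and not authenticated):
        return "DENY"
    if "limited" in flags and rate_exceeded:
        return "RATE"
    return None

# Constructed sample policy: the server's own interface address as ntpd inserts it
# at startup, a management net, a client net with one exempted host, and a default.
POLICY = build_list([
    entry("192.0.2.10", "255.255.255.255", "ignore", "interface", "ntpport"),
    entry("192.0.2.0", "255.255.255.0", "nomodify", "notrap"),
    entry("198.51.100.0", "255.255.255.0", "kod", "limited", "nomodify",
          "notrap", "nopeer", "noquery"),
    entry("198.51.100.7", "255.255.255.255", "nomodify", "notrap"),
    entry("default", "0.0.0.0", "ignore"),
])
```

Note that a packet from the server's own address is ignored only when it comes from port 123; an ntpq query from an ephemeral port on that host falls through to the 192.0.2.0/24 entry, which is why the startup entries carry ntpport.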
SEE ALSO
ntp.conf(5)
Primary source of documentation: /usr/share/doc/ntp-*
This file was automatically generated from HTML source.