...

NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Appliances that use NTP try to get their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. NTP uses UDP (User Datagram Protocol) on port 123 for communications between clients and servers.
NTP is based on a hierarchy where reference clocks are at the top. Reference clocks use different methods such as special receivers or satellite systems to synchronize their time to UTC. NTP servers on the first level of the hierarchy synchronize their time with the reference clocks, and serve time to clients as well. Each level in the hierarchy is a stratum; stratum-0 is a reference clock. Stratum-1 servers synchronize their clocks with reference clocks. Stratum-2 servers synchronize their clocks with stratum-1 servers, and so forth. The stratum number indicates the number of levels between the NTP server and the reference clock. A higher stratum number could indicate more variance between the NTP server and the reference clock.
You can configure a NIOS appliance to function as an NTP client that synchronizes its clock with an NTP server. For more information, see NIOS Appliances as NTP Clients. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the NIOS appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org. When NTP is configured, it listens on all interfaces, including the loopback interface on the NIOS appliance.
In a Grid, the Grid Master and Grid members can function as NTP clients that synchronize their clocks with external NTP servers. They can in turn function as NTP servers to other appliances in the network. For more information, see NIOS Appliances as NTP Servers. Note that when the Grid Master functions as an NTP server, it synchronizes its local clock with its NTP clients and does not synchronize time with any other external NTP server. This allows you to deploy multiple NTP servers to ensure accurate and reliable time across the network. To configure the Grid Master and Grid members as NTP clients, you must first enable the NTP service and configure external NTP servers at the Grid level. You can then configure the Grid Master and Grid members to override the Grid-level NTP servers and use their own external NTP servers. Note that a Grid member will not function as an NTP client if you do not enable the NTP service at the Grid level. A Grid member synchronizes its clock with the Grid Master if you do not configure it to use external NTP servers.
In case of leap second insertion, the Infoblox Grid handles the leap second over a period of time instead of performing a one-time adjustment. In other words, when using the Grid as the NTP server, it follows the standard NTP recovery process by slewing over a certain period of time when handling the leap second. The slewing process could therefore cause synchronization issues among NTP clients. The out-of-sync state is usually resolved when all NTP clients catch up with the server.
Figure 8.1 illustrates how NIOS appliances (the Grid Master and Grid members) in a Grid function as the NTP server or the NTP client, depending on your NTP configuration.

...

Authenticating NTP
To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a Grid.
NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message.
As shown in Figure 8.2, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the NIOS appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the NIOS appliance. When you configure a NIOS appliance as an NTP server, you must create a key and send the key information to clients in a secure manner. A key consists of the following:
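The symmetric-key MAC described above, worked through as an added example (not NIOS code): the sender appends the key ID and a digest computed over the shared key and the 48-byte NTP packet, and the receiver looks the key up by ID and recomputes the digest. The key ID, key data and packet contents are constructed for the example; the MAC layout (keyid || H(key || packet)) follows RFC 5905.

```python
import hashlib
import hmac
import struct

# Constructed example key (ID + data); on NIOS these come from the NTP
# server's administrator. Assumption: the key data is used as raw ASCII bytes.
EXAMPLE_KEY_ID = 1
EXAMPLE_KEY = b"example-shared-secret"

# Digest lengths RFC 5905 allows for the symmetric-key MAC.
DIGEST_LEN = {"md5": 16, "sha1": 20}


def build_client_packet(transmit_ts: int = 0) -> bytes:
    """Construct a minimal 48-byte NTPv4 client request (mode 3)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3                # LI=0, VN=4, mode=3
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)  # stratum, poll, precision
    root = struct.pack("!II", 0, 0)                     # root delay, root dispersion
    refid = b"\x00\x00\x00\x00"
    stamps = struct.pack("!QQQQ", 0, 0, 0, transmit_ts)  # ref, orig, recv, xmit
    return head + root + refid + stamps


def append_mac(packet: bytes, key_id: int, key: bytes, algo: str = "md5") -> bytes:
    """Sender side: append keyid || H(key || packet), as RFC 5905 specifies."""
    digest = hashlib.new(algo, key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys: dict, algo: str = "md5") -> bool:
    """Receiver side: recompute the MAC with the key named by the trailing key ID.

    keys maps key ID -> key data, i.e. the key table both sides must share."""
    trailer_len = 4 + DIGEST_LEN[algo]
    if len(message) < 48 + trailer_len:
        return False                                # no MAC present at all
    body, trailer = message[:-trailer_len], message[-trailer_len:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keys.get(key_id)
    if key is None:
        return False                                # unknown key ID: reject
    expected = hashlib.new(algo, key + body).digest()
    return hmac.compare_digest(expected, trailer[4:])  # constant-time compare


if __name__ == "__main__":
    request = append_mac(build_client_packet(transmit_ts=1), EXAMPLE_KEY_ID, EXAMPLE_KEY)
    print(len(request), verify_mac(request, {EXAMPLE_KEY_ID: EXAMPLE_KEY}))
```

A message whose key ID is not in the receiver's table, or whose body was altered in transit, fails verification even though it carries a well-formed trailer.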

...

When you enable a NIOS appliance to function as an NTP client, you must specify at least one NTP server with which the appliance can synchronize its clock. Infoblox recommends that you specify multiple NTP servers that synchronize their time with different reference clocks and that have different network paths. This increases stability and reduces risk in case a server fails. For a list of public NTP servers, you can access www.ntp.org.
When you specify multiple NTP servers, the NTP daemon on the appliance determines the best source of time by calculating round-trip time, network delay, and other factors that affect the accuracy of the time. NTP periodically polls the servers and adjusts the time on the appliance until it matches the best source of time. If the difference between the appliance and the server is less than five minutes, the appliance adjusts the time gradually until the clock time matches the NTP server. If the difference in time is more than five minutes, the appliance immediately synchronizes its time to match that of the NTP server.
To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see Authenticating NTP.
In a Grid, you can configure the Grid Master and Grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the Grid, the Grid Master automatically functions as an NTP server to the Grid members. A Grid member can synchronize its time with the Grid Master, an external NTP server, or another Grid member. When Grid members synchronize their times with the Grid Master, the Grid Master and its members send NTP messages through an encrypted VPN tunnel, as shown in Figure 8.3. When a Grid member synchronizes its time with another Grid member, the NTP messages are not sent through a VPN tunnel.

Figure 8.3 Grid Master as NTP Client

...


Adding NTP Authentication Keys
To enable authentication between the appliance and the NTP servers, add the authentication keys before enabling the NTP service on the Grid. You can specify authentication keys at the Grid and member levels.
To add NTP authentication keys:

...

  1. From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
  2. In the General tab of the Grid NTP Properties editor, select Synchronize the Grid with these External NTP Servers.
  3. Click the Add icon to add external NTP servers and enter the following information in the Add NTP Server dialog box:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. Entries may be an IPv4 or IPv6 address. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see Enabling DNS Resolution.
    • Enable Authentication: Select this option to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.

      Authentication Key: Select a key that you previously entered from the drop-down list.
    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, you can configure some of the following settings:
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the check box Synchronize the Grid with these External NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
      • IBURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
        For information about adding NTP authentication keys, see Adding NTP Authentication Keys.
  4. Save the configuration and click Restart if it appears at the top of the screen.

Configuring Grid Members to Use NTP

P server, make sure that the NTP service is enabled at Grid level. Otherwise, the Grid member will not function as an NTP client. For information, see

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this check box to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Synchronize this Member only with the Grid Master: Select this check box to enable this Grid member to synchronize its time with the Grid Master. This is the default.
    • Synchronize this Member with other NTP Servers: Select this check box to enable this Grid member to use external NTP servers. When you select this check box, you must enter at least one external NTP server for the member.
    • Exclude the Grid Master as an NTP Server: Select this check box if you want to exclude the Grid Master from being one of the time sources. By default, the appliance automatically configures the Grid Master as the backup NTP server for a Grid member. When the member cannot reach any of its configured NTP servers, it uses the Grid Master as the NTP server. The appliance does not display the Grid Master in the NTP external server list. For a Grid Master, this check box has no meaning.
    • External NTP Servers: Click Override and then click the Add icon. In the Add NTP Server dialog box, enter the following information:
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the DNS server can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured.
    • Enable Authentication: Select this check box to enable authentication of NTP communications between the external NTP server and the NIOS appliance (the Grid Master or Grid member in a Grid, an independent NIOS appliance, or the active node in an independent HA pair).

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Grid member and an external NTP server, as well as between a Grid member and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Grid Master and Grid members.

      Authentication Key: Select a key that you previously entered from the drop-down list. Note that you must enter authentication keys at the Grid level when you configure a Grid Master or Grid member to use external NTP servers.
    • Click Add to add the NTP server to the list or Cancel to cancel the operation. In the table, click Override in the table to override configurable settings. To inherit the same properties as the Grid, click Inherit.
      • Preferred: Select this to mark an external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server. NIOS uses the responses from this preferred server over responses from other external NTP servers. A response from a preferred server will be discarded if it differs significantly from the responses of other servers. Infoblox recommends that you select an NTP server that is known to be highly accurate as the preferred server, such as one that has special time monitoring hardware. Note that this option is enabled only when you have selected the check box Synchronize this Member with other NTP Servers.
      • Server: Displays the FQDN or IP address of the NTP server that you added.
      • Authentication: When you enable authentication, this column displays Yes. Otherwise, it displays No.
      • Key Number: Displays the authentication key that you have selected.
      • BURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.
      • IBURST: Select this check box to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet at a regular interval of two seconds. After you add an NTP server and save the configuration, the appliance will enable this option by default. When you deselect this check box, the client sends a single packet only once to the server.

        Note: NTP members inherit NTP properties from the Grid. Click Override in the Member NTP Properties wizard to override configurable settings. To inherit the same properties as the Grid, click Inherit.
        For information about adding NTP authentication keys, see Adding NTP Authentication Keys.

  4. Save the configuration and click Restart if it appears at the top of the screen.

...

...

  1. From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box.
  2. Expand the Toolbar and click NTP -> NTP Member Config.
  3. In the General tab of the Member NTP Properties editor, do the following:
    • Enable the NTP Server on this Member: Select this option to configure a Grid Master or a Grid member as an NTP server. If you have configured DNS anycast on the appliance, it can answer NTP requests through the anycast IP address.
    • Click Override in the NTP Keys section to enter NTP authentication keys at the member level. The member uses these keys when acting as an NTP server and authenticates requests from NTP clients. Clear the check box to use the Grid-level authentication keys.
  4. Click Add in the NTP Keys section. For information, see Adding NTP Authentication Keys.
  5. Save the configuration and click Restart if it appears at the top of the screen.

...

  1. Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
    Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box. Expand the Toolbar and click NTP -> NTP Member Config.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. In the Access Control tab of the Grid or Member NTP Properties editor, select one of the following to configure NTP access control:
    • None: Select this if you do not want to configure access control for NTP service. When you select None, the appliance allows all clients to access the NTP service. This is selected by default.
    • Use Named ACL for Time only: Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service. You can click Clear to remove the selected named ACL. The appliance accepts ntpq queries from specified NTP clients.
    • Use Named ACL for Time + NTP Control (NTPQ): Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service, and for the appliance to accept ntpq queries from those clients as well. You can click Clear to remove the selected named ACL.
    • Use this set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows:
      • IPv4 Address: Select this to add an IPv4 address. Click the Value field and enter the IPv4 address. The default permission is Allow, which means that the appliance allows access to and from this IPv4 client. You cannot change the default permission. In the Service field, select Time only to allow this client to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv4 Network: Select this to add an IPv4 network. Click the Value field and enter the IPv4 network. The default permission is Allow, which means that the appliance allows access to and from this IPv4 network. You cannot change the default permission. In the Service field, select Time only to allow this network to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • IPv6 Address: Select this to add an IPv6 address. Click the Value field and enter the IPv6 address. The default permission is Allow, which means that the appliance allows access to and from this IPv6 client. You cannot change the default permission. In the Service field, select Time only to allow this client to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
      • IPv6 Network: Select this to add an IPv6 network. Click the Value field and enter the IPv6 network. The default permission is Allow, which means that the appliance allows access to and from this IPv6 network. You cannot change the default permission. In the Service field, select Time only to allow this network to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
      • Any Address/Network: Select this to allow access to all IPv4 and IPv6 addresses and networks. The default permission is Allow, which means that the appliance allows access to and from all IPv4 and IPv6 clients. You cannot change the default permission. In the Service field, select Time only to allow all clients to use the NTP service on the appliance, or select Time + NTP Control (NTPQ) to also accept ntpq queries from all clients.
        After you have added access control entries, you can do the following:
        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
        • Reorder the list of ACEs using the up and down arrows next to the table.
        • Select an ACE and click the Edit icon to modify the entry.
        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
      • Enable KoD: When you select this check box, the appliance (when acting as an NTP server) sends a KoD (Kiss-o'-Death) packet to the NTP client if the client has exceeded the rate limit. The KoD packet contains the stratum field set to zero and the ASCII string in the Reference Source Identifier field set to RATE, indicating the packets sent by the client have been dropped by the server. When you clear the check box, the NTP server drops the packets but does not send any KoD packet to the client. This check box is deselected by default. For more information about KoD, see Enabling Kiss-o'-Death for NTP.
  3. Save the configuration and click Restart if it appears at the top of the screen.
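The ACE semantics above (Allow-only entries, IPv4/IPv6 address or network or Any, a Service level of Time only or Time + NTP Control, and the IPv4-only rule for named ACLs) modelled as an added example that is not NIOS code. It assumes that the first matching ACE in list order decides, which is what makes the reorder arrows meaningful; the ACE values and client addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Service levels offered in the ACE "Service" field.
TIME_ONLY = "Time only"
TIME_AND_CONTROL = "Time + NTP Control (NTPQ)"

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class Ace:
    """One access control entry: value is an address, a network, or "any".
    The permission is always Allow, as on the appliance, so an ACE only
    ever grants; anything it does not match falls through to the next ACE."""
    value: str
    service: str

    def matches(self, client: IPAddr) -> bool:
        if self.value == "any":
            return True
        net = ipaddress.ip_network(self.value, strict=False)
        # An IPv4 ACE never matches an IPv6 client and vice versa.
        return client.version == net.version and client in net


def evaluate(aces: List[Ace], client_ip: str) -> Tuple[bool, bool]:
    """Return (time_allowed, ntpq_allowed) for one client.

    Assumption for this example: the first ACE that matches decides. A
    client that matches no ACE gets neither time nor ntpq control access."""
    client = ipaddress.ip_address(client_ip)
    for ace in aces:
        if ace.matches(client):
            return True, ace.service == TIME_AND_CONTROL
    return False, False


def named_acl_problems(entries: List[str]) -> List[str]:
    """A named ACL used for NTP may contain only IPv4 addresses and networks
    (no IPv6, no TSIG-key ACEs). Return a description of each bad entry."""
    problems = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"not an address or network: {entry!r}")
            continue
        if net.version != 4:
            problems.append(f"NTP named ACLs are IPv4 only: {entry!r}")
    return problems


if __name__ == "__main__":
    # Constructed ACE set: one host gets ntpq control, its /24 gets time only.
    rules = [Ace("10.0.0.5", TIME_AND_CONTROL), Ace("10.0.0.0/24", TIME_ONLY)]
    for ip in ("10.0.0.5", "10.0.0.9", "192.0.2.1"):
        print(ip, evaluate(rules, ip))
```

Swapping the two ACEs in the sample set demotes 10.0.0.5 to time-only access, because the network entry now matches first; that is the ordering pitfall the up and down arrows exist to manage.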
Enabling Kiss-o'-Death for NTP
When an NTP server denies service to an NTP client that has exceeded the rate limit, it typically drops the packets without notifying the client. In this case, the client, unaware of the situation, continues to transmit packets. To notify the client so that it either slows down or stops the packet transmission, you can enable the NIOS appliance (when acting as an NTP server) to transmit a KoD (Kiss-o'-Death) packet. This packet contains the stratum field set to zero, implying the sent packet was invalid, and the ASCII string RATE in the reference identifier field, indicating the status of the transmitted packet and access control. When the client receives the KoD packet, it may reduce its transmission rate or stop packet transmission to the server. For more information about KoD, refer to RFC 5905 (Network Time Protocol Version 4: Protocol and Algorithms Specification). You can enable KoD at the Grid level and override it at the member level. For more information about enabling KoD, see Defining NTP Access Control.
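How a client recognizes the KoD packet described above, as an added example that is not NIOS code: a server-mode reply with stratum 0 whose 4-byte reference identifier is an ASCII kiss code. The server reply bytes are constructed inline; the backoff in next_poll is an illustrative client policy (RFC 5905 requires clients to slow down on RATE and to stop on DENY or RSTR, but the exact step is this example's choice).

```python
import struct
from typing import Optional

MAX_POLL = 17   # RFC 5905 MAXPOLL, a poll exponent (log2 seconds)


def build_server_packet(stratum: int, refid: bytes, poll: int = 6) -> bytes:
    """Construct a 48-byte NTPv4 server reply (mode 4) for this example."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # LI=0, VN=4, mode=4
    head = struct.pack("!BBBb", li_vn_mode, stratum, poll, -20)
    root = struct.pack("!II", 0, 0)                # root delay, root dispersion
    stamps = struct.pack("!QQQQ", 0, 0, 0, 0)      # timestamps left zero here
    return head + root + refid + stamps


def parse_kiss_code(packet: bytes) -> Optional[str]:
    """Return the kiss code carried by a KoD packet, or None for a normal reply.

    A KoD packet is a server-mode packet with stratum 0 whose reference
    identifier (bytes 12..15) is printable ASCII, e.g. RATE for rate limiting.
    For stratum 2 and above the same field holds an address, not a code."""
    if len(packet) < 48:
        return None                                 # truncated, not a valid reply
    mode = packet[0] & 0x07
    stratum = packet[1]
    if mode != 4 or stratum != 0:
        return None
    refid = packet[12:16]
    if not all(0x21 <= b <= 0x7E for b in refid):  # printable ASCII only
        return None
    return refid.decode("ascii")


def next_poll(current_poll: int, kiss: Optional[str]) -> Optional[int]:
    """Example client reaction: RATE backs off one poll step (bounded by
    MAXPOLL), DENY/RSTR stops polling (None), anything else leaves it alone."""
    if kiss is None:
        return current_poll
    if kiss in ("DENY", "RSTR"):
        return None
    if kiss == "RATE":
        return min(current_poll + 1, MAX_POLL)
    return current_poll                             # unknown code: ignore


if __name__ == "__main__":
    kod = build_server_packet(stratum=0, refid=b"RATE")
    print(parse_kiss_code(kod), next_poll(6, parse_kiss_code(kod)))
```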

Monitoring NTP

When you enable the Grid to synchronize its time with external NTP servers, you can monitor the status of the NTP service by checking the NTP status icons in the Member Services panel. To access the panel, from the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then select the Manage Member Services icon in the table toolbar of the Members tab.
The following are descriptions of the NTP status icons in the Member Services panel. The type of information that can appear in the Description column corresponds to the SNMP trap messages. For information about the Infoblox SNMP traps, see Chapter 37, Monitoring the Appliance.

Icon (color)   Meaning
Green          The NTP service is enabled and running properly.
Yellow         The NTP service is enabled, and the appliance is synchronizing its time.
Red            The NTP service is enabled, but it is not running properly or is out of synchronization.
Gray           The NTP service is disabled.

...