...
Figure 8.1 Infoblox Appliances as NTP Servers| Drawio |
|---|
| border | true1 |
|---|
| viewerToolbar | true |
|---|
| fitWindow | false |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | 8.1 |
|---|
| simpleViewer | false |
|---|
| widthzoom | 1 |
|---|
| pageId | 22250610 |
|---|
| custContentId | 8656126 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
| Anchor |
|---|
| Authenticating NTP |
|---|
| Authenticating NTP |
|---|
|
Authenticating NTP To prevent intruders from interfering with the time services on your network, you can authenticate communications between a NIOS appliance and a public NTP server, and between a NIOS appliance and external NTP clients. NTP communications within the Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between members in a Grid.
NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message.
As shown in
Figure 8.2, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the NIOS appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the NIOS appliance. When you configure a NIOS appliance as an NTP server, you must create a key and send the key information to clients in a secure manner. A key consists of the following:
...
Figure 8.2 NTP Client Administrator Obtaining Secret Key from NTP Server Administrator | Drawio |
|---|
| border | true1 |
|---|
| viewerToolbar | true |
|---|
| fitWindow | false |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | 8.2 |
|---|
| simpleViewer | false |
|---|
| widthzoom | 1 |
|---|
| pageId | 22250610 |
|---|
| custContentId | 7345632 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
| Anchor |
|---|
| NIOS Appliances as NTP Clients |
|---|
| NIOS Appliances as NTP Clients |
|---|
|
NIOS Appliances as NTP Clients
...
When you enable a NIOS appliance to function as an NTP client, you must specify at least one NTP server with which the appliance can synchronize its clock. Infoblox recommends that you specify multiple NTP servers that synchronize their time with different reference clocks and that have different network paths. This increases stability and reduces risk in case a server fails. For a list of public NTP servers, you can access www.ntp.org.
When you specify multiple NTP servers, the NTP daemon on the appliance determines the best source of time by calculating round-trip time, network delay, and other factors that affect the accuracy of the time. NTP periodically polls the servers and adjusts the time on the appliance until it matches the best source of time. If the difference between the appliance and the server is less than five minutes, the appliance adjusts the time gradually until the clock time matches the NTP server. If the difference in time is more than five minutes, the appliance immediately synchronizes its time to match that of the NTP server.
To secure communications between a NIOS appliance and an NTP server, you can authenticate communications between the appliance and the NTP server. When you configure authentication, you must obtain the key information from the administrator of the NTP server and enter the key on the appliance. For information, see Authenticating NTP.
In a Grid, you can configure the Grid Master and Grid members to synchronize their clocks with external NTP servers. When you enable the NTP service on the Grid, the Grid Master automatically functions as an NTP server to the Grid members. A Grid member can synchronize its time with the Grid Master, an external NTP server, or another Grid member. When Grid members synchronize their times with the Grid Master, the Grid Master and its members send NTP messages through an encrypted VPN tunnel, as shown in Figure 8.3. When a Grid member synchronizes its time with another Grid member, the NTP messages are not sent through a VPN tunnel.
Figure 8.3 Grid Master as NTP Client| Drawio |
|---|
| border | true1 |
|---|
| viewerToolbar | true |
|---|
| fitWindow | false |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | 8.3 |
|---|
| simpleViewer | false |
|---|
| widthzoom | 1 |
|---|
| pageId | 22250610 |
|---|
| custContentId | 8656132 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
| Anchor |
|---|
| Configuring the Grid to Use NTP |
|---|
| Configuring the Grid to Use NTP |
|---|
|
Configuring the Grid to Use
NTP
...
Figure 8.4 Grid Members as NTP Servers
| Drawio |
|---|
| border | true1 |
|---|
| viewerToolbar | true |
|---|
| fitWindow | false |
|---|
| baseUrl | https://infoblox-docs.atlassian.net/wiki |
|---|
| diagramName | 8.4 |
|---|
| simpleViewer | false |
|---|
| widthzoom | 1 |
|---|
| pageId | 22250610 |
|---|
| custContentId | 7083271 |
|---|
| lbox | 1 |
|---|
| contentVer | 1 |
|---|
| revision | 1 |
|---|
|
To configure a NIOS appliance as an NTP server, perform the following tasks:
...
- Grid: From the Grid tab, select the Grid Manager tab, expand the Toolbar and click NTP -> NTP Grid Config.
Member: From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box. Expand the Toolbar and click NTP -> NTP Member Config.
To override an inherited property, click Override next to it and complete the appropriate fields. - In the Access Control tab of the Grid or Member NTP Properties editor, select one of the following to configure NTP access control:
- None: Select this if you do not want to configure access control for NTP service. When you select None, the appliance allows all clients to access the NTP service. This is selected by default.
- Use Named ACL for Time only: Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service. NTPqueries NTP queries from the named ACL entries specified here are denied. You can click Clear to remove the selected named ACL and the appliance accepts ntpq queries from those NTP clients
. - Use Named ACL for Time + NTP Control (NTPQ): Select this and click Select Named ACL to select a named ACL that contains only IPv4 addresses and networks. NTP queries do not support TSIG key based ACEs. When you select this, the appliance allows clients that have the Allow permission in the named ACL to use its NTP service, and for the appliance to accept ntpq queries from those clients as well. You can click Clear to remove the selected named ACL.
- Use this set of ACEs: Select this to configure individual ACEs. Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so you can specify additional information about the item you are adding, as follows:
- IPv4 Address: Select this to add an IPv4 address. Click the Value field and enter the IPv4 address. The default permission is Allow, which means that the appliance allows access to and from this IPv4 client. You cannot change the default permission. In the Service field, select Time only to allow this client for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
- IPv4 Network: Select this to add an IPv4 network. Click the Value field and enter the IPv4 network. The default permission is Allow, which means that the appliance allows access to and from this IPv4 network. You cannot change the default permission. In the Service field, select Time only to allow this network for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
- IPv6 Address: Select this to add an IPv6 address. Click the Value field and enter the IPv6 address. The default permission is Allow, which means that the appliance allows access to and from this IPv6 client. You cannot change the default permission. In the Service field, select Time only to allow this client for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this client.
- IPv6 Network: Select this to add an IPv6 network. Click the Value field and enter the IPv6 network. The default permission is Allow, which means that the appliance allows access to and from this IPv6 network. You cannot change the default permission. In the Service field, select Time only to allow this network for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from this network.
- Any Address/Network: Select this to allow access to all IPv4 and IPv6 addresses and networks. The default permission is Allow, which means that the appliance allows access to and from all IPv4 and IPv6 clients. You cannot change the default permission. In the Service field, select Time only to allow clients for using the NTP service on the appliance; or select Time + NTP Control (NTPQ) to also accept ntpq queries from all clients.
After you have added access control entries, you can do the following:- Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.
- Reorder the list of ACEs using the up and down arrows next to the table.
- Select an ACE and click the Edit icon to modify the entry.
- Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.
- Enable KoD: When you select this check box, the appliance (when acting as an NTP server) sends a KoD (Kiss-o'-Death) packet to the NTP client if the client has exceeded the rate limit. The KoD packet contains the stratum field set to zero and the ASCII string in the Reference Source Identifier field set to RATE, indicating the packets sent by the client have been dropped by the server. When you clear the check box, the NTP server drops the packets but does not send any KoD packet to the client. This check box is deselected by default. For more information about KoD, see Enabling Kiss-o'-Death for NTP.
- Save the configuration and click Restart if it appears at the top of the screen.
...
