
Using NTP for Time Settings

NTP (Network Time Protocol) is a standard protocol that system clocks use to ensure their time is always accurate. Appliances that use NTP try to get their time as close as possible to UTC (Coordinated Universal Time), the standard timescale used worldwide. NTP uses UDP (User Datagram Protocol) on port 123 for communications between clients and servers.
NTP is based on a hierarchy where reference clocks are at the top. Reference clocks use different methods such as special receivers or satellite systems to synchronize their time to UTC. NTP servers on the first level of the hierarchy synchronize their time with the reference clocks, and serve time to clients as well. Each level in the hierarchy is a stratum; stratum-0 is a reference clock. Stratum-1 servers synchronize their clocks with reference clocks. Stratum-2 servers synchronize their clocks with stratum-1 servers, and so forth. The stratum number indicates the number of levels between the NTP server and the reference clock. A higher stratum number could indicate more variance between the NTP server and the reference clock.
You can configure the Multi-Grid Master to function as an NTP client that synchronizes its clock with an NTP server. NTP clients typically use time information from at least three different sources to ensure reliability and a high degree of accuracy. There are a number of public NTP servers on the Internet with which the appliance can synchronize its clock. For a list of these servers, you can access http://www.ntp.org.
The Multi-Grid Master and its members can function as NTP clients that synchronize their clocks with external NTP servers. You can configure the Multi-Grid Master and its members to use their own external NTP servers.

Authenticating NTP

To prevent intruders from interfering with the time services on your network, you can authenticate communications between the Multi-Grid Master or member and a public NTP server, and between the Multi-Grid Master or member and external NTP clients.
NTP uses symmetric key cryptography, where the server and the client use the same algorithm and key to calculate and verify a MAC (message authentication code). The MAC is a digital thumbprint of the message that the receiver uses to verify the authenticity of a message.
As shown in Figure 8.1, the NTP client administrator must first obtain the secret key information from the administrator of the NTP server. The server and the client must have the same key ID and data. Therefore, when you configure the appliance as an NTP client and want to use authentication, you must obtain the key information from the administrator of the external NTP server and enter the information on the appliance. When you configure the appliance as an NTP server, you must create a key and send the key information to clients in a secure manner. A key consists of the following:

  • Key Number: A positive integer that identifies the key.
  • Key Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.
    • M: The key is a 1-31 character ASCII string using MD5 (Message Digest).
    • S: The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.
    • A: The key is a DES key written as a 1-8 character ASCII string.
    • N: The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.
  • Key String: The key data used to calculate the MAC. The format depends on the Key Type you select.


When the NTP client initiates a request for time services to the NTP server, it creates the MAC by using the agreed upon algorithm to compress the message and then encrypts the compressed message (which is also called a message digest) with the secret key. The client appends the MAC to the message it sends to the NTP server. When the NTP server receives the message from the client, it performs the same procedure on the message — it compresses the message it received, encrypts it with the secret key and generates the MAC. It then compares the MAC it created with the MAC it received. If they match, the server continues to process and respond to the message. If the MACs do not match, the receiver drops the message.
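
The exchange above, worked through for the MD5 key type (M) as an added example (not code from the appliance or its vendor). It assumes the standard NTP symmetric-key layout, in which the MAC is an MD5 digest over the secret key followed by the 48-byte header and is sent after a 4-byte key ID; the key number, key string and timestamp are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header
DIGEST_LEN = 16   # MD5 digest size

def md5_mac(key: bytes, header: bytes) -> bytes:
    """MD5 digest over the shared key followed by the NTP header."""
    return hashlib.md5(key + header).digest()

def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Sender side: append the 4-byte key ID and the MAC to the header."""
    return header + struct.pack("!I", key_id) + md5_mac(key, header)

def verify(packet: bytes, keyring: dict) -> bool:
    """Receiver side: recompute the MAC and compare. False means drop."""
    if len(packet) != HEADER_LEN + 4 + DIGEST_LEN:
        return False                      # unauthenticated or malformed
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", trailer[:4])
    key = keyring.get(key_id)
    if key is None:
        return False                      # key ID not configured locally
    # Constant-time comparison of the computed and received MACs.
    return hmac.compare_digest(md5_mac(key, header), trailer[4:])

def sample_request() -> bytes:
    """Constructed client request: LI=0, VN=4, Mode=3, made-up timestamp."""
    header = bytearray(HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3
    header[40:48] = struct.pack("!II", 3913056000, 0)   # transmit timestamp
    return bytes(header)

# Constructed key material: both sides hold the same key ID and data.
CLIENT_KEY = (7, b"time-sync-secret")
SERVER_KEYS = {7: b"time-sync-secret"}

if __name__ == "__main__":
    packet = sign(sample_request(), *CLIENT_KEY)
    print("matching key accepted:", verify(packet, SERVER_KEYS))
    forged = sign(sample_request(), 7, b"guessed-key")
    print("wrong key accepted:", verify(forged, SERVER_KEYS))
```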

Figure 8.1 NTP Client Administrator Obtaining Secret Key from NTP Server Administrator

Multi-Grid Master and Members as NTP Clients

Figure 8.2 Master Grid as NTP Client


Configuring the Master Grid to Use NTP

In the Master Grid, the Multi-Grid Master and members can synchronize their clocks with external NTP servers. In an HA pair, the active node communicates directly with an external NTP server. The passive node then synchronizes its clock with the active node.
To configure the Master Grid to use NTP, perform the following tasks:

  • If you want to enable authentication between the appliance and NTP servers, you must specify the authentication keys before enabling the NTP service. For information, see Adding NTP Authentication Keys.
  • Enable the NTP service on the Master Grid and specify one or more external NTP servers. For information, see Enabling the NTP Service.

Adding NTP Authentication Keys

To enable authentication between the appliance and the NTP servers, add the authentication keys before enabling the NTP service on the Master Grid. You can also override authentication keys at the Multi-Grid Master and member levels.
To add NTP authentication keys:

  1. Master Grid: From the Master Grid tab, select the Multi-Grid Master, expand the Toolbar and click NTP -> NTP Master Grid Config.
    Member: From the Master Grid tab, select the Members tab -> master_grid_member checkbox. Expand the Toolbar and click NTP -> NTP Master Grid Member Config.
    To override an inherited property, click Override next to it and complete the appropriate fields.
  2. Click the Add icon in the NTP Keys section and enter the following information.
    • Key Number: A positive integer that identifies a key.
    • Type: Specifies the key format and the algorithm used to calculate the MAC (message authentication code) of a message.
      • MD5 in ASCII format (M): The key is a 1-31 character ASCII string using MD5 (Message Digest).
      • DES in hex format (S): The key is a 64-bit hexadecimal number in DES (Data Encryption Standard) format. The high order 7 bits of each octet form the 56-bit key, and the low order bit of each octet is given a value so that the octet maintains odd parity. You must specify leading zeros so the key is exactly 16 hexadecimal digits long and maintains odd parity.
      • DES in ASCII format (A): The key is a DES key written as a 1-8 character ASCII string.
      • DES in NTP format (N): The key is a 64-bit hexadecimal number in NTP format. It is the same as the S format, but the bits in each octet have been rotated one bit right so the parity bit is in the high order bit of the octet. You must specify leading zeros and odd parity must be maintained.
    • String: The key data used to calculate the MAC. The format depends on the Key Type you select.
  3. Click Save to save the entry and keep the editor open so you can enable the Master Grid to synchronize its time with external NTP servers, as described in Enabling the NTP Service.

Note that if you enter a new key, the appliance checks if the key already exists in the key list. If the key exists, but either the key type or key string does not match, the appliance sends an error message.
After you enter an authentication key, you can modify or delete it. Note that you cannot delete a key that an NTP server references. You must first delete all NTP servers that reference that key and then delete the key.
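
A pre-check for key entries before they are typed into the NTP Keys section, covering the four key types listed under Authenticating NTP and again in step 2 above. This is an added example, not the appliance's own validation; the function names and sample keys are constructed for illustration.

```python
def popcount_is_odd(octet: int) -> bool:
    return bin(octet).count("1") % 2 == 1

def fix_parity(hex_key: str) -> str:
    """Set the low-order bit of each S-format octet so the octet has odd parity."""
    out = bytearray()
    for octet in bytes.fromhex(hex_key):
        high7 = octet & 0xFE                      # the 7 key bits
        out.append(high7 | (0 if popcount_is_odd(high7) else 1))
    return out.hex().upper()

def s_to_n(hex_key: str) -> str:
    """Rotate each octet one bit right: the parity bit moves to the high-order bit."""
    return bytes(((o >> 1) | (o << 7)) & 0xFF
                 for o in bytes.fromhex(hex_key)).hex().upper()

def validate_key(number: int, key_type: str, key_string: str) -> list:
    """Return a list of problems; an empty list means the entry is well formed."""
    problems = []
    if number < 1:
        problems.append("key number must be a positive integer")
    if key_type in ("M", "A"):
        limit = 31 if key_type == "M" else 8
        if not (key_string.isascii() and 1 <= len(key_string) <= limit):
            problems.append(f"type {key_type} needs a 1-{limit} character ASCII string")
    elif key_type in ("S", "N"):
        hex_ok = len(key_string) == 16 and all(
            c in "0123456789abcdefABCDEF" for c in key_string)
        if not hex_ok:
            problems.append(f"type {key_type} needs exactly 16 hexadecimal digits")
        else:
            # Rotation keeps the bit count, so the parity test is the same for S and N.
            bad = [i for i, o in enumerate(bytes.fromhex(key_string))
                   if not popcount_is_odd(o)]
            if bad:
                problems.append(f"octets {bad} do not have odd parity")
    else:
        problems.append(f"unknown key type {key_type!r}")
    return problems

# Constructed sample entries (not real keys).
SAMPLES = [(1, "M", "time-sync-secret"), (2, "S", "0123456789ABCDEF"),
           (3, "N", s_to_n("0123456789ABCDEF")), (4, "S", "123456789ABCDEF"),
           (5, "S", "0123456789ABCDEE"), (6, "A", "ninechars")]

if __name__ == "__main__":
    for number, key_type, key_string in SAMPLES:
        print(number, key_type, validate_key(number, key_type, key_string) or "ok")
```

Entry 4 fails because the leading zero was dropped, and entry 5 fails because its last octet has even parity; `fix_parity` repairs the parity bits of an S-format key before it is shared.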

Enabling the NTP Service

To enable the Master Grid to synchronize its time with external NTP servers:

  1. From the Master Grid tab, select the Member tab -> multi-grid_master checkbox, expand the Toolbar and click NTP -> NTP Master Grid Config.
  2. In the Master Grid Properties editor, select Synchronize the Master Grid with these External NTP Servers.
  3. Click the Add icon in the External NTP Servers table.
  4. In the Add NTP Server dialog box, enter the following information, and then click Add.
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the appliance can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see /wiki/spaces/mgmadminguide/pages/911185112
    • Enable Authentication: Select this option to enable authentication of NTP communications between the external NTP server and the appliance (the Multi-Grid Master or Master Grid member or the active node in an HA pair).

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Master Grid member and an external NTP server, as well as between a Master Grid member and external NTP clients. NTP communications within the Master Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Multi-Grid Master and Master Grid members.

    • Authentication Key: Select a key that you previously entered, and then click OK. For information, see Adding NTP Authentication Keys.
  5. Save the configuration.

Configuring a Master Grid Member to Use NTP

To configure the Multi-Grid Master or member to synchronize its time with external NTP servers:

  1. From the Master Grid tab, select the Members tab -> master_grid_member checkbox.
  2. Expand the Toolbar and click NTP -> NTP Master Grid Member Config.
  3. In the Master Grid Member Properties editor, do the following:
    • Synchronize this Member with other NTP Servers: Select this option to enable this Master Grid member to use external NTP servers. When you select this checkbox, you must enter at least one external NTP server for the member.
  4. Click Override, and then click the Add icon in the External NTP Servers table.
  5. In the Add NTP Server dialog box, enter the following information, and then click Add.
    • NTP Server (FQDN or IP Address): Enter either the IP address or the resolvable host name of an NTP server. You can view a list of public NTP servers at ntp.isc.org. To check whether the appliance can resolve the NTP server host name, click Resolve Name. You must have a DNS name resolver configured. For information, see /wiki/spaces/mgmadminguide/pages/911185112
    • Enable Authentication: Select this checkbox to enable authentication of NTP communications between the external NTP server and the member in the Master Grid.

      Note: To prevent intruders from interfering with the time services on your network, you can authenticate communications between a Master Grid member and an external NTP server, as well as between a member and external NTP clients. NTP communications within the Master Grid go through an encrypted VPN tunnel, so you do not have to enable authentication between the Multi-Grid Master and members.

    • Authentication Key: Select a key that you previously entered, and then click OK. For information, see Adding NTP Authentication Keys.
  6. Save the configuration.

Managing External NTP Servers

You can specify multiple NTP servers for failover purposes. The appliance attempts to connect to the NTP servers in the order they are listed. You can change the order of the list by selecting an NTP server and dragging it to its new location or by clicking the up and down arrows. You can add and delete servers and modify their information as well.