<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Access Control Options</title>
<h3>Access Control Options</h3>
<img align="left" src="pic/pogo6.gif" alt="gif"><a href=
"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Pogo</i>,</a>
<p>The skunk watches for intruders and sprays.<br clear="left"></p>
<h4>Access Control Support</h4>
<p><tt>ntpd</tt> implements a general-purpose address-and-mask based
restriction list. The list is sorted by address and then by mask, and
is searched in this order for matches, with the last match found
defining the restriction flags associated with the incoming packet.
The source address of the incoming packet is used for the match: the
32-bit address is AND'ed with the mask associated with the restriction
entry and then compared with the entry's address (which has also been
AND'ed with the mask) to look for a match. Additional information and
examples can be found in the <a href="notes.htm">Notes on Configuring
NTP and Setting up a</a>
<p>The restriction facility was implemented in conformance with the
access policies for the original NSFnet backbone time servers.
While this facility may be otherwise useful for keeping unwanted or
broken remote time servers from affecting your own, it should not
be considered an alternative to the standard NTP authentication
facility. Source address based restrictions are easily circumvented
by a determined cracker.</p>
<h4>The Kiss-of-Death Packet</h4>
<p>Ordinarily, packets denied service are simply dropped with no
further action except incrementing statistics counters. Sometimes a
more proactive response is needed, such as a server message that
explicitly requests the client to stop sending and leave a message
for the system operator. A special packet format, called the
kiss-of-death packet, has been created for this purpose. If the <tt>
kod</tt> flag is set and either service is denied or the client
limit is exceeded, the server returns the packet with the leap bits
set to unsynchronized, the stratum set to zero and the ASCII string
"DENY" in the reference source identifier field. If the <tt>kod</tt>
flag is not set, the server simply drops the packet.</p>
<p>A client or peer receiving a kiss-of-death packet performs a set
of sanity checks to minimize security exposure. If this is the
first packet received from the server, the client assumes an access
denied condition at the server. It updates the stratum and
reference identifier peer variables and sets the access denied
(test 4) bit in the peer flash variable. If this bit is set, the
client sends no packets to the server. If this is not the first
packet, the client assumes a client limit condition at the server,
but does not update the peer variables. In either case, a message
is sent to the system log.</p>
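<p>The server-side construction of the kiss-of-death packet and the client-side sanity checks just described, worked in Python as an added example (not ntpd's own code). The 48-byte header layout is the standard NTP header. Two details the page leaves open are assumptions here: a mode 3 client request is answered in mode 4, and the "test 4" flash bit is encoded as bit 3.</p>

```python
"""Kiss-of-death packet, server and client side (added example, not ntpd code).

Assumptions beyond the page: a mode 3 (client) request is answered in
mode 4 (server), and the "test 4" flash bit is encoded as bit 3.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# li_vn_mode, stratum, poll, precision, root delay, root dispersion,
# reference identifier, then four 64-bit timestamps: 48 bytes in all
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")
LI_UNSYNC = 3                   # leap indicator value "unsynchronized"
MODE_CLIENT, MODE_SERVER = 3, 4
KOD_DENY = b"DENY"              # kiss code carried in the reference identifier
TEST4_ACCESS_DENIED = 1 << 3    # assumed encoding of the page's "test 4" flash bit


@dataclass(frozen=True)
class Header:
    li: int
    vn: int
    mode: int
    stratum: int
    refid: bytes


def build_packet(li: int, vn: int, mode: int, stratum: int, refid: bytes,
                 poll: int = 6, precision: int = -20, tx: int = 0) -> bytes:
    """Pack a minimal NTP header; only the transmit timestamp is set."""
    return NTP_HEADER.pack((li << 6) | (vn << 3) | mode, stratum, poll,
                           precision, 0, 0, refid, 0, 0, 0, tx)


def parse_header(pkt: bytes) -> Header:
    """Unpack the fields a kiss-of-death check needs from the first 48 bytes."""
    f = NTP_HEADER.unpack(pkt[:NTP_HEADER.size])
    return Header(f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1], f[6])


def kod_reply(request: bytes, kod_flag: bool) -> Optional[bytes]:
    """Server side: with kod set, return the request with the leap bits
    unsynchronized, stratum zero and "DENY" as reference identifier.
    Without the kod flag the packet is simply dropped (None)."""
    if not kod_flag:
        return None
    h = parse_header(request)
    mode = MODE_SERVER if h.mode == MODE_CLIENT else h.mode   # assumption, see above
    first = (LI_UNSYNC << 6) | (h.vn << 3) | mode
    # byte 0: li/vn/mode, byte 1: stratum, bytes 12..15: refid; the rest is echoed
    return bytes([first, 0]) + request[2:12] + KOD_DENY + request[16:NTP_HEADER.size]


def is_kod(pkt: bytes) -> bool:
    """All three markers must be present before a packet counts as kiss-of-death."""
    h = parse_header(pkt)
    return h.li == LI_UNSYNC and h.stratum == 0 and h.refid == KOD_DENY


@dataclass
class Peer:
    stratum: int = 16                  # nothing learned from the server yet
    refid: bytes = b"\0\0\0\0"
    flash: int = 0                     # sanity-check bits
    packets_seen: int = 0
    syslog: List[str] = field(default_factory=list)


def receive(peer: Peer, pkt: bytes, server: str = "server") -> str:
    """Client-side checks from the page: a kiss-of-death as the first packet
    means access denied (peer variables updated, test 4 set, polling stops);
    a later one means the client limit was hit (peer variables untouched)."""
    first_packet = peer.packets_seen == 0
    peer.packets_seen += 1
    if not is_kod(pkt):
        return "normal"
    if first_packet:
        h = parse_header(pkt)
        peer.stratum, peer.refid = h.stratum, h.refid
        peer.flash |= TEST4_ACCESS_DENIED
        peer.syslog.append(f"{server}: access denied")
        return "access denied"
    peer.syslog.append(f"{server}: client limit exceeded")
    return "client limit"


def may_send(peer: Peer) -> bool:
    """With test 4 set the client sends no further packets to this server."""
    return not peer.flash & TEST4_ACCESS_DENIED


if __name__ == "__main__":
    # Constructed exchange: a client request answered by a kod-enabled server
    request = build_packet(0, 4, MODE_CLIENT, 0, b"\0\0\0\0", tx=0x1234)
    reply = kod_reply(request, kod_flag=True)
    peer = Peer()
    print(receive(peer, reply), "may_send:", may_send(peer), peer.syslog)
```

<p>The check in <tt>is_kod</tt> requires all three markers (leap bits, stratum zero and the "DENY" reference identifier) before a packet is treated as a kiss-of-death, and the first-packet distinction is what keeps a later "DENY" from overwriting the peer variables of an association that is already working, which is the exposure the page's sanity checks are meant to limit.</p>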
<h4>Access Control Commands</h4>
<dt><tt>restrict <i>numeric_address</i> [mask <i>numeric_mask</i>]
[<i>flag</i>][...]</tt></dt>
<dd>The <i><tt>numeric_address</tt></i> argument, expressed in
dotted-quad form, is the address of a host or network. The <i>
<tt>mask</tt></i> argument, also expressed in dotted-quad form,
defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt>
numeric_address</tt></i> is treated as the address of an individual
host. A default entry (address <tt>0.0.0.0</tt>, mask <tt>
0.0.0.0</tt>) is always included and, given the sort algorithm, is
always the first entry in the list. Note that, while <i><tt>
numeric_address</tt></i> is normally given in dotted-quad format,
the text string <tt>default</tt>, with no mask option, may be used
to indicate the default entry.</dd>
<dd>In the current implementation, <i><tt>flag</tt></i> always
restricts access, i.e., an entry with no flags indicates that free
access to the server is to be given. The flags are not orthogonal,
in that more restrictive flags will often make less restrictive
ones redundant. The flags can generally be classed into two
categories: those which restrict time service and those which
restrict informational queries and attempts to do run-time
reconfiguration of the server. One or more of the following flags
may be specified:</dd>
<dt><tt>kod</tt></dt>
<dd>If access is denied, send a kiss-of-death packet.</dd>
<dt><tt>ignore</tt></dt>
<dd>Ignore all packets from hosts which match this entry. If this
flag is specified, neither queries nor time server polls will be
<dt><tt>noquery</tt></dt>
<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries
and configuration requests) from the source. Time service is not
<dt><tt>nomodify</tt></dt>
<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the
state of the server (i.e. run-time reconfiguration). Queries which
return information are permitted.</dd>
<dt><tt>notrap</tt></dt>
<dd>Decline to provide mode 6 control message trap service to
matching hosts. The trap service is a subsystem of the mode 6
control message protocol which is intended for use by remote event
logging programs.</dd>
<dt><tt>lowpriotrap</tt></dt>
<dd>Declare traps set by matching hosts to be low priority. The
number of traps a server can maintain is limited (the current limit
is 3). Traps are usually assigned on a first-come, first-served
basis, with later trap requestors being denied service. This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.</dd>
<dt><tt>noserve</tt></dt>
<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect,
time service is denied, though queries may still be permitted.</dd>
<dt><tt>nopeer</tt></dt>
<dd>Provide stateless time service to polling hosts, but do not
allocate peer memory resources to these hosts even if they
otherwise might be considered useful as future synchronization
<dt><tt>notrust</tt></dt>
<dd>Treat these hosts normally in other respects, but never use
them as synchronization sources.</dd>
<dt><tt>limited</tt></dt>
<dd>These hosts are subject to a limit on the number of clients from
the same net. Net in this context refers to the IP notion of net
(class A, class B, class C, etc.). Only the first <tt>
client_limit</tt> hosts that have shown up at the server and that
have been active during the last <tt>client_limit_period</tt>
seconds are accepted. Requests from other clients from the same net
are rejected. Only time request packets are taken into account.
Query packets sent by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs
are not subject to these limits. A history of clients is kept using
the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is
always active as long as there is a restriction entry with the <tt>
limited</tt> flag.</dd>
<dt><tt>ntpport</tt></dt>
<dd>This is actually a match algorithm modifier, rather than a
restriction flag. Its presence causes the restriction entry to be
matched only if the source port in the packet is the standard NTP
UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may
be specified. The <tt>ntpport</tt> entry is considered more specific
and is sorted later in the list.</dd>
<dt><tt>version</tt></dt>
<dd>Ignore these hosts if not the current NTP version.</dd>
<dd>Default restriction list entries, with the flags <tt>ignore,
interface, ntpport</tt>, for each of the local host's interface
addresses are inserted into the table at startup to prevent the
server from attempting to synchronize to its own time. A default
entry is also always present; if it is otherwise unconfigured, no
flags are associated with the default entry (i.e., everything
besides your own NTP server is unrestricted).</dd>
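<p>The sort-and-search rules given under Access Control Support above, together with the <tt>restrict</tt> syntax, the <tt>ntpport</tt> modifier and the always-present default entry described in this section, modelled in Python as an added example. This is not ntpd's own code: the two <tt>ntp.conf</tt> fragments are constructed, and placing <tt>non-ntpport</tt> entries between plain and <tt>ntpport</tt> entries in the sort order is an assumption (the page only says that <tt>ntpport</tt> sorts later).</p>

```python
"""Model of ntpd's address-and-mask restriction list (added example, not ntpd code).

The ntp.conf fragments below are constructed samples. Sorting non-ntpport
entries between plain and ntpport entries is an assumption; the page only
says that ntpport entries sort later.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

NTP_PORT = 123


def ip_to_int(dotted: str) -> int:
    """Convert a dotted-quad address or mask to its 32-bit integer value."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-quad value: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


@dataclass(frozen=True)
class RestrictEntry:
    addr: int                    # numeric_address already AND'ed with the mask
    mask: int                    # numeric_mask (255.255.255.255 when omitted)
    flags: FrozenSet[str]        # restriction flags; empty means free access
    port_match: Optional[bool]   # None: any port; True: ntpport; False: non-ntpport


def parse_restrict(line: str) -> RestrictEntry:
    """Parse one 'restrict numeric_address [mask numeric_mask] [flag]...' line."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "restrict":
        raise ValueError(f"not a restrict line: {line!r}")
    if toks[1] == "default":                 # the default entry: 0.0.0.0 mask 0.0.0.0
        addr, mask, rest = 0, 0, toks[2:]
    else:
        addr, mask, rest = ip_to_int(toks[1]), 0xFFFFFFFF, toks[2:]
        if rest[:1] == ["mask"]:
            mask, rest = ip_to_int(rest[1]), rest[2:]
    port_match = None
    flags = set()
    for flag in rest:
        if flag == "ntpport":                # match-algorithm modifiers, not restrictions
            port_match = True
        elif flag == "non-ntpport":
            port_match = False
        else:
            flags.add(flag)
    return RestrictEntry(addr & mask, mask, frozenset(flags), port_match)


def build_restrict_list(conf_lines: List[str]) -> List[RestrictEntry]:
    """Build the list as ntpd sorts it: by address, then by mask, ntpport later."""
    entries = [parse_restrict(ln) for ln in conf_lines if ln.strip().startswith("restrict")]
    # The default entry is always present; unless configured it carries no flags.
    if not any(e.addr == 0 and e.mask == 0 and e.port_match is None for e in entries):
        entries.append(RestrictEntry(0, 0, frozenset(), None))
    port_order = {None: 0, False: 1, True: 2}   # ntpport last among equal entries
    entries.sort(key=lambda e: (e.addr, e.mask, port_order[e.port_match]))
    return entries


def flags_for(entries: List[RestrictEntry], src_ip: str, src_port: int) -> FrozenSet[str]:
    """Search the sorted list; the last matching entry defines the flags."""
    src = ip_to_int(src_ip)
    result: FrozenSet[str] = frozenset()
    for e in entries:
        if (src & e.mask) != e.addr:
            continue
        if e.port_match is not None and e.port_match != (src_port == NTP_PORT):
            continue
        result = e.flags
    return result


# Constructed samples: a fragment that leaves the default entry unconfigured
# beside one that restricts it and carves out the loopback and the local net.
OPEN_CONF = ["restrict 127.0.0.1"]
HARDENED_CONF = [
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict 127.0.0.1",
    "restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap",
    "restrict 192.168.1.50 ntpport noquery",
]

if __name__ == "__main__":
    hardened = build_restrict_list(HARDENED_CONF)
    for entry in hardened:
        print(f"{entry.addr:08x}/{entry.mask:08x} port={entry.port_match} {sorted(entry.flags)}")
    for ip, port in [("203.0.113.9", 123), ("127.0.0.1", 123), ("192.168.1.7", 123),
                     ("192.168.1.50", 123), ("192.168.1.50", 40000)]:
        print(ip, port, sorted(flags_for(hardened, ip, port)))
```

<p>With the open fragment the only entries are the implicit, flag-free default and the loopback line, so a packet from any outside host gets no flags at all, which is what "everything besides your own NTP server is unrestricted" means in practice. With the hardened fragment the outside host takes the restrictive default, the local net takes the <tt>/24</tt> entry, and <tt>192.168.1.50</tt> takes the <tt>ntpport</tt> entry only when its source port is 123; from any other source port that entry does not match and the <tt>/24</tt> entry applies instead.</p>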
<dt><tt>clientlimit <i>limit</i></tt></dt>
<dd>Set the <tt>client_limit</tt> variable, which limits the number
of simultaneous access-controlled clients. The default value for
this variable is 3.</dd>
<dt><tt>clientperiod <i>period</i></tt></dt>
<dd>Set the <tt>client_limit_period</tt> variable, which specifies
the number of seconds after which a client is considered inactive
and thus is no longer counted for the client limit restriction. The
default value for this variable is 3600 seconds.</dd>
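<p>The per-net client limit applied by the <tt>limited</tt> flag, with the <tt>client_limit</tt> and <tt>client_limit_period</tt> variables set by the two commands above, worked in Python as an added example (not ntpd's own code). The page defines "net" in the classful sense (class A, B, C); the classful boundaries used here (first octet below 128, 192 and 224) are the standard ones. Whether a rejected host is recorded in the client history is not stated on the page, so this model records only accepted hosts.</p>

```python
"""Client-limit enforcement for the 'limited' flag (added example, not ntpd code).

Assumptions: "net" is the classful network of the source address; only
accepted hosts are recorded in the history. Defaults follow the page:
client_limit 3, client_limit_period 3600 seconds.
"""
from typing import Dict, List, Tuple


def classful_net(ip: str) -> str:
    """Return the classful network of a unicast address as a prefix string."""
    o = [int(x) for x in ip.split(".")]
    if len(o) != 4 or any(not 0 <= v <= 255 for v in o):
        raise ValueError(f"bad address: {ip!r}")
    if o[0] < 128:                             # class A
        return f"{o[0]}.0.0.0/8"
    if o[0] < 192:                             # class B
        return f"{o[0]}.{o[1]}.0.0/16"
    if o[0] < 224:                             # class C
        return f"{o[0]}.{o[1]}.{o[2]}.0/24"
    raise ValueError(f"no classful unicast net for {ip!r}")


class ClientLimiter:
    """Accept time requests from at most client_limit hosts per net that have
    been active within the last client_limit_period seconds."""

    def __init__(self, client_limit: int = 3, client_limit_period: int = 3600):
        self.client_limit = client_limit
        self.client_limit_period = client_limit_period
        self.history: Dict[str, Dict[str, float]] = {}   # net -> {host: last active}

    def accept(self, src_ip: str, now: float) -> bool:
        """Decide one time request packet (mode 6/7 queries never come here)."""
        net = classful_net(src_ip)
        hosts = self.history.setdefault(net, {})
        # forget hosts inactive for longer than client_limit_period
        for host, last in list(hosts.items()):
            if now - last > self.client_limit_period:
                del hosts[host]
        # a known active host stays accepted; a new one only while slots remain
        if src_ip in hosts or len(hosts) < self.client_limit:
            hosts[src_ip] = now
            return True
        return False


def run_trace(trace: List[Tuple[float, str]], limit: int = 3,
              period: int = 3600) -> List[bool]:
    """Replay (seconds, source address) time requests and return each decision."""
    limiter = ClientLimiter(limit, period)
    return [limiter.accept(ip, t) for t, ip in trace]


# Constructed trace: four hosts on one class C net, one on a neighbouring net
SAMPLE_TRACE = [(0, "192.168.5.1"), (1, "192.168.5.2"), (2, "192.168.5.3"),
                (3, "192.168.5.4"), (4, "192.168.6.9"), (100, "192.168.5.1"),
                (4000, "192.168.5.4")]

if __name__ == "__main__":
    for (t, ip), ok in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"t={t:5} {ip:14} {'accepted' if ok else 'rejected (client limit)'}")
```

<p>In the trace the fourth host on <tt>192.168.5.0/24</tt> is rejected while the first three are still within the period, a host on the neighbouring net is unaffected because the limit is counted per net, and the fourth host is accepted once the others have been inactive for longer than <tt>client_limit_period</tt>. With the <tt>kod</tt> flag also set, each rejection here is the "client limit is exceeded" case in which the server returns a kiss-of-death packet instead of dropping silently.</p>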
<a href="index.htm"><img align="left" src="pic/home.gif" alt=
<address><a href="mailto:mills@udel.edu">David L. Mills
&lt;mills@udel.edu&gt;</a></address>