On 2005-11-02, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Somehow you are always a step ahead of me ;-) Adding restrictions is
> my next step (I finally added authentication the other day). With my
> current setup of: 2 broadcast servers (that peer each other) and the
> rest of the subnet being broadcast clients. What set of restrictions is
> recommended (assuming highest level of paranoia ;-))

'restrict default ignore' is the most paranoid default; it tells ntpd to
ignore all NTP packets from any source. Along with this default you need
to add exceptions for all authorized clients and remote time servers.

Please see http://ntp.isc.org/Support/AccessRestrictions for information
about setting up your restrictions.

Keep in mind that the meaning of 'notrust' changed at ntpd version 4.2.

> Please take a look at the authentication I've set up (below) and let me
> know what you think:
>
> "server1" sends broadcasts with "key1".
> "server2" sends broadcasts with "key2".
> both servers peer with each other using "key3".

Why symmetric keys instead of Autokey?

> This means that
>
> "server1" trusts "key1" and "key3".

Server1 sends NTP (broadcast) packets authenticated with key1 and trusts
NTP packets authenticated with key3.

> "server2" trusts "key2" and "key3"

Server2 sends NTP (broadcast) packets authenticated with key2 and trusts
NTP packets authenticated with key3.

> broadcast clients trust "key2" and "key3"

The broadcast clients trust NTP packets authenticated with either key1
or key2.

--
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
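The following ntp.conf and ntp.keys fragments are an added worked example of the layout discussed in this thread (two broadcast servers peering with each other, the rest of the subnet as broadcast clients, 'restrict default ignore' plus explicit exceptions, and symmetric keys 1/2/3 as in the reply). They are not taken from the original post or from the ntp.org documentation. The subnet 192.0.2.0/24, the addresses 192.0.2.1 (server1) and 192.0.2.2 (server2), the key numbers and the key strings are all assumptions chosen for illustration; replace them with your own. The 'notrust' flag is used with its ntpd 4.2 meaning (reject packets that are not cryptographically authenticated), which is not what it meant before 4.2.

```conf
# ---------------------------------------------------------------------
# /etc/ntp.keys on server1 and server2 (constructed example)
# Format: <key number> <type> <key>; type M is an MD5 key given as
# 1-16 printable ASCII characters. Keep this file mode 0600, owner root.
# ---------------------------------------------------------------------
1 M serverOneSecret     # key1: server1's broadcasts
2 M serverTwoSecret     # key2: server2's broadcasts
3 M peerLinkSecret      # key3: the server1 <-> server2 peer link

# ---------------------------------------------------------------------
# /etc/ntp.keys on every broadcast client (constructed example)
# The clients only ever verify key1 and key2, so key3 is deliberately
# NOT installed on them: a compromised client cannot forge peer traffic.
# ---------------------------------------------------------------------
1 M serverOneSecret
2 M serverTwoSecret

# ---------------------------------------------------------------------
# /etc/ntp.conf on server1 (192.0.2.1, assumed address)
# ---------------------------------------------------------------------
keys /etc/ntp.keys
trustedkey 1 3                      # may send with key1, accept key3
broadcast 192.0.2.255 key 1         # sign broadcasts with key1
peer 192.0.2.2 key 3                # symmetric peer with server2

# Upstream time sources for this server are omitted here; each one
# needs its own 'restrict <address> ...' exception below.

restrict default ignore             # drop everything not listed below
restrict 127.0.0.1                  # local ntpq/ntpdc still works
# The whole subnet may get time (needed for the clients' initial
# broadcast-delay calibration volley and for the peer), but may not
# query, modify or set traps.
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery notrap

# ---------------------------------------------------------------------
# /etc/ntp.conf on server2 (192.0.2.2, assumed address): mirror image
# ---------------------------------------------------------------------
keys /etc/ntp.keys
trustedkey 2 3                      # may send with key2, accept key3
broadcast 192.0.2.255 key 2         # sign broadcasts with key2
peer 192.0.2.1 key 3                # symmetric peer with server1
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery notrap

# ---------------------------------------------------------------------
# /etc/ntp.conf on each broadcast client
# ---------------------------------------------------------------------
keys /etc/ntp.keys
trustedkey 1 2                      # accept broadcasts signed by key1 or key2
broadcastclient
restrict default ignore
restrict 127.0.0.1
# Only the two servers are ever accepted, and only when their packets
# carry a valid MAC ('notrust' in its ntpd 4.2 sense). Restrictions
# match on the source address of the packet, which for a broadcast is
# the sending server's unicast address, so these two lines cover both
# the broadcasts and the calibration exchange.
restrict 192.0.2.1 nomodify noquery notrap notrust
restrict 192.0.2.2 nomodify noquery notrap notrust
```

After restarting ntpd on each host, 'ntpq -p' run locally (permitted by the 'restrict 127.0.0.1' line) should show the peer association on the servers and the two broadcast associations on the clients; an association that stays at reach 0 usually means either the key number does not match on both ends or the sender's address is not covered by a 'restrict' exception. Note that on ntpd versions before 4.2 the 'notrust' lines above would not enforce authentication, which is exactly the version caveat raised in the reply.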
