Access Control Options
from Pogo,
Walt Kelly
The skunk watches for intruders and sprays.
Access Control Support
ntpd implements a general purpose address-and-mask based
restriction list. The list is sorted by address and then by mask, and
is searched in this order for matches, with the last match
found defining the restriction flags associated with the incoming
packet. The source address of the incoming packet is used for the
match: the 32-bit address is and'ed with the mask
associated with the restriction entry and then compared with the
entry's address (which has also been and'ed with the mask). Because
of this sort order, a more specific entry (longer mask) for a range
sorts after a less specific one covering it, so the last match is
the most specific entry. Additional information and examples can be found in
the Notes on Configuring NTP and Setting up a
NTP Subnet page.
The restriction facility was implemented in conformance with the
access policies for the original NSFnet backbone time servers.
While this facility may be otherwise useful for keeping unwanted or
broken remote time servers from affecting your own, it should not
be considered an alternative to the standard NTP authentication
facility. Source address based restrictions are easily circumvented
by a determined cracker, since the source address of a UDP packet
can be forged.
The Kiss-of-Death Packet
Ordinarily, packets denied service are simply dropped with no
further action except incrementing statistics counters. Sometimes a
more proactive response is needed, such as a server message that
explicitly requests the client to stop sending and leave a message
for the system operator. A special packet format has been created
for this purpose called the kiss-of-death packet. If the
kod flag is set and either service is denied or the client
limit is exceeded, the server returns the packet with the
leap bits set to unsynchronized (leap indicator 3), stratum zero and
the ASCII string "DENY" in the reference source identifier field. If
the kod flag is not set, the server simply drops the packet.
A client or peer receiving a kiss-of-death packet performs a set
of sanity checks to minimize the security exposure of an
unauthenticated packet that can stop the client from polling. If this is the
first packet received from the server, the client assumes an access
denied condition at the server. It updates the stratum and
reference identifier peer variables and sets the access denied
(test 4) bit in the peer flash variable. While this bit is set, the
client sends no packets to the server. If this is not the first
packet, the client assumes a client limit condition at the server,
but does not update the peer variables. In either case, a message
is sent to the system log.
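The exchange described above, as an added example written for this page rather than code taken from ntpd: the server side returns the request with the leap bits set to 3, stratum 0 and "DENY" as the reference identifier when the matching entry carries the kod flag and service is denied (or the client limit is exceeded), and the client side applies the first-packet versus later-packet rule. The reply-mode mapping, the bit position chosen for the test 4 flash bit, and the sample packets are assumptions made for illustration.

```python
"""Kiss-of-death (KoD) packet: server-side construction and client-side handling.

Added example, not ntpd code.  Uses the standard 48-byte NTP header.  The
reply-mode mapping and the bit position of the TEST4 flash bit are assumptions.
"""
import struct

# li/vn/mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/originate/receive/transmit timestamps
HEADER = struct.Struct("!BBbbII4s8s8s8s8s")
LEAP_UNSYNC = 3                   # leap indicator 3: clock unsynchronized
KOD_REFID = b"DENY"               # reference identifier carried by a KoD packet
TEST4 = 1 << 3                    # access-denied bit in the peer flash variable (assumed position)
REPLY_MODE = {3: 4, 1: 2}         # client->server, symmetric active->passive (assumption)


def build_packet(leap=0, version=4, mode=3, stratum=0, refid=b"\0" * 4):
    """Constructed sample packet; timestamps and root fields are left zero."""
    return HEADER.pack((leap << 6) | (version << 3) | mode, stratum, 6, -20,
                       0, 0, refid, b"\0" * 8, b"\0" * 8, b"\0" * 8, b"\0" * 8)


def parse(pkt):
    f = HEADER.unpack(pkt[:HEADER.size])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "refid": f[6]}


def is_kod(pkt):
    p = parse(pkt)
    return p["leap"] == LEAP_UNSYNC and p["stratum"] == 0 and p["refid"] == KOD_REFID


def kiss_of_death(request):
    """Return the request with leap bits unsynchronized, stratum 0 and refid DENY."""
    f = list(HEADER.unpack(request[:HEADER.size]))
    version, mode = (f[0] >> 3) & 7, f[0] & 7
    f[0] = (LEAP_UNSYNC << 6) | (version << 3) | REPLY_MODE.get(mode, mode)
    f[1] = 0                                  # stratum zero
    f[6] = KOD_REFID
    return HEADER.pack(*f)


def server_action(request, flags, client_limit_exceeded=False):
    """Decide what the server does with a time request whose matching restriction
    entry carries `flags`.  Returns ("serve", None), ("drop", None) or ("kod", bytes)."""
    if "ignore" in flags:                     # never answered, kod flag or not
        return ("drop", None)
    if "noserve" in flags or client_limit_exceeded:
        if "kod" in flags:
            return ("kod", kiss_of_death(request))
        return ("drop", None)                 # denied silently; counters only
    return ("serve", None)                    # normal time service follows


class Peer:
    """Client-side peer state relevant to KoD handling."""

    def __init__(self):
        self.stratum = None
        self.refid = None
        self.flash = 0
        self.received = 0
        self.log = []

    def receive(self, pkt):
        first = self.received == 0
        self.received += 1
        p = parse(pkt)
        if is_kod(pkt):
            if first:                         # assume access denied at the server
                self.stratum, self.refid = p["stratum"], p["refid"]
                self.flash |= TEST4
                self.log.append("access denied")
            else:                             # assume client limit; peer variables untouched
                self.log.append("client limit exceeded")
            return
        self.stratum, self.refid = p["stratum"], p["refid"]

    def may_send(self):
        """False once the access denied (test 4) bit is set."""
        return not (self.flash & TEST4)
```

The KoD check on the client is purely on header fields, which is why the page's first-packet rule matters: a KoD that arrives after genuine replies is treated as a rate-limit hint and leaves the peer variables alone, rather than silencing the association.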
Access Control Commands
- restrict numeric_address [mask numeric_mask]
[flag][...]
- The numeric_address argument, expressed in
dotted-quad form, is the address of a host or network. The
mask argument, also expressed in dotted-quad form,
defaults to 255.255.255.255, meaning that the
numeric_address is treated as the address of an individual
host. A default entry (address 0.0.0.0, mask
0.0.0.0) is always included and, given the sort algorithm, is
always the first entry in the list. Note that, while
numeric_address is normally given in dotted-quad format,
the text string default, with no mask option, may be used
to indicate the default entry.
- In the current implementation, a flag always
restricts access, i.e., an entry with no flags indicates that free
access to the server is to be given. The flags are not orthogonal,
in that more restrictive flags will often make less restrictive
ones redundant. The flags can generally be classed into two
categories, those which restrict time service and those which
restrict informational queries and attempts to do run-time
reconfiguration of the server. One or more of the following flags
may be specified:
- kod
- If access is denied, send a kiss-of-death packet.
- ignore
- Ignore all packets from hosts which match this entry. If this
flag is specified neither queries nor time server polls will be
responded to.
- noquery
- Ignore all NTP mode 6 and 7 packets (i.e. information queries
and configuration requests) from the source. Time service is not
affected.
- nomodify
- Ignore all NTP mode 6 and 7 packets which attempt to modify the
state of the server (i.e. run time reconfiguration). Queries which
return information are permitted.
- notrap
- Decline to provide mode 6 control message trap service to
matching hosts. The trap service is a subsystem of the mode 6
control message protocol which is intended for use by remote event
logging programs.
- lowpriotrap
- Declare traps set by matching hosts to be low priority. The
number of traps a server can maintain is limited (the current limit
is 3). Traps are usually assigned on a first come, first served
basis, with later trap requestors being denied service. This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
- noserve
- Ignore NTP packets whose mode is other than 6 or 7. In effect,
time service is denied, though queries may still be permitted.
- nopeer
- Provide stateless time service to polling hosts, but do not
allocate peer memory resources to these hosts even if they
otherwise might be considered useful as future synchronization
partners.
- notrust
- Treat these hosts normally in other respects, but never use
them as synchronization sources.
- limited
- These hosts are subject to limitation of number of clients from
the same net. Net in this context refers to the IP notion of net
(class A, class B, class C, etc.). Only the first
client_limit hosts that have shown up at the server and that
have been active during the last client_limit_period
seconds are accepted. Requests from other clients from the same net
are rejected. Only time request packets are taken into account.
Query packets sent by the ntpq and ntpdc programs
are not subject to these limits. A history of clients is kept using
the monitoring capability of ntpd. Thus, monitoring is
always active as long as there is a restriction entry with the
limited flag.
- ntpport
- This is actually a match algorithm modifier, rather than a
restriction flag. Its presence causes the restriction entry to be
matched only if the source port in the packet is the standard NTP
UDP port (123). Both ntpport and non-ntpport may
be specified. The ntpport is considered more specific and
is sorted later in the list.
- version
- Ignore these hosts if not the current NTP version.
- Default restriction list entries, with the flags ignore,
interface, ntpport, for each of the local host's interface
addresses are inserted into the table at startup to prevent the
server from attempting to synchronize to its own time. A default
entry is also always present; if it is not otherwise configured,
no flags are associated with it (i.e., everything besides your own
NTP server is unrestricted, including queries and run-time
reconfiguration requests).
- clientlimit limit
- Set the client_limit variable, which limits the number
of simultaneous access-controlled clients. The default value for
this variable is 3.
- clientperiod period
- Set the client_limit_period variable, which specifies
the number of seconds after which a client is considered inactive
and thus no longer is counted for client limit restriction. The
default value for this variable is 3600 seconds.
David L. Mills
<mills@udel.edu>