To Matt's point, I think it can be argued til the cows come home that NTP
itself is bi-directional (the client expects the server to respond, but UDP
doesn't guarantee it's going to make it back due to being connectionless).
NTP uses UDP for transport however, so the lower layer can't send ACKs
(which by design is uni-directional). So what layer are we talking about :)

As far as the authentication part, it can be bi-directional (I don't believe
I saw anything in the RFC that would prevent that), the question you're asking
is can Cisco gear do mutual authentication?? I have Linux boxes doing that
right now.

As a personal note, I'm not big on having my routers serve time (they're too
busy passing packets :) I believe Stratum 3 is as good as it gets in Cisco
R&S kits, and TDM/SONET doesn't run so well with that much room to drift.
GPS (or someone with Stratum 2 or 1 reference) is your best bet. But since
we're studying for the CCIE, I suspect my 3800s to be running
./morecoffee.sh in about 3 ... 2...

Max

On Fri, Jan 21, 2011 at 2:56 AM, Bojan Zivancevic <[email protected]> wrote:

> Yes you are right, but the idea could be that you have two conversations
> actually, where every device will authenticate the other one.
>
> That is why I mentioned NTP peer command. There is a "key" parameter there,
> that is the first thing. Also, there is no "server" because they can sync
> each other's clocks. Maybe this is a way to do mutual authentication? I
> could not find any detailed info on this "ntp peer key" command.
>
> Best Regards,
>
> Bojan Zivancevic
> Network Engineer
>
> From: Matt Hill [mailto:[email protected]]
> Sent: Thursday, January 20, 2011 23:30
> To: Bojan Zivancevic
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_RS] NTP mutual authentication - is it possible?
>
> I might throw this one in the air...
>
> NTP is UDP and completely unidirectional.  There are no ACKs or anything
> like that.  The protocol itself has no mechanism for two-way comms so I
> would suggest that is why we can't do mutual authentication here.
>
> If someone else has something to add here (even if it proves me wrong) I'm
> happy to hear it.
>
> Cheers,
> Matt
>
> CCIE #22386
> CCSI #31207
> On 20 January 2011 21:59, Bojan Zivancevic <[email protected]> wrote:
> I have been searching for the "final" answer to this question but still
> could not find it. Cisco doc is of no use, so it seems. Looked on the
> internet also, but I am not convinced what can be done about it. If someone
> could clear this up it will be a blast.
>
> So, for many years NTP authentication was one-way. Only the client had to
> authenticate the source i.e. only the device that gets its clock changed has
> to make sure that the source is valid. Makes sense. But since 12.4T Cisco
> made some changes and now if we are doing authentication we must make
> configs symmetrical. We could have done it before as well, but it was not
> mandatory.
>
> But I could not quite get if that is real mutual authentication or not. I
> looked up on the CLI etc. But it just does not click for me. I would like
> your opinion.
>
> And what about NTP peer authentication? Is that mutual auth? There is no
> real explanation about this command on Cisco doc as well.
>
> Best Regards,
>
> Bojan Zivancevic
> Network Engineer
> ----
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com<http://www.ipexpert.com>
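The thread above turns on whether NTP authentication is something each side does independently. The following is an added example written for this page, not code from any poster, from Cisco, or from ntpd: a small Python model of the RFC 5905 symmetric-key authenticator (a 32-bit key ID followed by MD5 computed over the shared key and the 48-byte header) exchanged in symmetric mode. Each device verifies the packets it receives against its own trusted-key table, so "mutual" authentication is simply both directions being checked. The header layout and mode numbers (1 symmetric active, 2 symmetric passive, 3 client, 4 server) follow RFC 5905; the key tables, secrets, reference ID and timestamps are constructed for the example and stand in for whatever a real box has configured.

```python
import hashlib
import hmac
import struct

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
HEADER_LEN = 48          # fixed NTPv4 header; no extension fields assumed here
MAC_LEN = 4 + 16         # 32-bit key ID + 128-bit MD5 digest (RFC 5905 sec. 7.3)

# Constructed trusted-key tables, one per device (values are made up for this
# example; a real device reads these from its own configuration).
KEYS_A = {1: b"shared-key-one", 2: b"key-only-A-knows"}
KEYS_B = {1: b"shared-key-one"}


def ntp_timestamp(unix_seconds):
    """Split a Unix time into the 64-bit NTP (seconds, fraction) pair."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return whole + NTP_EPOCH_OFFSET, frac


def build_header(mode, stratum, transmit_unix):
    """Pack a 48-byte NTPv4 header.  Modes per RFC 5905: 1 symmetric active,
    2 symmetric passive, 3 client, 4 server.  Unused fields are zeroed."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode     # LI=0, VN=4
    poll, precision = 6, -20
    xmt_sec, xmt_frac = ntp_timestamp(transmit_unix)
    return struct.pack(
        "!BBbbII4s" + "II" * 4,
        li_vn_mode, stratum, poll, precision,
        0, 0,                # root delay, root dispersion
        b"GPS\x00",          # reference ID (constructed)
        0, 0,                # reference timestamp
        0, 0,                # origin timestamp
        0, 0,                # receive timestamp
        xmt_sec, xmt_frac,   # transmit timestamp
    )


def sign(header, key_id, keys):
    """Append the RFC 5905 symmetric-key MAC: key ID + MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Check a received packet against the receiver's own trusted-key table.
    Returns (ok, header).  A key ID the receiver does not trust, a bad digest,
    or a packet without a MAC are all rejected."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, None
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, None
    expected = hashlib.md5(key + header).digest()
    # Constant-time compare so a digest mismatch leaks nothing via timing.
    return hmac.compare_digest(expected, mac[4:]), header


def symmetric_exchange(keys_a, keys_b, key_a_uses, key_b_uses, now=1295600000.0):
    """One round of symmetric mode.  A (active) sends, B (passive) verifies with
    its own table and answers, A verifies the answer with its own table.  Each
    direction is authenticated on its own; returns (accepted_at_B, accepted_at_A)."""
    a_to_b = sign(build_header(1, 3, now), key_a_uses, keys_a)
    ok_at_b, _ = verify(a_to_b, keys_b)
    b_to_a = sign(build_header(2, 2, now + 0.01), key_b_uses, keys_b)
    ok_at_a, _ = verify(b_to_a, keys_a)
    return ok_at_b, ok_at_a


def tampered_is_rejected(keys=KEYS_A, key_id=1, now=1295600000.0):
    """Flip one bit of the transmit timestamp after signing; the receiver
    must reject the packet even though the key ID is one it trusts."""
    packet = bytearray(sign(build_header(3, 3, now), key_id, keys))
    packet[HEADER_LEN - 1] ^= 0x01
    ok, _ = verify(bytes(packet), keys)
    return not ok


if __name__ == "__main__":
    print("both trust key 1   ->", symmetric_exchange(KEYS_A, KEYS_B, 1, 1))
    print("A signs with key 2 ->", symmetric_exchange(KEYS_A, KEYS_B, 2, 1))
    print("tampered rejected  ->", tampered_is_rejected())
```

Running it prints `(True, True)` when both sides share key 1, `(False, True)` when A signs with a key B does not trust (B drops A's packet, but A still accepts B's reply), and `True` for the tampered case. That asymmetry is the practical point: the MAC covers the transmit timestamp and the rest of the header of each packet separately, so whether both directions are authenticated depends entirely on whether both devices are configured to verify, not on anything the transport provides.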