Re: NTS multicast response on IPv6



On 2006-01-18, Danny Mayer <mayer@xxxxxxxxxxx> wrote:

> Mauricio Schramm wrote:
>
>> I'm trying to set up an NTP server that answers multicast requests
>> from IPv6 clients without any success.
>
> Please understand that is not how multicast works. The clients are
> passive and only receive multicast packets from the server (modulo the
> authentication keydance).

The "dance" occurs during a temporary unicast association with the
server. Once the authentication is set up the client start listening on
the multicast address.

Information about setting up NTP Authentication is available at
http://ntp.isc.org/Support/ConfiguringAutokey

>> I just don't know if the problem is with the client or with the
>> server and I don't have a reliable test tool to make sure if any of
>> them is correctly set. Has someone already tried this with success?
>> I tried it with up to date Red Hat Linux and Free BSD and Open BSD
>> servers and it never worked. Does someone know if I can use tools
>> like ntpq to do my tests?

You can use ntpq to monitor the progress of the association between a
client and a server. On the client, run 'watch ntpq -p' immediately
after starting ntpd. Within 64 seconds after starting the client ntpd
you should see a unicast association with the server. 64 seconds after
that you should see the association change from unicast to multicast
(see the 't' column):

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp0.kostecke.n .GPS.            1 m   45   64    2    0.917   -2.583   0.753

ntpq -cas will show you if crypto is working (look for the 'ok' in the
auth column):

ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 45799  7414   no   yes   ok   candidat  reachable    1

ntpq -c"rv 0 cert" will show you what certificates are held by ntpd:

assID=0 status=06a4 leap_none, sync_ntp, 10 events, event_peer/strat_chg,
cert="ntp0.kostecke.net ntp0.kostecke.net 0x3 3315100165",
cert="stasis imp.kostecke.net 0x3 3343787146",
cert="imp.kostecke.net ntp0.kostecke.net 0x3 3344713570",
cert="stasis stasis 0x3 3343787146"

To see the authentication details (e.g. which Identity Scheme is in use)
you need to look at the flags for that association:

$ ntpq -c"rv 45799 flags"

assID=45799 status=7614 reach, auth, sel_sys.peer, 1 event, event_reach,
flags=0x80f21

In this case:

#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */

The flags are documented in ./include/ntp_crypto.h

--
Steve Kostecke <kostecke@xxxxxxxxxxx>
NTP Public Services Project - http://ntp.isc.org/
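As an added example (not code from the post or from the NTP project), here is a small C decoder for the flags word: it pulls the value out of the 'rv ... flags' output shown above, names the set bits using only the masks the post lists, and reports any remaining bits as unknown rather than guessing at them. The "all verified" checklist is my own reading of the listed stages, not ntpd's definition.

```c
#include <stdlib.h>
#include <string.h>

/* Crypto flag bits as listed in the post (./include/ntp_crypto.h). */
#define CRYPTO_FLAG_ENAB  0x0001 /* crypto enable */
#define CRYPTO_FLAG_IFF   0x0020 /* IFF identity scheme */
#define CRYPTO_FLAG_VALID 0x0100 /* public key verified */
#define CRYPTO_FLAG_VRFY  0x0200 /* identity verified */
#define CRYPTO_FLAG_PROV  0x0400 /* signature verified */
#define CRYPTO_FLAG_AGREE 0x0800 /* cookie verified */
/* Assumed checklist (not ntpd's own definition): all verification stages done. */
#define VERIFIED_ALL (CRYPTO_FLAG_VALID | CRYPTO_FLAG_VRFY | \
                      CRYPTO_FLAG_PROV | CRYPTO_FLAG_AGREE)
static const struct { unsigned mask; const char *name; } known_flags[] = {
    { CRYPTO_FLAG_ENAB, "ENAB" }, { CRYPTO_FLAG_IFF, "IFF" }, { CRYPTO_FLAG_VALID, "VALID" },
    { CRYPTO_FLAG_VRFY, "VRFY" }, { CRYPTO_FLAG_PROV, "PROV" }, { CRYPTO_FLAG_AGREE, "AGREE" },
};

/* Flags word from an 'ntpq -c"rv <assID> flags"' response, or -1 if absent. */
long parse_rv_flags(const char *rv_output)
{
    const char *p = strstr(rv_output, "flags=");
    char *end;
    long v = p ? strtol(p + 6, &end, 0) : -1;   /* base 0 accepts the 0x prefix */
    return (p == NULL || end == p + 6) ? -1 : v;
}

/* 1 if every verification flag in the checklist is set, else 0. */
int crypto_all_verified(unsigned f) { return (f & VERIFIED_ALL) == VERIFIED_ALL; }

/* Name the set documented flags (comma separated) in buf and return how many.
 * Bits no documented mask covers go to *unknown: look them up, don't guess. */
int crypto_decode(unsigned flags, char *buf, size_t len, unsigned *unknown)
{
    size_t i;
    unsigned covered = 0;
    int n = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof known_flags / sizeof known_flags[0]; i++) {
        covered |= known_flags[i].mask;
        if (!(flags & known_flags[i].mask))
            continue;
        if (n++)
            strncat(buf, ",", len - strlen(buf) - 1);
        strncat(buf, known_flags[i].name, len - strlen(buf) - 1);
    }
    *unknown = flags & ~covered;
    return n;
}
```

For the flags=0x80f21 shown above this names all six listed bits and leaves 0x80000 as unknown, which is the cue to consult the header rather than assume its meaning.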