NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.
Updated by Viktor Gurov 11 months ago
- Status changed from Feedback to New
- Target version changed from 2.5.0 to CE-Next
after configuring ntpd authentication on Debian peer I can see packets with MAC:
Network Time Protocol (NTP Version 4, server) Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server Peer Clock Stratum: secondary reference (3) Peer Polling Interval: 6 (64 sec) Peer Clock Precision: 0.000015 sec Root Delay: 0.0244598388671875 seconds Root Dispersion: 0.07177734375 seconds Reference ID: 22.214.171.124 Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC Key ID: 00000001 Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7
linux peer 'ntpq -c as' output:
ind assid status conf reach auth condition last_event cnt =========================================================== 1 59188 8811 yes none none reject mobilize 1 2 59189 f31a yes yes ok outlier sys_peer 1
pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next
Folks, I made a patch to the function system_ntp_configure() in the file /etc/inc/system.inc to get this working. Tested on 21.02.2.
Patch pasted here:
https://forum.netgate.com/post/977899, see below auth field indicating ok on the ntp client on pfSense.
[21.02.2-RELEASE][admin@your-sweet-pfsense-server-name]/root: ntpq -pc as remote refid st t when poll reach delay offset jitter ============================================================================== *ntp-g.nist.gov .NIST. 1 u 7 64 377 10.865 -0.019 0.738 ind assid status conf reach auth condition last_event cnt =========================================================== 1 64816 f61a yes yes ok sys.peer sys_peer 1