Project

General

Profile

Feature #8794

NTP authentiction

Added by Tod L over 2 years ago. Updated 7 days ago.

Status:
New
Priority:
Normal
Assignee:
Tod L
Category:
NTPD
Target version:
2.5.next
Start date:
08/17/2018
Due date:
% Done:

100%

Estimated time:

Description

NIST 800.53, specifically CM-6, requires network devices sync their time source using authenticated NTP. I'd like to request the NTP client in pfsense have an option to use authentication with NIST time servers. Cicso routers have this capability built in.

Associated revisions

Revision 9108d083 (diff)
Added by Viktor Gurov about 2 months ago

NTP server authentication. Issue #8794

History

#1 Updated by Jim Pingle over 1 year ago

  • Category set to NTPD

#2 Updated by Viktor Gurov 9 months ago

Currently supported NTP auth hashes by vendors:
Juniper - MD5, SHA1, SHA256
Huawei - MD5, SHA256
Palo Alto - MD5, SHA1
Cisco, Avaya and most other vendors - MD5 only

#3 Updated by Viktor Gurov 2 months ago

Server side authentication support:
https://github.com/pfsense/pfsense/pull/4472

#4 Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0

#5 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#6 Updated by Steve Beaver about 2 months ago

  • Assignee changed from Renato Botelho to Tod L

#7 Updated by Viktor Gurov 7 days ago

  • Status changed from Feedback to New
  • Target version changed from 2.5.0 to 2.5.next

after configuring ntpd authentication on Debian peer I can see packets with MAC:

Network Time Protocol (NTP Version 4, server)
    Flags: 0x24, Leap Indicator: no warning, Version number: NTP Version 4, Mode: server
    Peer Clock Stratum: secondary reference (3)
    Peer Polling Interval: 6 (64 sec)
    Peer Clock Precision: 0.000015 sec
    Root Delay: 0.0244598388671875 seconds
    Root Dispersion: 0.07177734375 seconds
    Reference ID: 193.182.111.13
    Reference Timestamp: Nov 28, 2020 16:00:20.461789665 UTC
    Origin Timestamp: Nov 28, 2020 16:09:03.511942520 UTC
    Receive Timestamp: Nov 28, 2020 16:09:03.515572186 UTC
    Transmit Timestamp: Nov 28, 2020 16:09:03.515697472 UTC
    Key ID: 00000001
    Message Authentication Code: 5e194bd30f46bb22789f80c8e8964ae7

linux peer 'ntpq -c as' output:

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 59188  8811   yes  none  none    reject    mobilize  1
  2 59189  f31a   yes   yes   ok    outlier    sys_peer  1

pfSense 2.5.0.a.20201127.1850

pfSense NTP client still doesn't have authentication support, so I set the target version to 2.5.next

Also available in: Atom PDF