SRX


NTP authentication key purpose

  • 1.  NTP authentication key purpose

    Posted 03-07-2020 13:00

    Hi everybody,

    Please consider the following setup:

    SRX ( NTP Client)--20.20.20.10--------200.20.20.200 -NTP SERVER 

     

    1) The SRX above is configured with an MD5 key for NTP to ensure the SRX will only sync time with an authorised NTP server, i.e. the NTP server has to prove to the NTP client (SRX) that it is a legitimate NTP server.

    2) A Cisco router is acting as the NTP stratum one server above.

     

    SRX CONFIG:

    Capture-NTP CLIENT.PNG

    The SRX has synced its clock with the NTP source, though the NTP server is not configured with any authentication key:
    Capture-NTP-ASS.PNG

     

    NTP SERVER config:

    NTP SERVER#show running-config | begin ntp
    ntp master 1
    ###############

    A capture taken on the SRX shows the SRX (NTP client) does send an MD5 hash with key number 1:

    Capture-WIRE.PNG

    SRX Version:

    Capture-VERSION.PNG

     

     

    ####################################################################

    Question:

    1) As we can see above, the SRX has synced time with the NTP server (which does not have any NTP authentication configured), though the SRX is configured for NTP authentication. Is it a bug?

    2) Even when the NTP server is configured with a mismatched MD5 key, the SRX (NTP client) is still able to sync time:

    NTP SERVER (config)#ntp authentication-key 1 md5 KOO

     

    Capture-NTP-ASS.PNG

     

     

    Thanks and have a good weekend!!


  • 2.  RE: NTP authentication key purpose
    Best Answer

     
    Posted 03-08-2020 04:05

    Your configuration looks correct.

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-authentication-keys.html

     

    So it seems likely it is a bug (Juniper calls these PR problem reports).  However, I don't see it listed in the public PR database for your version so you might need to raise an official support case to report it.

     

    https://prsearch.juniper.net/InfoCenter/index?page=prsearch#qt=ntp&bv=12.1X47-D15&sid=srx&dt=0&mode=undefined&stype=affectingthis&start=0&srtBy=relevance

    (login required to the search before the link will work)

     



  • 3.  RE: NTP authentication key purpose

    Posted 03-08-2020 09:39

    I would start with upgrading to the JTAC recommended code. If the keys are mismatched, you should not be able to sync time with the peer.



  • 4.  RE: NTP authentication key purpose

    Posted 03-09-2020 13:21

    I would agree with this. Upgrade to the latest recommended code and this should take care of the mismatch issue, then let's see.

     

    Cheers,

    Benjamin
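
The behaviour the replies expect (no sync when the server sends no MAC or a MAC made with a different key), as an added example that is not part of the original thread and not Junos or Cisco code. It assumes the standard NTP symmetric-key layout of a 48-byte header followed by a 4-byte key ID and MD5(key || header), with no extension fields; the function names, the client key and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header; no extension fields assumed
MAC_LEN = 4 + 16       # 32-bit key ID followed by a 128-bit MD5 digest

def build_reply(key_id=None, key=None):
    """Build a constructed server reply (sample data, not a real capture)."""
    # LI=0, VN=3, mode=4 (server), stratum 1; timestamps zeroed for brevity.
    header = struct.pack("!BBbb", (3 << 3) | 4, 1, 6, -20) + bytes(44)
    if key_id is None:
        return header                      # server without authentication
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def check_reply(packet, trusted_keys):
    """Return the verdict a strictly authenticating client should reach."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not mac:
        return "reject: no MAC"            # question 1 in the thread
    if len(mac) == 4:
        return "reject: crypto-NAK"        # key ID only, no digest
    if len(mac) != MAC_LEN:
        return "malformed"
    key = trusted_keys.get(struct.unpack("!I", mac[:4])[0])
    if key is None:
        return "reject: untrusted key ID"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return "reject: bad MAC"           # question 2 in the thread
    return "accept"

# Constructed client key; "KOO" is the mismatched server key from the thread.
CLIENT_KEYS = {1: b"constructed-client-key"}

if __name__ == "__main__":
    samples = [
        ("server has no key", build_reply()),
        ("server key is KOO", build_reply(1, b"KOO")),
        ("keys match", build_reply(1, CLIENT_KEYS[1])),
    ]
    for label, packet in samples:
        print(f"{label:18} -> {check_reply(packet, CLIENT_KEYS)}")
```

Applying the same verification to the server replies in a packet capture shows whether a client synced on a reply that carried no valid MAC.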