NTP Security - H3C SR6600-X Configuration Manual


Mode: Broadcast
Working process: A server periodically sends clock synchronization messages to the broadcast address 255.255.255.255. Clients listen to the broadcast messages from the servers to synchronize to the server according to the broadcast messages. When a client receives the first broadcast message, the client and the server start to exchange messages to calculate the network delay between them. Then, only the broadcast server sends clock synchronization messages.
Principle: A broadcast client can synchronize to a broadcast server, but a broadcast server cannot synchronize to a broadcast client.
Application scenario: A broadcast server sends clock synchronization messages to synchronize clients in the same subnet. As Figure 27 shows, broadcast mode is intended for configurations involving one or a few servers and a potentially large client population. The broadcast mode has a lower time accuracy than the client/server and symmetric active/passive modes because only the broadcast servers send clock synchronization messages.

Mode: Multicast
Working process: A multicast server periodically sends clock synchronization messages to the user-configured multicast address. Clients listen to the multicast messages from servers and synchronize to the server according to the received messages.
Principle: A multicast client can synchronize to a multicast server, but a multicast server cannot synchronize to a multicast client.
Application scenario: A multicast server can provide time synchronization for clients in the same subnet or in different subnets. The multicast mode has a lower time accuracy than the client/server and symmetric active/passive modes.

In this document, an "NTP server" or a "server" refers to a device that operates as an NTP server in client/server mode. Time servers refer to all the devices that can provide time synchronization, including NTP servers, NTP symmetric peers, broadcast servers, and multicast servers.

NTP security

To improve time synchronization security, NTP provides the access control and authentication functions.

NTP access control

You can control NTP access by using an ACL. The access rights are in the following order, from least restrictive to most restrictive:
• Peer—Allows time requests and NTP control queries (such as alarms, authentication status, and time server information) and allows the local device to synchronize itself to a peer device.
• Server—Allows time requests and NTP control queries, but does not allow the local device to synchronize itself to a peer device.
• Synchronization—Allows only time requests from a system whose address passes the access list criteria.
• Query—Allows only NTP control queries from a peer device to the local device.

The device processes an NTP request, as follows:
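Added example, not taken from the H3C manual: a Python model of the four access rights listed under NTP access control, used to audit which right a source address would receive and to flag sources that get a less restrictive right than intended. It assumes rights are checked from least to most restrictive and the first right whose ACL permits the source applies, and that a right with no ACL bound grants nothing; the ACL numbers, addresses, and function names are hypothetical.

```python
import ipaddress

# Rights in the manual's order (least restrictive first) and the operations
# each allows: time requests, control queries, local sync to the peer.
RIGHTS = [
    ("peer",            {"time_request", "control_query", "local_sync"}),
    ("server",          {"time_request", "control_query"}),
    ("synchronization", {"time_request"}),
    ("query",           {"control_query"}),
]

def acl_permits(acl, addr):
    """First matching rule wins; an address matching no rule is denied."""
    ip = ipaddress.ip_address(addr)
    for action, network in acl:
        if ip in ipaddress.ip_network(network):
            return action == "permit"
    return False

def granted_right(bindings, acls, addr):
    """Return (right, operations) for addr, or (None, set()) if none applies."""
    # Assumption: the first right (in RIGHTS order) whose ACL permits addr wins.
    for right, ops in RIGHTS:
        acl_id = bindings.get(right)
        if acl_id is not None and acl_permits(acls.get(acl_id, []), addr):
            return right, ops
    return None, set()

def shadowed_sources(bindings, acls, intended):
    """List (addr, intended_right, granted_right) where the two differ."""
    findings = []
    for addr, want in intended.items():
        got, _ = granted_right(bindings, acls, addr)
        if got != want:
            findings.append((addr, want, got))
    return findings

# Constructed sample policy: ACL numbers and addresses are hypothetical.
ACLS = {
    2000: [("permit", "10.0.0.0/8")],   # bound to peer: broader than intended
    2001: [("permit", "10.1.1.0/24")],  # time clients
    2002: [("deny", "10.9.9.66/32"), ("permit", "10.9.9.0/24")],  # monitoring
}
BINDINGS = {"peer": 2000, "synchronization": 2001, "query": 2002}
INTENDED = {"10.0.0.1": "peer", "10.1.1.20": "synchronization",
            "10.9.9.5": "query", "10.9.9.66": None, "192.0.2.7": None}

if __name__ == "__main__":
    print(shadowed_sources(BINDINGS, ACLS, INTENDED))
```

In the sample policy the broad ACL bound to the peer right shadows the narrower synchronization and query ACLs, so three sources end up with peer access; narrowing ACL 2000 to the single intended peer clears all findings.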


This manual is also suitable for:

R6600
