from Pogo, Walt Kelly

The skunk watches for intruders and sprays.

2. Access Control Support

The ntpd daemon implements a general purpose access control list (ACL) containing address/match entries sorted first by increasing address values and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry.

The ACL is specified as a list of restrict commands in the following formats:

restrict address[/cidr] [mask mask] [flag][…​]

The address argument expressed in dotted-quad (for IPv4) or :-delimited (for IPv6) form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. Instead of an explicit mask the address/cidr may be specified in CIDR notation.

A default entry (address, mask for IPv4; and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.

An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let’s assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might look like this:

restrict default nopeer                 # deny new associations
restrict mask       # allow campus access
restrict mask notrust # require authentication on subnet 1
restrict time.nist.gov                      # allow access

Note that by design the restrict declaration can only add restrictions to an IP range that has already been the subject of a previous restriction, not remove them.

If the behavior of multiple restricts with identical or overlapping ranges seems confusing, bear in mind that each restrict creates an internal table entry associated with its subject IP range, and the table entries are checked in sequence when the flags applying to a particular IP need to be computed.

While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.

Default restriction list entries with the flags ignore, ntpport, for each of the local host’s interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

homeHome Page

sitemapSite Map