path: root/contrib/ntp/html/accopt.htm
Diffstat (limited to 'contrib/ntp/html/accopt.htm')
-rw-r--r-- contrib/ntp/html/accopt.htm 427
1 files changed, 209 insertions, 218 deletions
diff --git a/contrib/ntp/html/accopt.htm b/contrib/ntp/html/accopt.htm
index d64a0d1..b0f5a9d 100644
--- a/contrib/ntp/html/accopt.htm
+++ b/contrib/ntp/html/accopt.htm
@@ -1,219 +1,210 @@
-<HTML>
-<HEAD>
- <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
- <META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (Win95; I) [Netscape]">
- <TITLE>Access Control Options
-</TITLE>
-</HEAD>
-<BODY>
-
-<H3>
-Access Control Options</H3>
-
-<HR>
-<H4>
-Access Control Support</H4>
-<TT>ntpd</TT> implements a general purpose address-and-mask based restriction
-list. The list is sorted by address and by mask, and the list is searched
-in this order for matches, with the last match found defining the restriction
-flags associated with the incoming packets. The source address of incoming
-packets is used for the match, with the 32-bit address being and'ed with
-the mask associated with the restriction entry and then compared with the
-entry's address (which has also been and'ed with the mask) to look for
-a match. Additional information and examples can be found in the <A HREF="notes.htm">Notes
-on Configuring NTP and Setting up a NTP Subnet </A>page.
-
-<P>The restriction facility was implemented in conformance with the access
-policies for the original NSFnet backbone time servers. While this facility
-may be otherwise useful for keeping unwanted or broken remote time servers
-from affecting your own, it should not be considered an alternative to
-the standard NTP authentication facility. Source address based restrictions
-are easily circumvented by a determined cracker.
-<H4>
-Access Control Commands</H4>
-
-<DL>
-<DT>
-<TT>restrict <I>numeric_address</I> [mask <I>numeric_mask</I>] [<I>flag</I>]
-[...]</TT></DT>
-
-<DD>
-The <I><TT>numeric_address</TT></I> argument, expressed in dotted-quad
-form, is the address of an host or network. The <I><TT>mask</TT></I> argument,
-also expressed in dotted-quad form, defaults to <TT>255.255.255.255</TT>,
-meaning that the <I><TT>numeric_address</TT></I> is treated as the address
-of an individual host. A default entry (address <TT>0.0.0.0</TT>, mask
-<TT>0.0.0.0</TT>) is always included and, given the sort algorithm, is
-always the first entry in the list. Note that, while <I><TT>numeric_address</TT></I>
-is normally given in dotted-quad format, the text string <TT>default</TT>,
-with no mask option, may be used to indicate the default entry.</DD>
-
-<DD>
-In the current implementation, <I><TT>flag</TT></I> always restricts access,
-i.e., an entry with no flags indicates that free access to the server is
-to be given. The flags are not orthogonal, in that more restrictive flags
-will often make less restrictive ones redundant. The flags can generally
-be classed into two catagories, those which restrict time service and those
-which restrict informational queries and attempts to do run-time reconfiguration
-of the server. One or more of the following flags may be specified:</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DL>
-<DT>
-<TT>ignore</TT></DT>
-
-<DD>
-Ignore all packets from hosts which match this entry. If this flag is specified
-neither queries nor time server polls will be responded to.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>noquery</TT></DT>
-
-<DD>
-Ignore all NTP mode 6 and 7 packets (i.e. information queries and configuration
-requests) from the source. Time service is not affected.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>nomodify</TT></DT>
-
-<DD>
-Ignore all NTP mode 6 and 7 packets which attempt to modify the state of
-the server (i.e. run time reconfiguration). Queries which return information
-are permitted.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>notrap</TT></DT>
-
-<DD>
-Decline to provide mode 6 control message trap service to matching hosts.
-The trap service is a subsystem of the mode 6 control message protocol
-which is intended for use by remote event logging programs.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>lowpriotrap</TT></DT>
-
-<DD>
-Declare traps set by matching hosts to be low priority. The number of traps
-a server can maintain is limited (the current limit is 3). Traps are usually
-assigned on a first come, first served basis, with later trap requestors
-being denied service. This flag modifies the assignment algorithm by allowing
-low priority traps to be overridden by later requests for normal priority
-traps.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>noserve</TT></DT>
-
-<DD>
-Ignore NTP packets whose mode is other than 6 or 7. In effect, time service
-is denied, though queries may still be permitted.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>nopeer</TT></DT>
-
-<DD>
-Provide stateless time service to polling hosts, but do not allocate peer
-memory resources to these hosts even if they otherwise might be considered
-useful as future synchronization partners.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>notrust</TT></DT>
-
-<DD>
-Treat these hosts normally in other respects, but never use them as synchronization
-sources.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>limited</TT></DT>
-
-<DD>
-These hosts are subject to limitation of number of clients from the same
-net. Net in this context refers to the IP notion of net (class A, class
-B, class C, etc.). Only the first <TT>client_limit</TT> hosts that have
-shown up at the server and that have been active during the last <TT>client_limit_period</TT>
-seconds are accepted. Requests from other clients from the same net are
-rejected. Only time request packets are taken into account. Query packets
-sent by the <TT>ntpq</TT> and <TT>ntpdc</TT> programs are not subject to
-these limits. A history of clients is kept using the monitoring capability
-of <TT>ntpd</TT>. Thus, monitoring is always active as long as there is
-a restriction entry with the <TT>limited</TT> flag.</DD>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
+<html>
+<head>
+<meta name="generator" content="HTML Tidy, see www.w3.org">
+<title>Access Control Options</title>
+</head>
+<body>
+<h3>Access Control Options</h3>
+
+<img align="left" src="pic/pogo6.gif" alt="gif"><a href=
+"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Pogo</i>,
+Walt Kelly</a>
+
+<p>The skunk watches for intruders and sprays.<br clear="left">
+</p>
+
+<hr>
+<h4>Access Control Support</h4>
+
+<tt>ntpd</tt> implements a general purpose address-and-mask based
+restriction list. The list is sorted by address and by mask, and
+the list is searched in this order for matches, with the last match
+found defining the restriction flags associated with the incoming
+packets. The source address of incoming packets is used for the
+match, with the 32- bit address being and'ed with the mask
+associated with the restriction entry and then compared with the
+entry's address (which has also been and'ed with the mask) to look
+for a match. Additional information and examples can be found in
+the <a href="notes.htm">Notes on Configuring NTP and Setting up a
+NTP Subnet</a> page.
+
+<p>The restriction facility was implemented in conformance with the
+access policies for the original NSFnet backbone time servers.
+While this facility may be otherwise useful for keeping unwanted or
+broken remote time servers from affecting your own, it should not
+be considered an alternative to the standard NTP authentication
+facility. Source address based restrictions are easily circumvented
+by a determined cracker.</p>
+
+<h4>The Kiss-of-Death Packet</h4>
+
+<p>Ordinarily, packets denied service are simply dropped with no
+further action except incrementing statistics counters. Sometimes a
+more proactive response is needed, such as a server message that
+explicitly requests the client to stop sending and leave a message
+for the system operator. A special packet format has been created
+for this purpose called the kiss-of-death packet. If the <tt>
+kod</tt> flag is set and either service is denied or the client
+limit is exceeded, the server it returns the packet and sets the
+leap bits unsynchronized, stratum zero and the ASCII string "DENY"
+in the reference source identifier field. If the <tt>kod</tt> flag
+is not set, the server simply drops the packet.</p>
+
+<p>A client or peer receiving a kiss-of-death packet performs a set
+of sanity checks to minimize security exposure. If this is the
+first packet received from the server, the client assumes an access
+denied condition at the server. It updates the stratum and
+reference identifier peer variables and sets the access denied
+(test 4) bit in the peer flash variable. If this bit is set, the
+client sends no packets to the server. If this is not the first
+packet, the client assumes a client limit condition at the server,
+but does not update the peer variables. In either case, a message
+is sent to the system log.</p>
+
+<h4>Access Control Commands</h4>
+
+<dl>
+<dt><tt>restrict <i>numeric_address</i> [mask <i>numeric_mask</i>]
+[<i>flag</i>][...]</tt></dt>
+
+<dd>The <i><tt>numeric_address</tt></i> argument, expressed in
+dotted- quad form, is the address of an host or network. The <i>
+<tt>mask</tt></i> argument, also expressed in dotted-quad form,
+defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt>
+numeric_address</tt></i> is treated as the address of an individual
+host. A default entry (address <tt>0.0.0.0</tt>, mask <tt>
+0.0.0.0</tt>) is always included and, given the sort algorithm, is
+always the first entry in the list. Note that, while <i><tt>
+numeric_address</tt></i> is normally given in dotted-quad format,
+the text string <tt>default</tt>, with no mask option, may be used
+to indicate the default entry.</dd>
+
+<dd>In the current implementation, <i><tt>flag</tt></i> always
+restricts access, i.e., an entry with no flags indicates that free
+access to the server is to be given. The flags are not orthogonal,
+in that more restrictive flags will often make less restrictive
+ones redundant. The flags can generally be classed into two
+catagories, those which restrict time service and those which
+restrict informational queries and attempts to do run-time
+reconfiguration of the server. One or more of the following flags
+may be specified:</dd>
+
+<dd>
+<dl>
+<dt><tt>kod</tt></dt>
+
+<dd>If access is denied, send a kiss-of-death packet.</dd>
+
+<dt><tt>ignore</tt></dt>
+
+<dd>Ignore all packets from hosts which match this entry. If this
+flag is specified neither queries nor time server polls will be
+responded to.</dd>
+
+<dt><tt>noquery</tt></dt>
+
+<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries
+and configuration requests) from the source. Time service is not
+affected.</dd>
+
+<dt><tt>nomodify</tt></dt>
+
+<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the
+state of the server (i.e. run time reconfiguration). Queries which
+return information are permitted.</dd>
+
+<dt><tt>notrap</tt></dt>
+
+<dd>Decline to provide mode 6 control message trap service to
+matching hosts. The trap service is a subsystem of the mode 6
+control message protocol which is intended for use by remote event
+logging programs.</dd>
+
+<dt><tt>lowpriotrap</tt></dt>
+
+<dd>Declare traps set by matching hosts to be low priority. The
+number of traps a server can maintain is limited (the current limit
+is 3). Traps are usually assigned on a first come, first served
+basis, with later trap requestors being denied service. This flag
+modifies the assignment algorithm by allowing low priority traps to
+be overridden by later requests for normal priority traps.</dd>
+
+<dt><tt>noserve</tt></dt>
+
+<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect,
+time service is denied, though queries may still be permitted.</dd>
+
+<dt><tt>nopeer</tt></dt>
+
+<dd>Provide stateless time service to polling hosts, but do not
+allocate peer memory resources to these hosts even if they
+otherwise might be considered useful as future synchronization
+partners.</dd>
+
+<dt><tt>notrust</tt></dt>
+
+<dd>Treat these hosts normally in other respects, but never use
+them as synchronization sources.</dd>
+
+<dt><tt>limited</tt></dt>
+
+<dd>These hosts are subject to limitation of number of clients from
+the same net. Net in this context refers to the IP notion of net
+(class A, class B, class C, etc.). Only the first <tt>
+client_limit</tt> hosts that have shown up at the server and that
+have been active during the last <tt>client_limit_period</tt>
+seconds are accepted. Requests from other clients from the same net
+are rejected. Only time request packets are taken into account.
+Query packets sent by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs
+are not subject to these limits. A history of clients is kept using
+the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is
+always active as long as there is a restriction entry with the <tt>
+limited</tt> flag.</dd>
+
+<dt><tt>ntpport</tt></dt>
+
+<dd>This is actually a match algorithm modifier, rather than a
+restriction flag. Its presence causes the restriction entry to be
+matched only if the source port in the packet is the standard NTP
+UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may
+be specified. The <tt>ntpport</tt> is considered more specific and
+is sorted later in the list.</dd>
+
+<dt><tt>version</tt></dt>
+
+<dd>Ignore these hosts if not the current NTP version.</dd>
+</dl>
+</dd>
+
+<dd>Default restriction list entries, with the flags <tt>ignore,
+interface, ntpport</tt>, for each of the local host's interface
+addresses are inserted into the table at startup to prevent the
+server from attempting to synchronize to its own time. A default
+entry is also always present, though if it is otherwise
+unconfigured; no flags are associated with the default entry (i.e.,
+everything besides your own NTP server is unrestricted).</dd>
+
+<dt><tt>clientlimit <i>limit</i></tt></dt>
+
+<dd>Set the <tt>client_limit</tt> variable, which limits the number
+of simultaneous access-controlled clients. The default value for
+this variable is 3.</dd>
+
+<dt><tt>clientperiod <i>period</i></tt></dt>
+
+<dd>Set the <tt>client_limit_period</tt> variable, which specifies
+the number of seconds after which a client is considered inactive
+and thus no longer is counted for client limit restriction. The
+default value for this variable is 3600 seconds.</dd>
+</dl>
+
+<hr>
+<a href="index.htm"><img align="left" src="pic/home.gif" alt=
+"gif"></a>
+
+<address><a href="mailto:mills@udel.edu">David L. Mills
+&lt;mills@udel.edu&gt;</a></address>
+</body>
+</html>
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>ntpport</TT></DT>
-
-<DD>
-This is actually a match algorithm modifier, rather than a restriction
-flag. Its presence causes the restriction entry to be matched only if the
-source port in the packet is the standard NTP UDP port (123). Both <TT>ntpport</TT>
-and <TT>non-ntpport</TT> may be specified. The <TT>ntpport</TT> is considered
-more specific and is sorted later in the list.</DD>
-
-<DD>
-&nbsp;</DD>
-</DL>
-
-<DD>
-Default restriction list entries, with the flags <TT>ignore, ntpport</TT>,
-for each of the local host's interface addresses are inserted into the
-table at startup to prevent the server from attempting to synchronize to
-its own time. A default entry is also always present, though if it is otherwise
-unconfigured; no flags are associated with the default entry (i.e., everything
-besides your own NTP server is unrestricted).</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>clientlimit <I>limit</I></TT></DT>
-
-<DD>
-Set the <TT>client_limit</TT> variable, which limits the number of simultaneous
-access-controlled clients. The default value for this variable is 3.</DD>
-
-<DD>
-&nbsp;</DD>
-
-<DT>
-<TT>clientperiod <I>period</I></TT></DT>
-
-<DD>
-Set the <TT>client_limit_period</TT> variable, which specifies the number
-of seconds after which a client is considered inactive and thus no longer
-is counted for client limit restriction. The default value for this variable
-is 3600 seconds.</DD>
-</DL>
-
-<HR>
-<ADDRESS>
-David L. Mills (mills@udel.edu)</ADDRESS>
-
-</BODY>
-</HTML>
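Review bot: the rewritten default-entries paragraph ("Default restriction list entries, with the flags <tt>ignore, interface, ntpport</tt>") names an "interface" flag that the flag list just above it never documents; the list covers kod, ignore, noquery, nomodify, notrap, lowpriotrap, noserve, nopeer, notrust, limited, ntpport and version only, so either add a <dt><tt>interface</tt></dt> entry with a description, or keep the removed wording "ignore, ntpport" until it is documented. In the new Kiss-of-Death section, "the server it returns the packet and sets the leap bits unsynchronized" should read "the server returns the packet and sets the leap bits unsynchronized". The HTML Tidy reflow has also inserted stray spaces after hyphens at line breaks: "32- bit" and "dotted- quad" were "32-bit" and "dotted-quad" in the removed lines and should be restored, and the pre-existing misspelling "catagories" could be corrected to "categories" while this text is being touched. Finally, alt="gif" on both added images tells a text-only reader nothing; alt text naming the Pogo cartoon and the home link would be more useful.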