Diffstat (limited to 'contrib/ntp/html/accopt.htm')
-rw-r--r-- | contrib/ntp/html/accopt.htm | 427 |
1 files changed, 209 insertions, 218 deletions
diff --git a/contrib/ntp/html/accopt.htm b/contrib/ntp/html/accopt.htm index d64a0d1..b0f5a9d 100644 --- a/contrib/ntp/html/accopt.htm +++ b/contrib/ntp/html/accopt.htm 
@@ -1,219 +1,210 @@ -<HTML> -<HEAD> - <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> - <META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (Win95; I) [Netscape]"> - <TITLE>Access Control Options -</TITLE> -</HEAD> -<BODY> - -<H3> -Access Control Options</H3> - -<HR> -<H4> -Access Control Support</H4> -<TT>ntpd</TT> implements a general purpose address-and-mask based restriction -list. The list is sorted by address and by mask, and the list is searched -in this order for matches, with the last match found defining the restriction -flags associated with the incoming packets. The source address of incoming -packets is used for the match, with the 32-bit address being and'ed with -the mask associated with the restriction entry and then compared with the -entry's address (which has also been and'ed with the mask) to look for -a match. Additional information and examples can be found in the <A HREF="notes.htm">Notes -on Configuring NTP and Setting up a NTP Subnet </A>page. - -<P>The restriction facility was implemented in conformance with the access -policies for the original NSFnet backbone time servers. While this facility -may be otherwise useful for keeping unwanted or broken remote time servers -from affecting your own, it should not be considered an alternative to -the standard NTP authentication facility. Source address based restrictions -are easily circumvented by a determined cracker. -<H4> -Access Control Commands</H4> - -<DL> -<DT> -<TT>restrict <I>numeric_address</I> [mask <I>numeric_mask</I>] [<I>flag</I>] -[...]</TT></DT> - -<DD> -The <I><TT>numeric_address</TT></I> argument, expressed in dotted-quad -form, is the address of an host or network. The <I><TT>mask</TT></I> argument, -also expressed in dotted-quad form, defaults to <TT>255.255.255.255</TT>, -meaning that the <I><TT>numeric_address</TT></I> is treated as the address -of an individual host. 
A default entry (address <TT>0.0.0.0</TT>, mask -<TT>0.0.0.0</TT>) is always included and, given the sort algorithm, is -always the first entry in the list. Note that, while <I><TT>numeric_address</TT></I> -is normally given in dotted-quad format, the text string <TT>default</TT>, -with no mask option, may be used to indicate the default entry.</DD> - -<DD> -In the current implementation, <I><TT>flag</TT></I> always restricts access, -i.e., an entry with no flags indicates that free access to the server is -to be given. The flags are not orthogonal, in that more restrictive flags -will often make less restrictive ones redundant. The flags can generally -be classed into two catagories, those which restrict time service and those -which restrict informational queries and attempts to do run-time reconfiguration -of the server. One or more of the following flags may be specified:</DD> - -<DD> - </DD> - -<DL> -<DT> -<TT>ignore</TT></DT> - -<DD> -Ignore all packets from hosts which match this entry. If this flag is specified -neither queries nor time server polls will be responded to.</DD> - -<DD> - </DD> - -<DT> -<TT>noquery</TT></DT> - -<DD> -Ignore all NTP mode 6 and 7 packets (i.e. information queries and configuration -requests) from the source. Time service is not affected.</DD> - -<DD> - </DD> - -<DT> -<TT>nomodify</TT></DT> - -<DD> -Ignore all NTP mode 6 and 7 packets which attempt to modify the state of -the server (i.e. run time reconfiguration). Queries which return information -are permitted.</DD> - -<DD> - </DD> - -<DT> -<TT>notrap</TT></DT> - -<DD> -Decline to provide mode 6 control message trap service to matching hosts. -The trap service is a subsystem of the mode 6 control message protocol -which is intended for use by remote event logging programs.</DD> - -<DD> - </DD> - -<DT> -<TT>lowpriotrap</TT></DT> - -<DD> -Declare traps set by matching hosts to be low priority. The number of traps -a server can maintain is limited (the current limit is 3). 
Traps are usually -assigned on a first come, first served basis, with later trap requestors -being denied service. This flag modifies the assignment algorithm by allowing -low priority traps to be overridden by later requests for normal priority -traps.</DD> - -<DD> - </DD> - -<DT> -<TT>noserve</TT></DT> - -<DD> -Ignore NTP packets whose mode is other than 6 or 7. In effect, time service -is denied, though queries may still be permitted.</DD> - -<DD> - </DD> - -<DT> -<TT>nopeer</TT></DT> - -<DD> -Provide stateless time service to polling hosts, but do not allocate peer -memory resources to these hosts even if they otherwise might be considered -useful as future synchronization partners.</DD> - -<DD> - </DD> - -<DT> -<TT>notrust</TT></DT> - -<DD> -Treat these hosts normally in other respects, but never use them as synchronization -sources.</DD> - -<DD> - </DD> - -<DT> -<TT>limited</TT></DT> - -<DD> -These hosts are subject to limitation of number of clients from the same -net. Net in this context refers to the IP notion of net (class A, class -B, class C, etc.). Only the first <TT>client_limit</TT> hosts that have -shown up at the server and that have been active during the last <TT>client_limit_period</TT> -seconds are accepted. Requests from other clients from the same net are -rejected. Only time request packets are taken into account. Query packets -sent by the <TT>ntpq</TT> and <TT>ntpdc</TT> programs are not subject to -these limits. A history of clients is kept using the monitoring capability -of <TT>ntpd</TT>. 
Thus, monitoring is always active as long as there is -a restriction entry with the <TT>limited</TT> flag.</DD> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<html> +<head> +<meta name="generator" content="HTML Tidy, see www.w3.org"> +<title>Access Control Options</title> +</head> +<body> +<h3>Access Control Options</h3> + +<img align="left" src="pic/pogo6.gif" alt="gif"><a href= +"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Pogo</i>, +Walt Kelly</a> + +<p>The skunk watches for intruders and sprays.<br clear="left"> +</p> + +<hr> +<h4>Access Control Support</h4> + +<tt>ntpd</tt> implements a general purpose address-and-mask based +restriction list. The list is sorted by address and by mask, and +the list is searched in this order for matches, with the last match +found defining the restriction flags associated with the incoming +packets. The source address of incoming packets is used for the +match, with the 32- bit address being and'ed with the mask +associated with the restriction entry and then compared with the +entry's address (which has also been and'ed with the mask) to look +for a match. Additional information and examples can be found in +the <a href="notes.htm">Notes on Configuring NTP and Setting up a +NTP Subnet</a> page. + +<p>The restriction facility was implemented in conformance with the +access policies for the original NSFnet backbone time servers. +While this facility may be otherwise useful for keeping unwanted or +broken remote time servers from affecting your own, it should not +be considered an alternative to the standard NTP authentication +facility. Source address based restrictions are easily circumvented +by a determined cracker.</p> + +<h4>The Kiss-of-Death Packet</h4> + +<p>Ordinarily, packets denied service are simply dropped with no +further action except incrementing statistics counters. 
Sometimes a +more proactive response is needed, such as a server message that +explicitly requests the client to stop sending and leave a message +for the system operator. A special packet format has been created +for this purpose called the kiss-of-death packet. If the <tt> +kod</tt> flag is set and either service is denied or the client +limit is exceeded, the server it returns the packet and sets the +leap bits unsynchronized, stratum zero and the ASCII string "DENY" +in the reference source identifier field. If the <tt>kod</tt> flag +is not set, the server simply drops the packet.</p> + +<p>A client or peer receiving a kiss-of-death packet performs a set +of sanity checks to minimize security exposure. If this is the +first packet received from the server, the client assumes an access +denied condition at the server. It updates the stratum and +reference identifier peer variables and sets the access denied +(test 4) bit in the peer flash variable. If this bit is set, the +client sends no packets to the server. If this is not the first +packet, the client assumes a client limit condition at the server, +but does not update the peer variables. In either case, a message +is sent to the system log.</p> + +<h4>Access Control Commands</h4> + +<dl> +<dt><tt>restrict <i>numeric_address</i> [mask <i>numeric_mask</i>] +[<i>flag</i>][...]</tt></dt> + +<dd>The <i><tt>numeric_address</tt></i> argument, expressed in +dotted- quad form, is the address of an host or network. The <i> +<tt>mask</tt></i> argument, also expressed in dotted-quad form, +defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt> +numeric_address</tt></i> is treated as the address of an individual +host. A default entry (address <tt>0.0.0.0</tt>, mask <tt> +0.0.0.0</tt>) is always included and, given the sort algorithm, is +always the first entry in the list. 
Note that, while <i><tt> +numeric_address</tt></i> is normally given in dotted-quad format, +the text string <tt>default</tt>, with no mask option, may be used +to indicate the default entry.</dd> + +<dd>In the current implementation, <i><tt>flag</tt></i> always +restricts access, i.e., an entry with no flags indicates that free +access to the server is to be given. The flags are not orthogonal, +in that more restrictive flags will often make less restrictive +ones redundant. The flags can generally be classed into two +catagories, those which restrict time service and those which +restrict informational queries and attempts to do run-time +reconfiguration of the server. One or more of the following flags +may be specified:</dd> + +<dd> +<dl> +<dt><tt>kod</tt></dt> + +<dd>If access is denied, send a kiss-of-death packet.</dd> + +<dt><tt>ignore</tt></dt> + +<dd>Ignore all packets from hosts which match this entry. If this +flag is specified neither queries nor time server polls will be +responded to.</dd> + +<dt><tt>noquery</tt></dt> + +<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries +and configuration requests) from the source. Time service is not +affected.</dd> + +<dt><tt>nomodify</tt></dt> + +<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the +state of the server (i.e. run time reconfiguration). Queries which +return information are permitted.</dd> + +<dt><tt>notrap</tt></dt> + +<dd>Decline to provide mode 6 control message trap service to +matching hosts. The trap service is a subsystem of the mode 6 +control message protocol which is intended for use by remote event +logging programs.</dd> + +<dt><tt>lowpriotrap</tt></dt> + +<dd>Declare traps set by matching hosts to be low priority. The +number of traps a server can maintain is limited (the current limit +is 3). Traps are usually assigned on a first come, first served +basis, with later trap requestors being denied service. 
This flag +modifies the assignment algorithm by allowing low priority traps to +be overridden by later requests for normal priority traps.</dd> + +<dt><tt>noserve</tt></dt> + +<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect, +time service is denied, though queries may still be permitted.</dd> + +<dt><tt>nopeer</tt></dt> + +<dd>Provide stateless time service to polling hosts, but do not +allocate peer memory resources to these hosts even if they +otherwise might be considered useful as future synchronization +partners.</dd> + +<dt><tt>notrust</tt></dt> + +<dd>Treat these hosts normally in other respects, but never use +them as synchronization sources.</dd> + +<dt><tt>limited</tt></dt> + +<dd>These hosts are subject to limitation of number of clients from +the same net. Net in this context refers to the IP notion of net +(class A, class B, class C, etc.). Only the first <tt> +client_limit</tt> hosts that have shown up at the server and that +have been active during the last <tt>client_limit_period</tt> +seconds are accepted. Requests from other clients from the same net +are rejected. Only time request packets are taken into account. +Query packets sent by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs +are not subject to these limits. A history of clients is kept using +the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is +always active as long as there is a restriction entry with the <tt> +limited</tt> flag.</dd> + +<dt><tt>ntpport</tt></dt> + +<dd>This is actually a match algorithm modifier, rather than a +restriction flag. Its presence causes the restriction entry to be +matched only if the source port in the packet is the standard NTP +UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may +be specified. 
The <tt>ntpport</tt> is considered more specific and +is sorted later in the list.</dd> + +<dt><tt>version</tt></dt> + +<dd>Ignore these hosts if not the current NTP version.</dd> +</dl> +</dd> + +<dd>Default restriction list entries, with the flags <tt>ignore, +interface, ntpport</tt>, for each of the local host's interface +addresses are inserted into the table at startup to prevent the +server from attempting to synchronize to its own time. A default +entry is also always present, though if it is otherwise +unconfigured; no flags are associated with the default entry (i.e., +everything besides your own NTP server is unrestricted).</dd> + +<dt><tt>clientlimit <i>limit</i></tt></dt> + +<dd>Set the <tt>client_limit</tt> variable, which limits the number +of simultaneous access-controlled clients. The default value for +this variable is 3.</dd> + +<dt><tt>clientperiod <i>period</i></tt></dt> + +<dd>Set the <tt>client_limit_period</tt> variable, which specifies +the number of seconds after which a client is considered inactive +and thus no longer is counted for client limit restriction. The +default value for this variable is 3600 seconds.</dd> +</dl> + +<hr> +<a href="index.htm"><img align="left" src="pic/home.gif" alt= +"gif"></a> + +<address><a href="mailto:mills@udel.edu">David L. Mills +<mills@udel.edu></a></address> +</body> +</html> -<DD> - </DD> - -<DT> -<TT>ntpport</TT></DT> - -<DD> -This is actually a match algorithm modifier, rather than a restriction -flag. Its presence causes the restriction entry to be matched only if the -source port in the packet is the standard NTP UDP port (123). Both <TT>ntpport</TT> -and <TT>non-ntpport</TT> may be specified. 
The <TT>ntpport</TT> is considered -more specific and is sorted later in the list.</DD> - -<DD> - </DD> -</DL> - -<DD> -Default restriction list entries, with the flags <TT>ignore, ntpport</TT>, -for each of the local host's interface addresses are inserted into the -table at startup to prevent the server from attempting to synchronize to -its own time. A default entry is also always present, though if it is otherwise -unconfigured; no flags are associated with the default entry (i.e., everything -besides your own NTP server is unrestricted).</DD> - -<DD> - </DD> - -<DT> -<TT>clientlimit <I>limit</I></TT></DT> - -<DD> -Set the <TT>client_limit</TT> variable, which limits the number of simultaneous -access-controlled clients. The default value for this variable is 3.</DD> - -<DD> - </DD> - -<DT> -<TT>clientperiod <I>period</I></TT></DT> - -<DD> -Set the <TT>client_limit_period</TT> variable, which specifies the number -of seconds after which a client is considered inactive and thus no longer -is counted for client limit restriction. The default value for this variable -is 3600 seconds.</DD> -</DL> - -<HR> -<ADDRESS> -David L. Mills (mills@udel.edu)</ADDRESS> - -</BODY> -</HTML> |