path: root/contrib/ntp/html/accopt.htm
Diffstat (limited to 'contrib/ntp/html/accopt.htm')
-rw-r--r--contrib/ntp/html/accopt.htm210
1 files changed, 0 insertions, 210 deletions
diff --git a/contrib/ntp/html/accopt.htm b/contrib/ntp/html/accopt.htm
deleted file mode 100644
index b0f5a9d..0000000
--- a/contrib/ntp/html/accopt.htm
+++ /dev/null
@@ -1,210 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
-<html>
-<head>
-<meta name="generator" content="HTML Tidy, see www.w3.org">
-<title>Access Control Options</title>
-</head>
-<body>
-<h3>Access Control Options</h3>
-
-<img align="left" src="pic/pogo6.gif" alt="gif"><a href=
-"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Pogo</i>,
-Walt Kelly</a>
-
-<p>The skunk watches for intruders and sprays.<br clear="left">
-</p>
-
-<hr>
-<h4>Access Control Support</h4>
-
-<tt>ntpd</tt> implements a general purpose address-and-mask based
-restriction list. The list is sorted by address and by mask, and
-the list is searched in this order for matches, with the last match
-found defining the restriction flags associated with the incoming
-packets. The source address of incoming packets is used for the
-match, with the 32- bit address being and'ed with the mask
-associated with the restriction entry and then compared with the
-entry's address (which has also been and'ed with the mask) to look
-for a match. Additional information and examples can be found in
-the <a href="notes.htm">Notes on Configuring NTP and Setting up a
-NTP Subnet</a> page.
-
-<p>The restriction facility was implemented in conformance with the
-access policies for the original NSFnet backbone time servers.
-While this facility may be otherwise useful for keeping unwanted or
-broken remote time servers from affecting your own, it should not
-be considered an alternative to the standard NTP authentication
-facility. Source address based restrictions are easily circumvented
-by a determined cracker.</p>
-
-<h4>The Kiss-of-Death Packet</h4>
-
-<p>Ordinarily, packets denied service are simply dropped with no
-further action except incrementing statistics counters. Sometimes a
-more proactive response is needed, such as a server message that
-explicitly requests the client to stop sending and leave a message
-for the system operator. A special packet format has been created
-for this purpose called the kiss-of-death packet. If the <tt>
-kod</tt> flag is set and either service is denied or the client
-limit is exceeded, the server it returns the packet and sets the
-leap bits unsynchronized, stratum zero and the ASCII string "DENY"
-in the reference source identifier field. If the <tt>kod</tt> flag
-is not set, the server simply drops the packet.</p>
-
-<p>A client or peer receiving a kiss-of-death packet performs a set
-of sanity checks to minimize security exposure. If this is the
-first packet received from the server, the client assumes an access
-denied condition at the server. It updates the stratum and
-reference identifier peer variables and sets the access denied
-(test 4) bit in the peer flash variable. If this bit is set, the
-client sends no packets to the server. If this is not the first
-packet, the client assumes a client limit condition at the server,
-but does not update the peer variables. In either case, a message
-is sent to the system log.</p>
-
-<h4>Access Control Commands</h4>
-
-<dl>
-<dt><tt>restrict <i>numeric_address</i> [mask <i>numeric_mask</i>]
-[<i>flag</i>][...]</tt></dt>
-
-<dd>The <i><tt>numeric_address</tt></i> argument, expressed in
-dotted- quad form, is the address of an host or network. The <i>
-<tt>mask</tt></i> argument, also expressed in dotted-quad form,
-defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt>
-numeric_address</tt></i> is treated as the address of an individual
-host. A default entry (address <tt>0.0.0.0</tt>, mask <tt>
-0.0.0.0</tt>) is always included and, given the sort algorithm, is
-always the first entry in the list. Note that, while <i><tt>
-numeric_address</tt></i> is normally given in dotted-quad format,
-the text string <tt>default</tt>, with no mask option, may be used
-to indicate the default entry.</dd>
-
-<dd>In the current implementation, <i><tt>flag</tt></i> always
-restricts access, i.e., an entry with no flags indicates that free
-access to the server is to be given. The flags are not orthogonal,
-in that more restrictive flags will often make less restrictive
-ones redundant. The flags can generally be classed into two
-catagories, those which restrict time service and those which
-restrict informational queries and attempts to do run-time
-reconfiguration of the server. One or more of the following flags
-may be specified:</dd>
-
-<dd>
-<dl>
-<dt><tt>kod</tt></dt>
-
-<dd>If access is denied, send a kiss-of-death packet.</dd>
-
-<dt><tt>ignore</tt></dt>
-
-<dd>Ignore all packets from hosts which match this entry. If this
-flag is specified neither queries nor time server polls will be
-responded to.</dd>
-
-<dt><tt>noquery</tt></dt>
-
-<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries
-and configuration requests) from the source. Time service is not
-affected.</dd>
-
-<dt><tt>nomodify</tt></dt>
-
-<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the
-state of the server (i.e. run time reconfiguration). Queries which
-return information are permitted.</dd>
-
-<dt><tt>notrap</tt></dt>
-
-<dd>Decline to provide mode 6 control message trap service to
-matching hosts. The trap service is a subsystem of the mode 6
-control message protocol which is intended for use by remote event
-logging programs.</dd>
-
-<dt><tt>lowpriotrap</tt></dt>
-
-<dd>Declare traps set by matching hosts to be low priority. The
-number of traps a server can maintain is limited (the current limit
-is 3). Traps are usually assigned on a first come, first served
-basis, with later trap requestors being denied service. This flag
-modifies the assignment algorithm by allowing low priority traps to
-be overridden by later requests for normal priority traps.</dd>
-
-<dt><tt>noserve</tt></dt>
-
-<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect,
-time service is denied, though queries may still be permitted.</dd>
-
-<dt><tt>nopeer</tt></dt>
-
-<dd>Provide stateless time service to polling hosts, but do not
-allocate peer memory resources to these hosts even if they
-otherwise might be considered useful as future synchronization
-partners.</dd>
-
-<dt><tt>notrust</tt></dt>
-
-<dd>Treat these hosts normally in other respects, but never use
-them as synchronization sources.</dd>
-
-<dt><tt>limited</tt></dt>
-
-<dd>These hosts are subject to limitation of number of clients from
-the same net. Net in this context refers to the IP notion of net
-(class A, class B, class C, etc.). Only the first <tt>
-client_limit</tt> hosts that have shown up at the server and that
-have been active during the last <tt>client_limit_period</tt>
-seconds are accepted. Requests from other clients from the same net
-are rejected. Only time request packets are taken into account.
-Query packets sent by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs
-are not subject to these limits. A history of clients is kept using
-the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is
-always active as long as there is a restriction entry with the <tt>
-limited</tt> flag.</dd>
-
-<dt><tt>ntpport</tt></dt>
-
-<dd>This is actually a match algorithm modifier, rather than a
-restriction flag. Its presence causes the restriction entry to be
-matched only if the source port in the packet is the standard NTP
-UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may
-be specified. The <tt>ntpport</tt> is considered more specific and
-is sorted later in the list.</dd>
-
-<dt><tt>version</tt></dt>
-
-<dd>Ignore these hosts if not the current NTP version.</dd>
-</dl>
-</dd>
-
-<dd>Default restriction list entries, with the flags <tt>ignore,
-interface, ntpport</tt>, for each of the local host's interface
-addresses are inserted into the table at startup to prevent the
-server from attempting to synchronize to its own time. A default
-entry is also always present, though if it is otherwise
-unconfigured; no flags are associated with the default entry (i.e.,
-everything besides your own NTP server is unrestricted).</dd>
-
-<dt><tt>clientlimit <i>limit</i></tt></dt>
-
-<dd>Set the <tt>client_limit</tt> variable, which limits the number
-of simultaneous access-controlled clients. The default value for
-this variable is 3.</dd>
-
-<dt><tt>clientperiod <i>period</i></tt></dt>
-
-<dd>Set the <tt>client_limit_period</tt> variable, which specifies
-the number of seconds after which a client is considered inactive
-and thus no longer is counted for client limit restriction. The
-default value for this variable is 3600 seconds.</dd>
-</dl>
-
-<hr>
-<a href="index.htm"><img align="left" src="pic/home.gif" alt=
-"gif"></a>
-
-<address><a href="mailto:mills@udel.edu">David L. Mills
-&lt;mills@udel.edu&gt;</a></address>
-</body>
-</html>
-
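Review bot: this hunk deletes the whole of accopt.htm, which on this page is the only description of the `restrict` flags (`kod`, `ignore`, `noquery`, `nomodify`, `notrap`, `lowpriotrap`, `noserve`, `nopeer`, `notrust`, `limited`, `ntpport`, `version`) and of `clientlimit`/`clientperiod`, yet nothing in the visible diff or diffstat points to a replacement. If this is a vendor-import cleanup, the commit message should say where the equivalent text now lives (an updated accopt page or the ntp.conf manual) so the operator-facing hardening advice is not silently lost. Two statements in the removed text are the ones worth preserving: that "no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted)", meaning mode 6 and 7 queries and run-time reconfiguration are reachable from any source address until `restrict default noquery nomodify` (or similar) is configured, and that "Source address based restrictions are easily circumvented by a determined cracker", so `restrict` is not a substitute for NTP authentication. Minor, since the file is going away: the removed text carried typos ("the server it returns the packet", "catagories") that should not be copied forward into any replacement page.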