Diffstat (limited to 'contrib/ntp/ntpd/invoke-ntp.conf.texi')
-rw-r--r-- | contrib/ntp/ntpd/invoke-ntp.conf.texi | 67 |
1 files changed, 64 insertions, 3 deletions
diff --git a/contrib/ntp/ntpd/invoke-ntp.conf.texi b/contrib/ntp/ntpd/invoke-ntp.conf.texi index 32b41e6..1d8a621 100644 --- a/contrib/ntp/ntpd/invoke-ntp.conf.texi +++ b/contrib/ntp/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed January 7, 2016 at 11:30:49 PM by AutoGen 5.18.5 +# It has been AutoGen-ed January 20, 2016 at 04:17:59 AM by AutoGen 5.18.5 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -2294,8 +2294,8 @@ otherwise, should be avoided. @item @code{dscp} @kbd{value} This option specifies the Differentiated Services Control Point (DSCP) value, a 6-bit code. The default value is 46, signifying Expedited Forwarding. -@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]} -@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats}]} +@item @code{enable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]} +@item @code{disable} @code{[@code{auth} | @code{bclient} | @code{calibrate} | @code{kernel} | @code{mode7} | @code{monitor} | @code{ntp} | @code{stats} | @code{unpeer_crypto_early} | @code{unpeer_crypto_nak_early} | @code{unpeer_digest_early}]} Provides a way to enable or disable various server options. Flags not mentioned are unaffected. Note that all of these flags 
@@ -2367,6 +2367,67 @@ See the section for further information. The default for this flag is @code{disable}. +@item @code{unpeer_crypto_early} +By default, if +@code{ntpd(1ntpdmdoc)} +receives an autokey packet that fails TEST9, +a crypto failure, +the association is immediately cleared. +This is almost certainly a feature, +but if, in spite of the current recommendation of not using autokey, +you are +.B still +using autokey +.B and +you are seeing this sort of DoS attack +disabling this flag will delay +tearing down the association until the reachability counter +becomes zero. +You can check your +@code{peerstats} +file for evidence of any of these attacks. +The +default for this flag is +@code{enable}. +@item @code{unpeer_crypto_nak_early} +By default, if +@code{ntpd(1ntpdmdoc)} +receives a crypto-NAK packet that +passes the duplicate packet and origin timestamp checks +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +@code{peerstats} +file for evidence of any of these attacks. +The +default for this flag is +@code{enable}. +@item @code{unpeer_digest_early} +By default, if +@code{ntpd(1ntpdmdoc)} +receives what should be an authenticated packet +that passes other packet sanity checks but +contains an invalid digest +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery, +if this type of packet is carefully forged and sent +during an appropriate window it can be used for a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +@code{peerstats} +file for evidence of any of these attacks. 
+The +default for this flag is +@code{enable}. @end table @item @code{includefile} @kbd{includefile} This command allows additional configuration commands |
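Review bot: in the new @code{unpeer_crypto_early} entry of the @@ -2367,6 +2367,67 @@ hunk, the two added lines `.B still` and `.B and` are roff/man-page bold macros, not Texinfo markup; in this .texi output they will be emitted verbatim as ".B still" and ".B and" instead of rendering as emphasis. Because the file is AutoGen-ed from ntp.conf.def, the fix belongs in that definition source so the Texinfo output reads `@strong{still}` and `@strong{and}` (or `@emph{}`) while the mdoc output keeps its own macros. Two smaller points in the same hunk: "noticable" in both the @code{unpeer_crypto_nak_early} and @code{unpeer_digest_early} entries should be "noticeable", and the sentence "If you have active noticable problems with this type of DoS attack" would read more naturally as "If you are seeing noticeable problems with this type of DoS attack". Finally, all three entries tell the operator to check the @code{peerstats} file for evidence of these attacks but do not say which fields or status values indicate them; a one-line pointer to what to look for would make that guidance actionable.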