Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.html')
-rw-r--r-- | contrib/ntp/ntpd/ntp.conf.html | 62 |
1 files changed, 60 insertions, 2 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.html b/contrib/ntp/ntpd/ntp.conf.html index d10a88d..c50f0e1 100644 --- a/contrib/ntp/ntpd/ntp.conf.html +++ b/contrib/ntp/ntpd/ntp.conf.html @@ -33,7 +33,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>This document describes the configuration file for the NTP Project's <code>ntpd</code> program. - <p>This document applies to version 4.2.8p5 of <code>ntp.conf</code>. + <p>This document applies to version 4.2.8p6 of <code>ntp.conf</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -2288,7 +2288,7 @@ drift file is located in, and that file system links, symbolic or otherwise, should be avoided. <br><dt><code>dscp</code> <kbd>value</kbd><dd>This option specifies the Differentiated Services Control Point (DSCP) value, a 6-bit code. The default value is 46, signifying Expedited Forwarding. -<br><dt><code>enable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</code><br><dt><code>disable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats]</code><dd>Provides a way to enable or disable various server options. +<br><dt><code>enable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</code><br><dt><code>disable</code> <code>[auth | bclient | calibrate | kernel | mode7 | monitor | ntp | stats | unpeer_crypto_early | unpeer_crypto_nak_early | unpeer_digest_early]</code><dd>Provides a way to enable or disable various server options. Flags not mentioned are unaffected. Note that all of these flags can be controlled remotely using the 
@@ -2351,6 +2351,64 @@ See the section for further information. The default for this flag is <code>disable</code>. +<br><dt><code>unpeer_crypto_early</code><dd>By default, if +<code>ntpd(1ntpdmdoc)</code> +receives an autokey packet that fails TEST9, +a crypto failure, +the association is immediately cleared. +This is almost certainly a feature, +but if, in spite of the current recommendation of not using autokey, +you are +.B still +using autokey +.B and +you are seeing this sort of DoS attack +disabling this flag will delay +tearing down the association until the reachability counter +becomes zero. +You can check your +<code>peerstats</code> +file for evidence of any of these attacks. +The +default for this flag is +<code>enable</code>. +<br><dt><code>unpeer_crypto_nak_early</code><dd>By default, if +<code>ntpd(1ntpdmdoc)</code> +receives a crypto-NAK packet that +passes the duplicate packet and origin timestamp checks +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +<code>peerstats</code> +file for evidence of any of these attacks. +The +default for this flag is +<code>enable</code>. +<br><dt><code>unpeer_digest_early</code><dd>By default, if +<code>ntpd(1ntpdmdoc)</code> +receives what should be an authenticated packet +that passes other packet sanity checks but +contains an invalid digest +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery, +if this type of packet is carefully forged and sent +during an appropriate window it can be used for a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. 
+You can check your +<code>peerstats</code> +file for evidence of any of these attacks. +The +default for this flag is +<code>enable</code>. </dl> <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands to be included from a separate file. |
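Review bot: in the @@ -2351 hunk the new `unpeer_crypto_early` entry carries raw troff/mdoc markup into the HTML: the lines `.B still` and `.B and` are man-page bold macros and will render literally as ".B still" and ".B and" in a browser, and `<code>ntpd(1ntpdmdoc)</code>` in all three new entries is an unresolved mdoc cross-reference placeholder. Since this file is generated output, the fix belongs in the mdoc source, but the HTML should read `<b>still</b>`, `<b>and</b>` and `<code>ntpd</code>`. Same hunk, twice: "noticable" should be "noticeable". More substantively, only the `unpeer_crypto_early` entry says what disabling the flag actually does ("delay tearing down the association until the reachability counter becomes zero"); the `unpeer_crypto_nak_early` and `unpeer_digest_early` entries tell the operator to "consider disabling this option" without stating the resulting behaviour. An operator weighing a forged crypto-NAK or bad-digest DoS against slower recovery after a legitimate key change needs that trade-off spelled out in each entry, and "check your peerstats file for evidence" would be more useful if it named what to look for in that file.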
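Review bot: the @@ -2288 hunk adds the three `unpeer_*_early` flags to both the `enable` and `disable` synopsis lines consistently, which is correct; a drive-by nit on the unchanged context line above it: `dscp` is expanded there as "Differentiated Services Control Point", but DSCP stands for Differentiated Services Code Point (RFC 2474), so that line is worth fixing in the same pass.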