diff options
Diffstat (limited to 'contrib/ntp/ntpd/ntp.conf.mdoc.in')
-rw-r--r-- | contrib/ntp/ntpd/ntp.conf.mdoc.in | 77 |
1 files changed, 70 insertions, 7 deletions
diff --git a/contrib/ntp/ntpd/ntp.conf.mdoc.in b/contrib/ntp/ntpd/ntp.conf.mdoc.in index 7ad4cc1..fe85d85 100644 --- a/contrib/ntp/ntpd/ntp.conf.mdoc.in +++ b/contrib/ntp/ntpd/ntp.conf.mdoc.in @@ -1,9 +1,9 @@ -.Dd January 7 2016 +.Dd January 20 2016 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed January 7, 2016 at 11:30:57 PM by AutoGen 5.18.5 +.\" It has been AutoGen-ed January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -2393,16 +2393,18 @@ a 6\-bit code. The default value is 46, signifying Expedited Forwarding. .Oo .Cm auth | Cm bclient | .Cm calibrate | Cm kernel | -.Cm mode7 | monitor | -.Cm ntp | Cm stats +.Cm mode7 | Cm monitor | +.Cm ntp | Cm stats | +.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc .It Xo Ic disable .Oo .Cm auth | Cm bclient | .Cm calibrate | Cm kernel | -.Cm mode7 | monitor | -.Cm ntp | Cm stats +.Cm mode7 | Cm monitor | +.Cm ntp | Cm stats | +.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early .Oc .Xc Provides a way to enable or disable various server options. @@ -2476,6 +2478,67 @@ See the section for further information. The default for this flag is .Ic disable . +.It Cm unpeer_crypto_early +By default, if +.Xr ntpd @NTPD_MS@ +receives an autokey packet that fails TEST9, +a crypto failure, +the association is immediately cleared. +This is almost certainly a feature, +but if, in spite of the current recommendation of not using autokey, +you are +.B still +using autokey +.B and +you are seeing this sort of DoS attack +disabling this flag will delay +tearing down the association until the reachability counter +becomes zero. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . +.It Cm unpeer_crypto_nak_early +By default, if +.Xr ntpd @NTPD_MS@ +receives a crypto\-NAK packet that +passes the duplicate packet and origin timestamp checks +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery if a server key has changed, +a properly forged and appropriately delivered crypto\-NAK packet +can be used in a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . +.It Cm unpeer_digest_early +By default, if +.Xr ntpd @NTPD_MS@ +receives what should be an authenticated packet +that passes other packet sanity checks but +contains an invalid digest +the association is immediately cleared. +While this is generally a feature +as it allows for quick recovery, +if this type of packet is carefully forged and sent +during an appropriate window it can be used for a DoS attack. +If you have active noticable problems with this type of DoS attack +then you should consider +disabling this option. +You can check your +.Cm peerstats +file for evidence of any of these attacks. +The +default for this flag is +.Ic enable . .El .It Ic includefile Ar includefile This command allows additional configuration commands @@ -2834,7 +2897,7 @@ A snapshot of this documentation is available in HTML format in .Sh "AUTHORS" The University of Delaware and Network Time Foundation .Sh "COPYRIGHT" -Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved. +Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .Sh BUGS The syntax checking is not picky; some combinations of |