diff options
Diffstat (limited to 'html/accopt.htm')
-rw-r--r-- | html/accopt.htm | 210 |
1 files changed, 210 insertions, 0 deletions
diff --git a/html/accopt.htm b/html/accopt.htm new file mode 100644 index 0000000..b0f5a9d --- /dev/null +++ b/html/accopt.htm @@ -0,0 +1,210 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"> +<html> +<head> +<meta name="generator" content="HTML Tidy, see www.w3.org"> +<title>Access Control Options</title> +</head> +<body> +<h3>Access Control Options</h3> + +<img align="left" src="pic/pogo6.gif" alt="gif"><a href= +"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Pogo</i>, +Walt Kelly</a> + +<p>The skunk watches for intruders and sprays.<br clear="left"> +</p> + +<hr> +<h4>Access Control Support</h4> + +<tt>ntpd</tt> implements a general purpose address-and-mask based +restriction list. The list is sorted by address and by mask, and +the list is searched in this order for matches, with the last match +found defining the restriction flags associated with the incoming +packets. The source address of incoming packets is used for the +match, with the 32- bit address being and'ed with the mask +associated with the restriction entry and then compared with the +entry's address (which has also been and'ed with the mask) to look +for a match. Additional information and examples can be found in +the <a href="notes.htm">Notes on Configuring NTP and Setting up a +NTP Subnet</a> page. + +<p>The restriction facility was implemented in conformance with the +access policies for the original NSFnet backbone time servers. +While this facility may be otherwise useful for keeping unwanted or +broken remote time servers from affecting your own, it should not +be considered an alternative to the standard NTP authentication +facility. Source address based restrictions are easily circumvented +by a determined cracker.</p> + +<h4>The Kiss-of-Death Packet</h4> + +<p>Ordinarily, packets denied service are simply dropped with no +further action except incrementing statistics counters. Sometimes a +more proactive response is needed, such as a server message that +explicitly requests the client to stop sending and leave a message +for the system operator. A special packet format has been created +for this purpose called the kiss-of-death packet. If the <tt> +kod</tt> flag is set and either service is denied or the client +limit is exceeded, the server it returns the packet and sets the +leap bits unsynchronized, stratum zero and the ASCII string "DENY" +in the reference source identifier field. If the <tt>kod</tt> flag +is not set, the server simply drops the packet.</p> + +<p>A client or peer receiving a kiss-of-death packet performs a set +of sanity checks to minimize security exposure. If this is the +first packet received from the server, the client assumes an access +denied condition at the server. It updates the stratum and +reference identifier peer variables and sets the access denied +(test 4) bit in the peer flash variable. If this bit is set, the +client sends no packets to the server. If this is not the first +packet, the client assumes a client limit condition at the server, +but does not update the peer variables. In either case, a message +is sent to the system log.</p> + +<h4>Access Control Commands</h4> + +<dl> +<dt><tt>restrict <i>numeric_address</i> [mask <i>numeric_mask</i>] +[<i>flag</i>][...]</tt></dt> + +<dd>The <i><tt>numeric_address</tt></i> argument, expressed in +dotted- quad form, is the address of an host or network. The <i> +<tt>mask</tt></i> argument, also expressed in dotted-quad form, +defaults to <tt>255.255.255.255</tt>, meaning that the <i><tt> +numeric_address</tt></i> is treated as the address of an individual +host. A default entry (address <tt>0.0.0.0</tt>, mask <tt> +0.0.0.0</tt>) is always included and, given the sort algorithm, is +always the first entry in the list. Note that, while <i><tt> +numeric_address</tt></i> is normally given in dotted-quad format, +the text string <tt>default</tt>, with no mask option, may be used +to indicate the default entry.</dd> + +<dd>In the current implementation, <i><tt>flag</tt></i> always +restricts access, i.e., an entry with no flags indicates that free +access to the server is to be given. The flags are not orthogonal, +in that more restrictive flags will often make less restrictive +ones redundant. The flags can generally be classed into two +catagories, those which restrict time service and those which +restrict informational queries and attempts to do run-time +reconfiguration of the server. One or more of the following flags +may be specified:</dd> + +<dd> +<dl> +<dt><tt>kod</tt></dt> + +<dd>If access is denied, send a kiss-of-death packet.</dd> + +<dt><tt>ignore</tt></dt> + +<dd>Ignore all packets from hosts which match this entry. If this +flag is specified neither queries nor time server polls will be +responded to.</dd> + +<dt><tt>noquery</tt></dt> + +<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries +and configuration requests) from the source. Time service is not +affected.</dd> + +<dt><tt>nomodify</tt></dt> + +<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the +state of the server (i.e. run time reconfiguration). Queries which +return information are permitted.</dd> + +<dt><tt>notrap</tt></dt> + +<dd>Decline to provide mode 6 control message trap service to +matching hosts. The trap service is a subsystem of the mode 6 +control message protocol which is intended for use by remote event +logging programs.</dd> + +<dt><tt>lowpriotrap</tt></dt> + +<dd>Declare traps set by matching hosts to be low priority. The +number of traps a server can maintain is limited (the current limit +is 3). Traps are usually assigned on a first come, first served +basis, with later trap requestors being denied service. This flag +modifies the assignment algorithm by allowing low priority traps to +be overridden by later requests for normal priority traps.</dd> + +<dt><tt>noserve</tt></dt> + +<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect, +time service is denied, though queries may still be permitted.</dd> + +<dt><tt>nopeer</tt></dt> + +<dd>Provide stateless time service to polling hosts, but do not +allocate peer memory resources to these hosts even if they +otherwise might be considered useful as future synchronization +partners.</dd> + +<dt><tt>notrust</tt></dt> + +<dd>Treat these hosts normally in other respects, but never use +them as synchronization sources.</dd> + +<dt><tt>limited</tt></dt> + +<dd>These hosts are subject to limitation of number of clients from +the same net. Net in this context refers to the IP notion of net +(class A, class B, class C, etc.). Only the first <tt> +client_limit</tt> hosts that have shown up at the server and that +have been active during the last <tt>client_limit_period</tt> +seconds are accepted. Requests from other clients from the same net +are rejected. Only time request packets are taken into account. +Query packets sent by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs +are not subject to these limits. A history of clients is kept using +the monitoring capability of <tt>ntpd</tt>. Thus, monitoring is +always active as long as there is a restriction entry with the <tt> +limited</tt> flag.</dd> + +<dt><tt>ntpport</tt></dt> + +<dd>This is actually a match algorithm modifier, rather than a +restriction flag. Its presence causes the restriction entry to be +matched only if the source port in the packet is the standard NTP +UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may +be specified. The <tt>ntpport</tt> is considered more specific and +is sorted later in the list.</dd> + +<dt><tt>version</tt></dt> + +<dd>Ignore these hosts if not the current NTP version.</dd> +</dl> +</dd> + +<dd>Default restriction list entries, with the flags <tt>ignore, +interface, ntpport</tt>, for each of the local host's interface +addresses are inserted into the table at startup to prevent the +server from attempting to synchronize to its own time. A default +entry is also always present, though if it is otherwise +unconfigured; no flags are associated with the default entry (i.e., +everything besides your own NTP server is unrestricted).</dd> + +<dt><tt>clientlimit <i>limit</i></tt></dt> + +<dd>Set the <tt>client_limit</tt> variable, which limits the number +of simultaneous access-controlled clients. The default value for +this variable is 3.</dd> + +<dt><tt>clientperiod <i>period</i></tt></dt> + +<dd>Set the <tt>client_limit_period</tt> variable, which specifies +the number of seconds after which a client is considered inactive +and thus no longer is counted for client limit restriction. The +default value for this variable is 3600 seconds.</dd> +</dl> + +<hr> +<a href="index.htm"><img align="left" src="pic/home.gif" alt= +"gif"></a> + +<address><a href="mailto:mills@udel.edu">David L. Mills +<mills@udel.edu></a></address> +</body> +</html> + |