xref: /netbsd-src/external/bsd/ntp/dist/html/accopt.html (revision b1c86f5f087524e68db12794ee9c3e3da1ab17a0) 
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2
3<html>
4<head>
5<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
6<meta name="generator" content="HTML Tidy, see www.w3.org">
7<title>Access Control Options</title>
8<link href="scripts/style.css" type="text/css" rel="stylesheet">
9<style type="text/css">
10<!--
11.style1 {
12	color: #FF0000;
13	font-weight: bold;
14}
15-->
16</style>
17</head>
18
19<body>
20
21<h3>Access Control Options</h3>
22
23<img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
24
25<p>The skunk watches for intruders and sprays.</p>
26<p>Last update:
27<!-- #BeginDate format:En2m -->30-Sep-2009  17:16<!-- #EndDate -->
28		UTC</p>
29<br clear="left">
30
31<h4>Related Links</h4>
32
33<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
34<script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script>
35
36<h4>Table of Contents</h4>
37
38<ul>
39<li class="inline"><a href="#acx">Access Control Support</a></li>
40<li class="inline"><a href="#cmd">Access Control Commands</a></li>
41</ul>
42
43<hr>
44
45<h4 id="acx">Access Control Support</h4>
46
47<p>The <tt>ntpd</tt> daemon implements a general purpose access control list
48	(ACL) containing address/match entries sorted first by increasing address
49	values and then by increasing mask values. A match occurs when the bitwise
50	AND of the mask and the packet source address is equal to the bitwise AND of
51	the mask and address in the list. The list is searched in order with the last
52	match found defining the restriction flags associated with the entry.</p>
53
54<p>An example may clarify how it works. Our campus has two class-B networks,
55128.4 for the ECE and CIS departments and 128.175 for the rest of campus.
56Let's assume (not true!) that subnet 128.4.1 homes critical services like class
57	rosters and spread sheets. A suitable ACL might be</p>
58<pre>
59restrict default nopeer					# deny new associations
60restrict 128.175.0.0 mask 255.255.0.0 		# allow campus access
61restrict 128.4.0.0 mask 255.255.0.0 none	# allow ECE and CIS access
62restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
63restrict time.nist.gov						# allow access
64</pre>
65
66<p>While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.</p>
67
68<h4 id="cmd">Access Control Commands</h4>
69
70<dl>
71
72<dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt></dt>
73<dd>Set the parameters of the rate control facility which protects the server
74	from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets
75	that violate these limits are discarded. If in addition the <tt>kod</tt> restriction
76	is present, a kiss-o'-death packet is returned.</dd>
77
78<dd><dl>
79
80<dt><tt>average <i>avg</i></tt></dt>
81<dd>Specify the minimum average interpacket spacing (minimum average headway
82time) in log<sub>2</sub> s with default 3.</dd>
83
84<dt><tt>minimum <i>min</i></tt></dt>
85<dd>Specify the minimum interpacket spacing (guard time) in log<sub>2</sub> s
86	with default 1.</dd>
87
88<dt><tt>monitor</tt></dt>
89<dd>Specify the probability of discard for packets that overflow the rate-control
90	window. This is a performance optimization for servers with aggregate arrivals
91	of 1000 packets per second or more.</dd>
92
93</dl></dd>
94
95<dt id="restrict"><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt>
96<dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the
97	address of a host or network. Alternatively, the <tt><i>address</i></tt> argument
98	can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in
99	dotted-quad form defaults to 255.255.255.255, meaning that the <tt><i>address</i></tt> is
100	treated as the address of an individual host. A default entry (address 0.0.0.0,
101	mask 0.0.0.0) is always included and is always the first entry in the list.
102	Note that the text string <tt>default</tt>, with no mask option, may be used
103	to indicate the default entry.</dd>
104
105<dd>Some flags have the effect to deny service, some  have the effect to
106	enable service and some are  conditioned by other flags. The  flags. are
107	not orthogonal, in that more restrictive flags will often make less restrictive
108	ones redundant. The flags that deny service are classed in two categories,
109	those that restrict time service and those that restrict informational queries
110	and attempts to do run-time reconfiguration of the server. One or more of the
111	following flags may be specified:</dd>
112<dd><dl>
113
114<dt><tt>flake</tt></dt>
115<dd>Discard received NTP packets with probability 0.1; that is, on average drop
116	one packet in ten. This is for testing and amusement. The name comes from Bob
117	Braden's <i>flakeway</i>, which once did a similar thing for early Internet
118	testing.</dd>
119
120<dt><tt>ignore</tt></dt>
121<dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
122
123<dt><tt>kod</tt></dt>
124<dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present
125	and a packet violates the rate limits established by the <tt>discard</tt> command.
126	KoD packets are themselves rate limited for each source address separately.
127	If this flag is not present, packets that violate the rate limits are discarded.</dd>
128
129<dt><tt>limited</tt></dt>
130<dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command.
131	This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
132
133<dt><tt>lowpriotrap</tt></dt>
134<dd>Declare traps set by matching hosts to be low priority. The number of traps
135	a server can maintain is limited (the current limit is 3). Traps are usually
136	assigned on a first come, first served basis, with later trap requestors being
137	denied service. This flag modifies the assignment algorithm by allowing low
138	priority traps to be overridden by later requests for normal priority traps.</dd>
139<dt><tt>mssntp</tt></dt>
140<dd>Enable Microsoft Windows MS-SNTP authentication using Active Directory services.
141	<span class="style1">Note: Potential users should be aware that these services
142	involve a TCP connection to another process that could potentially block,
143	denying services to other users. Therefore, this flag should be used only
144	for a dedicated  server with no clients other than MS-SNTP.</span></dd>
145<dt><tt>nomodify</tt></dt>
146<dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the
147	state of the server (i.e., run time reconfiguration). Queries which return information
148	are permitted.</dd>
149
150<dt><tt>noquery</tt></dt>
151<dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.</dd>
152
153<dt><tt>nopeer</tt></dt>
154<dd>Deny packets that might  mobilize an  association unless authenticated. This
155	includes broadcast, symmetric-active and manycast server packets when a configured
156	association does not exist. Note that this flag does not apply to packets
157	that do not attempt to mobilize an association. </dd>
158
159<dt><tt>noserve</tt></dt>
160<dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
161
162<dt><tt>notrap</tt></dt>
163<dd>Decline to provide mode 6 control message trap service to matching hosts.
164	The trap service is a subsystem of the <tt>ntpdc</tt> control message protocol
165	which is intended for use by remote event logging programs.</dd>
166
167<dt><tt>notrust</tt></dt>
168<dd>Deny packets that are not cryptographically authenticated. Note carefully
169	how this flag interacts with the <tt>auth</tt> option of the <tt>enable</tt> and <tt>disable</tt> commands.
170	If  <tt>auth</tt> is enabled, which is the default, authentication is required
171	for all packets that might mobilize  an association.
172	If <tt>auth</tt> is
173	disabled, but the <tt>notrust</tt> flag is not present, an association can be
174	mobilized whether or not authenticated. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag
175	is present, authentication is required only for the specified address/mask
176	range. </dd>
177
178		<dt><tt>ntpport</tt></dt>
179			<dt><tt>non-ntpport</tt></dt>
180			<dd>This is actually a match algorithm modifier, rather than a restriction
181				flag. Its presence causes the restriction entry to be matched only if the
182				source port in the packet is the standard NTP UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may
183				be specified. The <tt>ntpport</tt> is considered more specific and is sorted
184				later in the list.</dd>
185			<dt><tt>version</tt></dt>
186			<dd>Deny packets that do not match the current NTP version.</dd>
187		</dl>
188</dd>
189<dd>Default restriction list entries with the flags <tt>ignore, ntpport</tt>,
190	for each of the local host's interface addresses are inserted into the table
191	at startup to prevent the server from attempting to synchronize to its own time.
192	A default entry is also always present, though if it is otherwise unconfigured;
193	no flags are associated with the default entry (i.e., everything besides your
194	own NTP server is unrestricted).</dd>
195</dl>
196
197<hr>
198<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
199
200</body>
201
202</html>