Network Time Protocol
SUMMARY Network Time Protocol (NTP) is a protocol used to synchronize time on all the devices in a network.
NTP Overview
Network Time Protocol (NTP) is a widely used protocol used to synchronize the clocks of routers and other hardware devices on the Internet. Primary NTP servers are synchronized to a reference clock directly traceable to Coordinated Universal Time (UTC). Reference clocks include GPS receivers and telephone modem services, NTP accuracy expectations depend on the environment application requirements. However, NTP can generally maintain time to within tens of milliseconds over the public internet.
NTP is defined in the RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification
Devices running Junos OS can be configured to act as an NTP client, a secondary NTP server, or a primary NTP server. These variations are as follows:
-
Primary NTP Server—Primary NTP servers are synchronized to a reference clock that is directly traceable to UTC. These servers then re-distribute this time data downstream to other Secondary NTP servers or NTP clients.
-
Secondary NTP Server—Secondary NTP servers are synchronized to a primary or secondary NTP server. These servers then re-distribute this data downstream to other Secondary NTP servers or NTP clients.
-
NTP Client—NTP clients are synchronized to a primary or secondary NTP server. Clients do not re-distribute this time data to other devices.
The NTP subnet includes a number of widely accessible public primary time servers that can be used as a network’s primary NTP server. Juniper Networks strongly recommends that you authenticate any primary servers you use.
Each device on your network can be configured to run in one or more of the following NTP modes:
-
Broadcast Mode—One or more devices is set up to transmit time information to a specified broadcast or multicast address. Other devices listen for time sync packets on these addresses. This mode is less accurate than the client/server mode.
-
Client/Server Mode—Devices are organized hierarchically across the network in client/server relationships.
-
Symmetric Active (peer) Mode—Two or more devices are configured as NTP server peers to provide redundancy.
By default, if an NTP client time drifts so that the difference in time from the NTP
server exceeds 128 milliseconds, the NTP client is automatically stepped back into
synchronization. The NTP client will still synchronize with the server even if the
offset between the NTP client and server exceeds the 1000-second threshold. You can
manually request that a device synchronize with an NTP server by using the
set date ntp operational command on the router. On devices
running Junos OS that have dual Routing Engines, the backup Routing Engine
synchronizes directly with the primary Routing Engine.
All Juniper platforms that run Junos OS support the leap second adjustment. By default, if the NTP server is aware of the leap second calculations, then the Junos device will automatically add the 1 second delay. PTP (Precision Time Protocol) is used to detect and propagate leap second synchronization changes throughout all nodes in a network. NTP is also required for Common Criteria compliance. For more information on the Common Criteria certification, see Public Sector Certifications.
For more details about the Network Time Protocol, go to the Network Time Foundation website at http://www.ntp.org.
NTP supports IPv4 VPN and IPv6 routing and forwarding (VRF) requests on Junos OS. VRF request is also supported on Junos OS Evolved Release 20.2R1 onwards. This enables an NTP server running on a provider edge (PE) router to respond to NTP requests from a customer edge (CE) router. As a result, a PE router can process any NTP request packet coming from different routing instances.
Network Time Security (NTS) Support for NTP
NTS Overview
NTS provides cryptographic security for network time synchronization and supports client-server mode of NTP. NTS uses Transport Layer Security (TLS) protocol and Authenticated Encryption with Associated Data (AEAD) to obtain network time in an authenticated manner to the users. NTS also provides support for encryption of NTP extension fields.
The most important security processes are dependent on accurate time. Network time synchronization from a malicious source leads to serious consequences. Enabling NTS ensures accurate network time synchronization on your device.
Starting Junos OS Evolved release version 24.2R1, supports RFC 8915 compliance for Network Time Security (NTS) using Network Time Protocol (NTP) on ACX-Series, QFX-Series and PTX-Series devices. NTS provides cryptographic security for network time synchronization and supports the client/server mode of NTP.
This RFC 8915 compliance feature supports:
- Configuration of local-certificate for server and certificate verification options for client.
- Verification of x.509 certificates to establish a TLS channel between client and server.
- TLS NTS-KE protocol support.
- Support for NTS secured client-server NTP communication at server and client.
Benefits of NTS
- Provides strong cryptographic protection against wide range of security attacks such as packet manipulation, spoofing, DDOS amplification attacks, and replay attacks
- Ensures accurate network time synchronization from a reliable source
- Provides scalability: Servers can serve several clients without manually pre-configuring any client-specific configuration. Because of the usage of cookies the server does not need to locally store the client specific data such as keys and AEAD algorithm
- Prevents tracking of mobile devices
Network Time Synchronization with NTS
NTS consists of two protocols, the NTS Key Establishment protocol (NTS-KE) and the NTP time synchronization using NTS extension fields. Figure 1 shows the interactions in NTS.
NTS-KE Protocol
The NTS Key Establishment protocol (NTS-KE) uses TLS protocol to manage the initial authentication of the server, NTS parameter negotiation, and key establishment over TLS in the following order:
- The client performs a TLS handshake with the NTS-KE server and successfully verify the certificates.
-
The client performs the NTS parameters negotiation with the server over the TLS-protected channel. The cryptographic algorithms negotiated are AEAD methods, which protects the NTP packets in the second phase.
-
The client and the server successfully establish the key material for communication.
-
The server also sends a supply of initial cookies to the client to use in next phase.
-
The TLS channel closes and NTP proceeds to the next phase where actual exchange of time data happens.
NTS supports only the TLS version 1.3. The older TLS versions get rejected during the NTS-KE protocol phase.
NTP Time Synchronization Using NTS Extension Fields
This phase manages the encryption and authentication during NTP time synchronization through the extension fields in the NTP packets in the following order:
-
The client queries the NTP server about time with NTS extension fields. These extension fields include cookies and an authentication tag computed using negotiated AEAD algorithm and key material extracted from the NTS-KE handshake.
An NTS-secured NTP client request contains the following NTS extension fields:
-
Unique Identifier Extension Field: Contains randomly generated data and provides the means for replay protection at the NTS level.
-
NTS Cookie Extension Field: Contains the information about the key material, which establishes during NTS-KE phase, and the negotiated cryptographic algorithm. A cookie is only used once in a request to prevent tracking.
-
NTS Cookie Placeholder Extension Field: (Optional) Communicates to the server that the client wants to receive additional cookies in the response packet.
-
NTS Authenticator and Encrypted Extension Fields: Generated using AEAD Algorithm and key established during NTS-KE. This field provides the integrity protection for the NTP header and all the previous extension fields.
Constant refreshing of cookies protects a device from tracking when it changes network addresses. For example a mobile device moving across different networks. The lack of any recognizable data prevents an adversary from determining that two packets sent over different network addresses came from the same client.
-
-
When the server receives an NTS-secured request from the client, the server decrypts the cookie with a master key.
-
The server extracts the negotiated AEAD algorithm and the keys that are available in the cookie. Using this key, the server checks the integrity of the NTP packet to ensure no manipulations to the packet.
-
The server generates one or more new cookies and creates the NTP response packet. The server generates at least one new cookie and one additional cookie for each Cookie Placeholder Extension Field that the client added in the request packet.
The response packet contains two NTS extension fields:
- The Unique Identifier Extension Field, which has the same contents from the Unique Identifier field in request packet.
- The NTS Authenticator and Encrypted Extension Field, which secures the NTP header and the previous extension fields using the extracted keys.
-
The server also encrypts the cookies and includes them in the NTS Authenticator and Encrypted Extension Fields. This procedure also protects the client from tracking because an attacker cannot extract the cookies from a response message.
-
The server finalizes the response packet and sends the packet to the client.
-
The client receives the response packet.
-
The client checks the Unique Identifier field and verifies that the Unique Identifier matches with an outstanding request.
-
The client successfully performs the integrity check of the packet using the key and the AEAD algorithm.
-
The client decrypts the cookies and adds them to its pool and processes the time information received from server.
NTP Time Servers
The IETF defined the Network Time Protocol (NTP) to synchronize the clocks of computer systems connected to each other over a network. Most large networks have an NTP server that ensures that time on all devices is synchronized, regardless of the device location. If you use one or more NTP servers on your network, ensure you include the NTS server addresses in your Junos OS configuration.
When configuring the NTP, you can specify which system on the network is the authoritative time source, or time server, and how time is synchronized between systems on the network. To do this, you configure the router, switch, or security device to operate in one of the following modes:
-
Client mode—In this mode, the local router or switch can be synchronized with the remote system, but the remote system can never be synchronized with the local router or switch.
-
Symmetric active mode—In this mode, the local router or switch and the remote system can synchronize with each other. You use this mode in a network in which either the local router or switch or the remote system might be a better source of time.
Symmetric active mode can be initiated by either the local or the remote system. Only one system needs to be configured to do so. This means that the local system can synchronize with any system that offers symmetric active mode without any configuration whatsoever. However, we strongly encourage you to configure authentication to ensure that the local system synchronizes only with known time servers.
-
Broadcast mode—In this mode, the local router or switch sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the local router or switch is operating as a transmitter.
-
Server mode—In this mode, the local router or switch operates as an NTP server.
In NTP server mode, the Junos OS supports authentication as follows:
-
If the NTP request from the client comes with an authentication key (such as a key ID and message digest sent with the packet), the request is processed and answered based on the authentication key match.
-
If the NTP request from the client comes without any authentication key, the request is processed and answered without authentication.
-
Configure NTP Time Server and Time Services
When you use NTP, configure the router or switch to operate in one of the following modes:
-
Client mode
-
Symmetric active mode
-
Broadcast mode
-
Server mode
The following topics describe how to configure these modes of operation:
- Configure the Router or Switch to Operate in Client Mode
- Configure the Router or Switch to Operate in Symmetric Active Mode
- Configure the Router or Switch to Operate in Broadcast Mode
- Configure the Router or Switch to Operate in Server Mode
Configure the Router or Switch to Operate in Client Mode
To configure the local router or switch to operate in client mode, include
the server statement and other optional statements at the
[edit system ntp] hierarchy level:
[edit system ntp] server address <key key-number> <version value> <prefer>; authentication-key key-number type type value password; trusted-key[key-numbers];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server,
include the key option. The key corresponds to the
key number you specify in the authentication-key statement,
as described in .
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 1, 2, or 3, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in client mode:
[edit system ntp] authentication-key 1 type md5 value "$ABC123"; server 10.1.1.1 key 1 prefer; trusted-key 1;
Configure the Router or Switch to Operate in Symmetric Active Mode
To configure the local router or switch to operate in symmetric active mode,
include the peer statement at the [edit system
ntp] hierarchy level:
[edit system ntp] peer address <key key-number> <version value> <prefer>;
Specify the address of the remote system. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the remote system,
include the key option. The key corresponds to the
key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the remote system. To set the NTP version level to 1, 2 or 3, include the version option.
If you configure more than one remote system, you can mark one system preferred by including the prefer option:
peer address <key key-number> <version value> prefer;
Configure the Router or Switch to Operate in Broadcast Mode
To configure the local router or switch to operate in broadcast mode, include
the broadcast statement at the [edit system
ntp] hierarchy level:
[edit system ntp] broadcast address <key key-number> <version value> <ttl value>;
Specify the broadcast address on one of the local networks or a multicast address assigned to NTP. You must specify an address, not a hostname. If the multicast address is used, it must be 224.0.1.1. Multicast protocols PIM and IGMP should be enabled on the NTP client facing interfaces in order to facilitate the device to transmit NTP packets over multicast address 224.0.1.1. Run the following commands to do so:
set protocols igmp interface <interface_name> static group 224.0.1.1 set protocols pim rp local address <interface_ip> set protocols pim interface <interface_name> mode sparse-dense
NTP over multicast is not supported within the routing instance on the device.
To include an authentication key in all messages sent to the remote system,
include the key option. The key corresponds to the key number you specify in
the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the remote system. To set the NTP version level to 1, 2, or 3, include the version option.
Configure the Router or Switch to Operate in Server Mode
In server mode, the router or switch acts as an NTP server for clients when the clients are configured appropriately. The only prerequisite for “ server mode” is that the router or switch must be receiving time from another NTP peer or server. No other configuration is necessary on the router or switch.
When configuring the NTP service in the management VRF
(mgmt_junos), you must configure at least one IP
address on a physical or logical interface within the default routing
instance and ensure that this interface is up in order for the NTP service
to work with the mgmt_junos VRF.
To configure the local router or switch to operate as an NTP server, include
the following statements at the [edit system ntp] hierarchy
level:
[edit system ntp] authentication-key key-number type type value password; server address <key key-number> <version value> <prefer>; trusted-key [key-numbers];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server,
include the key option. The key corresponds to the
key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 1,or 2, or 3, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in server mode:
[edit system ntp] authentication-key 1 type md5 value "$ABC123"; server 192.168.27.46 prefer; trusted-key 1;
[edit system ntp]
nts
{
local-certificate <certificate-id of local certificate>;
trusted-ca (trusted-ca-group <trusted ca-group name> | trusted-ca-profile <ca-profile name>);
}
[edit system ntp server <server>]
nts remote-identity
{
hostname <FQDN of server>;
distinguished-name (container <container-string> | wildcard <wild-card string>);
}See Also
Example: Configure NTP as a Single Time Source for Router and Switch Clock Synchronization
Debugging and troubleshooting are much easier when the timestamps in the log files of all the routers or switches are synchronized, because events that span the network can be correlated with synchronous entries in multiple logs. We strongly recommend using the Network Time Protocol (NTP) to synchronize the system clocks of routers, switches, and other network equipment.
By default, NTP operates in an entirely unauthenticated manner. If a malicious attempt to influence the accuracy of a router or switch’s clock succeeds, it could have negative effects on system logging, make troubleshooting and intrusion detection more difficult, and impede other management functions.
The following sample configuration synchronizes all the routers or switches in the
network to a single time source. We recommend using authentication to make sure that
the NTP peer is trusted. The boot-server statement identifies the
server from which the initial time of day and date is obtained when the router
boots. The server statement identifies the NTP server used for
periodic time synchronization. The source-address statement enables
you to specify one source address per family for each routing instance, The
authentication-key statement specifies that an HMAC-Message
Digest 5 (MD5) scheme should be used to hash the key value for authentication, which
prevents the router or switch from synchronizing with an attacker’s host posing as
the time
server.
[edit]
system {
ntp {
authentication-key 2 type md5 value "$ABC123"; # SECRET-DATA
boot-server 10.1.4.1;
server 10.1.4.2 key 2;
source-address 10.1.4.3 routing-instance ntp-instance;
trusted key 2;
}
}
Synchronize and Coordinate Time Distribution Using NTP
Using NTP to synchronize and coordinate time distribution in a large network involves these tasks:
Configure NTP
-
To configure NTP on the switch, include the
ntpstatement at the[edit system]hierarchy level:[edit system] ntp { authentication-key number type type value password; boot-server (address | hostname); broadcast <address> <key key-number> <version value> <ttl value>; broadcast-client; multicast-client <address>; peer address <key key-number> <version value> <prefer>; server address <key key-number> <version value> <prefer>; ntp source-address routing-instance routing-instance-name; trusted-key [ key-numbers ]; }
Configure NTP Boot Server
When you boot the switch, it issues an ntpdate request, which polls a network server to determine the local date and time. You need to configure a server that the switch uses to determine the time when the switch boots. Otherwise, NTP will not be able to synchronize to a time server if the server’s time appears to be very far off of the local switch’s time.
-
To configure the NTP boot server, include the
boot-serverstatement at the[edit system ntp]hierarchy level:[edit system ntp] boot-server (address | hostname);
The boot-server option is deprecated starting in Junos
OS Release 20.4R1.
-
Junos OS Release 15.1 onwards, to configure the NTP boot server, include the
set ntp serverstatement at the[edit system ntp]hierarchy level:[edit system ntp] set server (address | hostname);
Specify either the IP address or the hostname of the network server.
Specify a Source Address for an NTP Server
For IP version 4 (IPv4), you can specify that if the NTP server configured at
the [edit system ntp] hierarchy level is contacted on one
of the loopback interface addresses, the reply always uses a specific source
address. This is useful for controlling which source address NTP will use to
access your network when it is either responding to an NTP client request
from your network or when it itself is sending NTP requests to your
network.
To configure the specific source address that the reply will always use, and
the source address that requests initiated by NTP server will use, include
the source-address statement at the [edit system
ntp] hierarchy level. The source-address is
a valid IP address configured on one of the router or switch interfaces.
[edit system ntp] user@host#set source-address source-address
For example:
[edit system ntp] user@host# set source-address 10.1.4.3
Starting in Junos OS Release 13.3, and Junos OS Evolved Release 20.2R1 you
can configure the source address using the routing-instance
statement at the [edit system ntp source-address
source-address] hierarchy level:
As a result, while sending NTP message through any interface in the ntp-source-test routing instance, the source address 12.12.12.12 is used.
The routing-instance statement is optional and if not
configured, the primary address of the interface will be used.
Specify one source address per family for each routing instance,
[edit system ntp] user@host# set source-address source-address routing-instance routing-instance-name
For example:
[edit system ntp] user@host# set source-address 10.1.4.3 routing-instance ntp-instance
When configuring the NTP service in the management VRF
(mgmt_junos), you must configure at least one IP
address on a physical or logical interface within the default routing
instance and ensure that this interface is up in order for the NTP service
to work with the mgmt_junos VRF.
If a firewall filter is applied on the loopback interface, ensure that
the source-address specified for the NTP server at the
[edit system ntp] hierarchy level is explicitly
included as one of the match criteria in the firewall filter. This
enables the Junos OS to accept traffic on the loopback interface from
the specified source address.
The following example shows a firewall filter with the source address
10.1.4.3 specified in the from
statement included at the [edit firewall filter
firewall-filter-name] hierarchy:
[edit firewall filter Loopback-Interface-Firewall-Filter]
term Allow-NTP {
from {
source-address {
172.17.27.46/32; // IP address of the NTP server
10.1.4.3/32 routing-instance ntp-instance; // Source address specified for the NTP server }
then accept;
}
}
If no source-address statement is configured for the NTP
server, include the primary address of the loopback interface in the
firewall filter.
NTP Configuration
The Network Time Protocol (NTP) provides the mechanisms to synchronize time and coordinate time distribution in a large, diverse network. Debugging and troubleshooting are much easier when the timestamps in the log files of all the routers or switches are synchronized, because events that span the network can be correlated with synchronous entries in multiple logs. We recommend using the Network Time Protocol (NTP) to synchronize the system clocks of routers, switches, and other network equipment.
To configure NTP:
Example: Configure NTP
The Network Time Protocol (NTP) provides the mechanism to synchronize time and coordinate time distribution in a large, diverse network. NTP uses a returnable-time design in which a distributed subnet of time servers operating in a self-organizing, hierarchical primary-secondary configuration synchronizes local clocks within the subnet and to national time standards by means of wire or radio. The servers also can redistribute reference time using local routing algorithms and time daemons.
This example shows how to configure NTP:
Requirements
This example uses the following software and hardware components:
-
Junos OS Release 11.1 or later
-
A switch connected to a network on which an NTP boot server and NTP server reside
Overview
Debugging and troubleshooting are much easier when the timestamps in the log files of all switches are synchronized, because events that span a network can be correlated with synchronous entries in multiple logs. We recommend using the Network Time Protocol (NTP) to synchronize the system clocks of your switch and other network equipment.
In this example, an administrator wants to synchronize the time in a switch to a
single time source. We recommend using authentication to make sure that the NTP
peer is trusted. The boot-server statement identifies the
server from which the initial time of day and date are obtained when the switch
boots. The server statement identifies the NTP server used for
periodic time synchronization. The authentication-key statement
specifies that an HMAC-Message Digest 5 (MD5) scheme is used to hash the key
value for authentication, which prevents the switch from synchronizing with an
attacker’s host that is posing as the time server.
Configuration
To configure NTP:
Procedure
CLI Quick Configuration
To quickly configure NTP, copy the following commands and paste them into the switch’s terminal window:
[edit system] set ntp boot-server 10.1.4.1 set ntp server 10.1.4.2 set ntp authentication-key 2 type md5 value "$ABC123"
Step-by-Step Procedure
To configure NTP :
-
Specify the boot server:
[edit system] user@host# set ntp boot-server 10.1.4.1
-
Specify the NTP server:
[edit system] user@host# set ntp server 10.1.4.2
-
Specify one source address per family for each routing-instance:
[edit system] user@host# set system ntp source-address 10.10.4.3 routing-instance ntp-instance
-
Specify the key number, authentication type (MD5), and key for authentication:
[edit system] user@host# set ntp authentication-key 2 type md5 value "$ABC123"
Results
Check the results:
[edit system]
user@host# show
ntp {
boot-server 10.1.4.1;
authentication-key 2 type md5 value "$ABC123"; ## SECRET-DATA
server 10.1.4.2;
source-address 10.10.4.3 routing-instance ntp-instance;
}
Verification
To confirm that the configuration is correct, perform these tasks:
Checking the Time
Purpose
Check the time that has been set on the switch.
Action
Enter the show system uptime operational mode command to
display the time.
user@host> show system uptime fpc0: -------------------------------------------------------------------------- Current time: 2009-06-12 12:49:03 PDT System booted: 2009-05-15 06:24:43 PDT (4w0d 06:24 ago) Protocols started: 2009-05-15 06:27:08 PDT (4w0d 06:21 ago) Last configured: 2009-05-27 14:57:03 PDT (2w1d 21:52 ago) by admin1 12:49PM up 28 days, 6:24, 1 user, load averages: 0.05, 0.06, 0.01
Meaning
The output shows that the current date and time are June 12, 2009 and 12:49:03 PDT. The switch booted 4 weeks, 6 hours, and 24 minutes ago, and its protocols were started approximately 3 minutes before it booted. The switch was last configured by user admin1 on May 27, 2009, and there is currently one user logged in to the switch.
The output also shows that the load average is 0.05 seconds for the last minute, 0.06 seconds for the last 5 minutes, and 0.01 seconds for the last 15 minutes.
Displaying the NTP Peers
Purpose
Verify that the time has been obtained from an NTP server.
Action
Enter the show ntp associations operational mode command
to display the NTP server from switch obtained its time.
user@host> show ntp associations
remote refid st t when poll reach delay offset jitter
==============================================================================
*ntp.net .GPS. 1 u 414 1024 377 3.435 4.002 0.765Meaning
The asterisk (*) in front of the NTP server name, or peer, indicates that the time is synchronized and obtained from this server. The delay, offset, and jitter are displayed in milliseconds.
Displaying the NTP Status
Purpose
View the configuration of the NTP server and the status of the system.
Action
Enter the show ntp status operational mode command to
view the status of the NTP.
user@host> show ntp status status=0644 leap_none, sync_ntp, 4 events, event_peer/strat_chg, version="ntpd 4.2.0-a Mon Apr 13 19:09:05 UTC 2009 (1)", processor="powerpc", system="JUNOS9.5R1.8", leap=00, stratum=2, precision=-18, rootdelay=2.805, rootdispersion=42.018, peer=48172, refid=192.168.28.5, reftime=cddd397a.60e6d7bf Fri, Jun 12 2009 13:30:50.378, poll=10, clock=cddd3b1b.ec5a2bb4 Fri, Jun 12 2009 13:37:47.923, state=4, offset=3.706, frequency=-23.018, jitter=1.818, stability=0.303
Meaning
The output shows status information about the switch and the NTP.
NTP Authentication Keys
Time synchronization can be authenticated to ensure that the switch obtains its time services only from known sources. By default, network time synchronization is unauthenticated. The switch will synchronize to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services.
To authenticate other time servers, include the trusted-key
statement at the [edit system ntp] hierarchy level.
The
trusted keys refer to the configured key that is trusted and used by NTP for
secure clock synchronization. Any configured key not referenced in the
trusted-key is not qualified and is rejected by NTP. Only
time servers that transmit network time packets containing one of the specified
key numbers are eligible to be synchronized. Additionally, the key needs to
match the value configured for that key number. Other systems can synchronize to
the local switch without being authenticated.
[edit system ntp] trusted-key[ key-numbers ];
Each key can be any 32-bit unsigned integer except 0. Include the
key option in the peer,
server, or broadcast statements to
transmit the specified authentication key when transmitting packets. The key is
necessary if the remote system has authentication enabled so that it can
synchronize to the local system.
To define the authentication keys, include the
authentication-key statement at the [edit system
ntp] hierarchy level:
[edit system ntp] authentication-key key-number type type value password;
number is the key number, type is the authentication type (only Message Digest 5 [MD5], SHA1, and SHA256 are supported), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication. There must be no space in the password for configuring the Network Time Protocol (NTP) authentication-key.
EX4300, EX4600, and related non-MP devices such as QFX5100 (EX and QFX models that run BSD6) support only MD5 authentication for NTP and do not support SHA-1 and SHA-256 authentication types.
Configure Devices to Listen to Broadcast Messages Using NTP
When you are using NTP, you can configure the local router or switch to listen
for broadcast messages on the local network to discover other servers on the
same subnet by including the broadcast-client statement at the
[edit system ntp] hierarchy level:
[edit system ntp] broadcast-client;
When the router or switch detects a broadcast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. It then enters broadcast client mode, in which it listens for, and synchronizes to, succeeding broadcast messages.
To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.
Configure Devices to Listen to Multicast Messages Using NTP
When you are using NTP, you can configure the local router or switch to listen
for multicast messages on the local network to discover other servers on the
same subnet by including the multicast-client statement at the
[edit system ntp] hierarchy level:
[edit system ntp] user@host# set multicast-client address
When the router or switch receives a multicast message for the first time, it measures the nominal network delay using a brief client-server exchange with the remote server. It then enters multicast client mode, in which it listens for, and synchronizes to, succeeding multicast messages.
You can specify one or more IP addresses. (You must specify an address, not a
hostname.) If you do, the router or switch joins those multicast groups. If you
do not specify any addresses, the software uses 224.0.1.1.
To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.