1.3.2 Extensions

The NTP Authentication Extensions use the Netlogon Remote Protocol (as specified in [MS-NRPC]) in a domain environment for authentication between a client and server that are capable of establishing a secure connection.

As specified in [MS-NRPC] section 3.5.4.3, the client uses the Netlogon domain controller locator service to find a domain controller (DC) that is a time source. The client and domain controller need to have pre-established trusted account information in the domain. The pre-established trusted account information is used to establish cryptographic keys and associated key identifiers for NTP authentication between the client and server.

The client sends an authentication request for time-synchronization information that carries the key identifier. The server constructs the response with the time information requested and computes the crypto-checksum of the message. The server replies with an authentication response containing the time information requested and the computed crypto-checksum. The client authenticates the response by recomputing the checksum and comparing it with the received value. The client accepts only authenticated responses. The sequence diagram is as described in sections 3.1.5 and 3.2.5.
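
The exchange just described, as an added simulation that is not part of this specification and not code from any implementation: a client request carrying a key identifier, a server response whose checksum is computed under the key that identifier selects, and a client that accepts the response only if the identifier matches what it asked for and a freshly computed checksum agrees. The key table, the fixed packet layout (48-byte header, 32-bit key identifier, 16-byte checksum), the zero checksum field in the request, and the checksum function itself (HMAC-SHA256 truncated to 16 bytes) are all assumptions chosen for illustration; the actual authenticator format and checksum algorithm are defined in sections 2.2, 3.1.5 and 3.2.5, not here.

```python
"""Constructed simulation of the authenticated NTP request/response exchange.

Added example, not the specification's or any product's code. The key table,
packet layout and checksum function are assumptions for illustration only.
"""
import hashlib
import hmac
import struct
from typing import Optional

NTP_HEADER_LEN = 48       # standard 48-byte NTP/SNTP header
KEY_ID_LEN = 4            # 32-bit key identifier
CHECKSUM_LEN = 16         # 128-bit crypto-checksum (assumed size)
MODE_CLIENT, MODE_SERVER = 3, 4

# Constructed key table standing in for the pre-established trusted account
# information: key identifier -> shared secret bytes (assumption).
KEY_TABLE = {
    0x00000042: b"constructed-shared-secret-for-key-0x42",
}


def build_header(mode: int, transmit_ts: int) -> bytes:
    """Minimal 48-byte NTP header: LI=0, VN=3, the given mode, and only the
    Transmit Timestamp populated (all other fields zero)."""
    li_vn_mode = (0 << 6) | (3 << 3) | mode
    # stratum, poll, precision, root delay, root dispersion, reference id,
    # reference/originate/receive timestamps, then the transmit timestamp
    return struct.pack("!BBBb3I4Q", li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, transmit_ts)


def crypto_checksum(key: bytes, header: bytes) -> bytes:
    """Stand-in crypto-checksum over the 48-byte header. Assumption: HMAC-SHA256
    truncated to 16 bytes; this is NOT the specification's algorithm."""
    return hmac.new(key, header, hashlib.sha256).digest()[:CHECKSUM_LEN]


def client_build_request(key_id: int, transmit_ts: int = 1) -> bytes:
    """Client request: client-mode header plus the key identifier the client wants
    the server to use. The checksum field is left zero here (assumption)."""
    header = build_header(MODE_CLIENT, transmit_ts)
    return header + struct.pack("!I", key_id) + bytes(CHECKSUM_LEN)


def server_handle_request(request: bytes, transmit_ts: int = 2) -> Optional[bytes]:
    """Server: read the key identifier, look up its key, and answer with a response
    whose checksum is computed under that key. Unknown identifiers get no reply."""
    if len(request) != NTP_HEADER_LEN + KEY_ID_LEN + CHECKSUM_LEN:
        return None
    (key_id,) = struct.unpack_from("!I", request, NTP_HEADER_LEN)
    key = KEY_TABLE.get(key_id)
    if key is None:
        return None
    header = build_header(MODE_SERVER, transmit_ts)
    return header + struct.pack("!I", key_id) + crypto_checksum(key, header)


def client_verify_response(response: Optional[bytes], expected_key_id: int) -> bool:
    """Client: accept only a response that echoes the requested key identifier and
    whose checksum matches a fresh computation under that key."""
    if response is None or len(response) != NTP_HEADER_LEN + KEY_ID_LEN + CHECKSUM_LEN:
        return False
    header = response[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack_from("!I", response, NTP_HEADER_LEN)
    received = response[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id != expected_key_id or key_id not in KEY_TABLE:
        return False
    expected = crypto_checksum(KEY_TABLE[key_id], header)
    # Constant-time comparison so the check leaks nothing about the digest.
    return hmac.compare_digest(received, expected)


def run_exchange(key_id: int = 0x42) -> dict:
    """Run the exchange once as-is and once with the response's Transmit Timestamp
    altered after the checksum was computed; report what the client accepted."""
    request = client_build_request(key_id)
    response = server_handle_request(request)
    tampered = bytearray(response)
    tampered[NTP_HEADER_LEN - 1] ^= 0x01   # flip one bit of the timestamp
    return {
        "genuine_accepted": client_verify_response(response, key_id),
        "tampered_accepted": client_verify_response(bytes(tampered), key_id),
        "unknown_key_answered": server_handle_request(client_build_request(0x99)) is not None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The verification step is where the security property lives: a response with a modified timestamp, or one produced under a key other than the one the client named, fails `client_verify_response` and is discarded, which is what "the client accepts only authenticated responses" amounts to in practice.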

This document describes an authentication mechanism that differs from the interim NTP authentication extension defined in [RFC1305] Appendix C as follows:

  • Uses a modified authenticator format and semantics, as described in section 2.2.

  • Uses a modified algorithm to compute the checksum, as described in sections 3.1.5 and 3.2.5.

  • Specifies how keys are identified by a client that is synchronizing time using the authentication extension against a DC, as described in sections 3.1.3, 3.1.5, and 3.1.6.

  • Specifies how key identifiers are interpreted by a server that is providing time synchronization for a client using the authentication extension, as described in section 3.2.5.

  • Uses modified authentication procedures, as described in sections 3.1.5, 3.1.6, and 3.2.5.

The NTP Authentication Extensions also apply to SNTP, as specified in [RFC2030]. The extensions specified in this document override the statements in [RFC2030] section 4 pertaining to the Authenticator field, and instead specify how the field is to be used and interpreted.

The NTP Authentication Extensions are defined only for the following NTP and SNTP association modes (as specified in [RFC1305] sections 3.2.1 and 3.3): client, server, and symmetric active. The client/server mode refers to the roles within the context of the NTP protocol, as opposed to roles within a network system.

As well as extending [RFC1305], the NTP Authentication Extensions apply directly to SNTP, as specified in [RFC2030]. For simplicity, only the terms NTP and [RFC1305] are generally used in the main body of this document. All references to NTP and [RFC1305] apply equally to SNTP and [RFC2030] unless the text clearly specifies otherwise.<1>