[ntpwg] Handling authentication extensions (was MS-SNTP)

Danny Mayer mayer at ntp.isc.org
Thu Apr 3 02:44:53 UTC 2008


Dave,

I'd like to make the following addition to the NTPv4 spec (and yes I 
know it's late) but this is important in processing authentication. I'm 
doing this for the case where there is more than one authentication 
extension header.

Proposed addition text:

"When processing extensions to the NTP packet involving authentication, 
the NTP server and client MUST process them in the order listed in the 
packet. If the authentication type, as defined in the field type of the 
extension, is not recognized or supported, its content is discarded and 
the application moves on to the next authentication type until it finds 
one that it does support. All subsequent authentication extension types 
are then discarded. If no authentication type is found, the application 
proceeds based upon the policy of that server instance."

The goal here is to allow a client to send multiple possible 
authentication types (in order of preference) and the server will choose 
the first one it finds that it supports.

Does this all make sense?

Danny

David L. Mills wrote:
> Andrew,
> 
> I hear you and don't want to leave Microsoft out in any case. As it 
> stands, the MS-SNTP key ID scheme is incompatible with ordinary NTP 
> users and the national laboratories. But, you have given me an idea.
> 
> You say Samba is to simulate an AD controller, which means it would be a 
> MS-SNTP server for that domain. I wouldn't think the Samba AD would 
> ordinarily be a MS-SNTP client of another MS-SNTP server in that 
> domain, but that might happen. On the other hand, the Samba 4 machine 
> would very likely be a client of other NTP server(s). This is the case I 
> am worried about. An even more perplexing case is when the Samba machine 
> is a server for both NTP and MS-SNTP clients.
> 
> For grins, I propose a configuration command to set the default server 
> key ID scheme (ntp/mssntp/...) plus an association configuration option 
> to set the default client key ID scheme. Exceptions can be handled by 
> the restrict mechanism by using the restrict bits to override the 
> default server scheme. I assume an AD will not have addresses scattered 
> all over the place and relatively few address/mask pairs would be 
> necessary. If on the other hand only a few NTP clients are used, the 
> mask can apply to them.
> 
> Does this work?
> 
> Dave
