
Backstory, I operate a couple of public stratum 2 NTP servers that are part of the NTP pool. These then sync to internal stratum 1 NTP clocks.

The issue I have is that clients using the public NTP servers see the internal IPs of the stratum 1 clocks. I'd much rather have something else there, for example the DNS name of the servers. Is this at all possible?

Stuggi
  • Certainly sounds possible, but how is it that clients outside your network can "see" the S1 clocks? – Larryc May 07 '19 at 11:56
  • The addresses aren't of course reachable, it just looks amateurish to have the internal 192.168.x.x addresses show as the reference for the S2 clocks. – Stuggi May 10 '19 at 06:57

1 Answer


Reference ID is a 32-bit identifier to prevent loops. DNS names you may see are merely an implementation detail of IPv4 addresses being used, plus the convenience of your NTP client resolving them for you.

If the bits look like an IPv4 address and resolve to a name in public DNS, clients will see a name. You can't configure this to an arbitrary string.

To obscure it, have your stratum 1 NTP provide service over IPv6 and have stratum 2 access stratum 1 over that interface. Due to the hashing and other hacks to stuff IPv6 into a 32-bit refid, the address won't be in the packets.

However, realize that obscuring the IP address provides zero additional security. You should be restricting the control protocol to localhost or a local subnet, plus network firewalls.

John Mahowald
  • Thanks, I'm of course fully aware that this would not be something of a security improvement (except from an OPSEC standpoint maybe), it's just that I'm trying to act professional and this in my opinion looks a bit amateurish :) The obvious solution would be to give the S1 clocks public IPs and just not allow access to them, but I'm not going to waste public IPs on just window dressing. Thanks for the IPv6 suggestion, finally I have something to motivate adding IPv6 support to the network. :) – Stuggi May 10 '19 at 07:02
  • RFC1918 addresses are an adequate refid, there's no need to route to them and small risk of collision. They are the minority because much of the NTP pool references a public IP NTP or a 4-character reference clock. This is the most trivial reason to use IPv6 I've seen, but at least it is an excuse to use IPv6. – John Mahowald May 10 '19 at 12:42
  • Well, you got to start somewhere! :) – Stuggi May 15 '19 at 05:24
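The answer's actual security point is the last paragraph: the refid is not the attack surface, the mode 6/7 control and query path is. The fragment below is an added illustration, not the asker's or answerer's configuration, and it assumes the public stratum 2 servers run the reference ntpd (the thread never names the implementation; chrony uses different directives). The management subnet and upstream address are hypothetical.

```conf
# Weak: no restrict lines at all. ntpd then answers mode 6/7 control and
# query traffic from anyone, which exposes peer lists and the refid of
# every upstream, and has historically served as a DDoS amplifier.
#
# Corrected: deny everything by default and open only what is needed.
# kod      send Kiss-o'-Death packets to clients that exceed rate limits
# nomodify no runtime configuration changes via ntpq/ntpdc
# notrap   no control-message trap service
# nopeer   do not form symmetric associations with unknown hosts
# noquery  no ntpq/ntpdc queries at all; plain time service still works
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Full access from the host itself for local ntpq
restrict 127.0.0.1
restrict ::1

# Queries (but no modification) from the management subnet only
# (192.168.10.0/24 is a hypothetical example range)
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap

# Internal stratum 1 upstream (hypothetical address)
server 192.168.1.10 iburst

# Disable the mode 7 monitoring list (monlist) outright
disable monitor
```

With `noquery` in the default restriction, an outside client still receives time but gets no answer to `ntpq -p` or `ntpq -c rv`, so whether the stratum 1 refid reads as an RFC 1918 address or an IPv6 hash is cosmetic rather than a disclosure through the control channel. Keep a host firewall in front of UDP/123 as well, as the answer says, so that control traffic from unexpected networks is dropped before ntpd sees it.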
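The refid derivation the answer describes (four IPv4 octets verbatim versus the first four octets of an MD5 hash for an IPv6 source, per RFC 5905 section 7.3) can be checked directly. The following is an added example, not code from the thread or from ntpd: it builds a constructed 48-byte NTPv4 server reply, fills the refid the way a stratum 2 server would for an upstream at a given address, and decodes the field the way a client does. The addresses are from documentation and RFC 1918 ranges and stand in for the asker's internal stratum 1 clocks.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple

# Added example, not code from the original thread or from any NTP
# implementation. Models the refid rules of RFC 5905 s7.3 and a client's
# decoding of the field. All addresses below are constructed (RFC 1918
# and RFC 3849 documentation ranges), not real servers.


def refid_for_source(addr: str) -> bytes:
    """Refid a stratum>=2 server advertises for its upstream at `addr`.

    IPv4: the four address octets verbatim, so every client can read the
    upstream's address straight out of the packet.
    IPv6: first four octets of MD5 over the 16-byte address (RFC 5905),
    which cannot be turned back into the address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip.packed
    return hashlib.md5(ip.packed).digest()[:4]


def decode_refid(stratum: int, refid: bytes) -> str:
    """Interpret the 4-octet refid field the way an NTP client would."""
    if len(refid) != 4:
        raise ValueError("refid must be exactly 4 octets")
    if stratum == 0:
        # Kiss-o'-Death code such as RATE or DENY
        return "kiss:" + refid.decode("ascii", "replace").rstrip("\x00")
    if stratum == 1:
        # Four-character reference clock identifier such as GPS or PPS
        return "refclock:" + refid.decode("ascii", "replace").rstrip("\x00")
    # Stratum 2 and above: clients render the bits as a dotted quad.
    # Whether that is a real IPv4 address or the MD5 prefix of an IPv6
    # address is not recoverable from the packet alone.
    return str(ipaddress.IPv4Address(refid))


def build_server_reply(stratum: int, upstream: str) -> bytes:
    """Constructed 48-byte NTPv4 server reply (mode 4) whose refid is
    derived from `upstream`; timestamps are zeroed because only the
    header fields matter for this demonstration."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # LI=0, VN=4, mode=4 (server)
    poll, precision = 6, -20
    root_delay = root_disp = 0
    header = struct.pack("!BBbbII", li_vn_mode, stratum, poll, precision,
                         root_delay, root_disp)
    # header (12) + refid (4) + four 8-byte timestamps (32) = 48 bytes
    return header + refid_for_source(upstream) + bytes(32)


def parse_reply(pkt: bytes) -> Tuple[int, str]:
    """Return (stratum, decoded refid) from a raw NTP reply."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    stratum = pkt[1]
    return stratum, decode_refid(stratum, pkt[12:16])


if __name__ == "__main__":
    # Stratum 2 synced to an internal IPv4 stratum 1: the RFC 1918 address
    # is visible to every public client, which is what the question is about.
    print(parse_reply(build_server_reply(2, "192.168.1.10")))
    # Same topology with the upstream reached over IPv6: the client only
    # sees an opaque 4-byte hash rendered as a dotted quad.
    print(parse_reply(build_server_reply(2, "2001:db8::1")))
```

Running it shows the first reply decoding to `192.168.1.10` and the second to an unrelated-looking dotted quad that is just the leading four bytes of the MD5 of the IPv6 address, which is the whole of the answer's IPv6 suggestion. Note that a client cannot tell the two cases apart from the bits, so an IPv6-derived refid can also happen to look like a routable IPv4 address.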