
NTP Security

Overview

Network Time Protocol (NTP) packets need to be protected against tampering and forgery because NTP packet attacks may cause network interruptions, synchronization issues, and data loss.

NTP provides the following security policies at the protocol layer to improve security:

  • NTP supports the authentication function, which helps defend against erroneous packets and replay attacks.
  • NTP supports the whitelist function, which helps defend against DoS attacks. Specifically, packets sent from a port that is not on the whitelist are allocated only a limited default bandwidth, whereas each known port is given a "whitelist security" tag so that its packets are exchanged quickly. This is vital for fast convergence on the network.
  • NTP supports access control, which protects each local NTP service by setting the access authority.

Impact on the System

None

Procedure

  • Configure key authentication on a client and a server to improve security.
    1. Enter the system view.

      system-view

    2. Enable the NTP authentication function.

      ntp-service authentication enable

    3. Configure an NTP authentication key.

      ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } [ cipher ] password-key

      The HMAC-SHA256 algorithm is recommended for NTP key authentication because it provides higher security than the MD5 algorithm.

  • Configure NTP access authority on the local device.
    1. Enter the system view.

      system-view

    2. Allow peers that match an IPv4 ACL or an IPv6 ACL to perform time requests, control queries, and time synchronization on the local device.

      ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } *

      Before specifying acl-number, ensure that an ACL has been configured.

      The last ACL rule must deny all IP addresses. To allow the ACL to filter IP addresses in a VPN, run the rule [ rule-id ] deny vpn-instance vpn-instance-name command in the ACL view.
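The following configuration sequence combines the two procedures above into one hardened setup. It is an added example, not text from this page or from Huawei's own documentation: the ACL number, key ID, peer address 192.0.2.10 and the <KEY-PASSWORD> placeholder are constructed, and the two commands in step 4 are assumed from the platform's NTP command set rather than taken from this page.

```text
# Lines starting with "#" are annotations, not commands.
system-view

# 1. Basic ACL that permits only the trusted NTP peer.
#    192.0.2.10 is a constructed documentation address; replace it with the
#    real server. The final rule denies all other addresses, as the
#    procedure requires (add "deny vpn-instance <name>" rules for VPN peers).
acl number 2000
 rule 5 permit source 192.0.2.10 0
 rule 10 deny
 quit

# 2. Enable authentication and create an HMAC-SHA256 key.
#    Key ID 10 is arbitrary; <KEY-PASSWORD> is a placeholder for a strong secret.
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher <KEY-PASSWORD>

# 3. Restrict the synchronization access authority to peers matching ACL 2000.
ntp-service access synchronization 2000

# 4. Assumed commands (not shown on this page): mark key 10 as trusted and
#    bind it to the upstream server so that packets from 192.0.2.10 are
#    accepted only when they carry a valid HMAC-SHA256 authenticator.
ntp-service reliable authentication-keyid 10
ntp-service unicast-server 192.0.2.10 authentication-keyid 10

return
```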

Checking the Security Hardening Result

Copyright © Huawei Technologies Co., Ltd.