
NTP Security

Overview

As network technologies develop rapidly, it becomes increasingly important to ensure network security. Network Time Protocol (NTP) packets need to be protected against tampering and forgery because

NTP provides the following security policies at the protocol layer to improve security:

  • NTP supports the authentication function, which helps defend against error packets and replay attacks.
  • NTP supports the whitelist function, which helps defend against DoS attacks. Specifically, packets sent from a port that is not on the whitelist are allocated only a limited default bandwidth, whereas a "whitelist security" tag is created for each known port to achieve quick exchange of packets.
  • NTP supports access control, which protects each local NTP service by setting the access authority.

Impact on the System

None

Procedure

  1. Enter the system view.

    system-view

  2. Enable the NTP authentication function.

    ntp-service authentication enable

  3. Configure an NTP authentication key.

    ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 } [ cipher ] password-key

    The HMAC-SHA256 algorithm is recommended for NTP key authentication because it provides higher security than the MD5 algorithm.

  4. Configure the NTP authentication key as trusted.

    ntp-service reliable authentication-keyid key-id

    When NTP authentication is enabled, this command can be used to configure one or more NTP authentication keys as trusted.
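The following is an added example, not Huawei code: a Python check that reads configuration text and reports where steps 2 to 4 of the procedure above are incomplete or where a key still uses MD5. The sample configuration, the key IDs, and the function name audit_ntp_auth are constructed for illustration; only the three ntp-service commands shown in the procedure are recognized.

```python
import re

# Constructed sample configuration (not from a real device); key material is a placeholder.
SAMPLE_CONFIG = """\
ntp-service authentication enable
ntp-service authentication-keyid 10 authentication-mode hmac-sha256 cipher <placeholder-ciphertext>
ntp-service authentication-keyid 20 authentication-mode md5 cipher <placeholder-ciphertext>
ntp-service authentication-keyid 30 authentication-mode hmac-sha256 cipher <placeholder-ciphertext>
ntp-service reliable authentication-keyid 10
ntp-service reliable authentication-keyid 20
ntp-service reliable authentication-keyid 40
"""

KEY_RE = re.compile(r"^ntp-service authentication-keyid (\d+) authentication-mode (md5|hmac-sha256)\b")
TRUST_RE = re.compile(r"^ntp-service reliable authentication-keyid (\d+)\s*$")


def audit_ntp_auth(config: str) -> list[str]:
    """Return findings for the NTP authentication steps in a configuration text."""
    enabled = False
    keys: dict[int, str] = {}   # key-id -> authentication mode
    trusted: set[int] = set()   # key-ids marked as trusted (reliable)
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line == "ntp-service authentication enable":
            enabled = True
        elif m := KEY_RE.match(line):
            keys[int(m.group(1))] = m.group(2)
        elif m := TRUST_RE.match(line):
            trusted.add(int(m.group(1)))

    findings = []
    if not enabled:
        findings.append("authentication not enabled (step 2 missing)")
    if not keys:
        findings.append("no authentication key configured (step 3 missing)")
    for kid, mode in sorted(keys.items()):
        if mode == "md5":
            findings.append(f"key {kid} uses md5; hmac-sha256 is recommended")
        if kid not in trusted:
            findings.append(f"key {kid} is defined but not trusted (step 4 missing)")
    for kid in sorted(trusted - set(keys)):
        findings.append(f"key {kid} is trusted but has no key definition")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp_auth(SAMPLE_CONFIG):
        print(finding)
```

A configuration that completes all steps with HMAC-SHA256 keys produces no findings.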

Checking the Security Hardening Result

Copyright © Huawei Technologies Co., Ltd.