
Bind NTP service to specific interface
Status: Closed, Resolved. Visibility: Public. Type: FEATURE REQUEST

Description

To prevent the NTP service from listening on all existing interfaces, it would be good to implement CLI options to configure interfaces for the NTP service, for example to add to ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared? Will be filled on close

Event Timeline

maugli13 created this task. Apr 12 2018, 3:20 PM

We already have set system ntp allow-clients address 172.16.0.0/12 which can become a brother to a new command named set system ntp listen-on.

@dmbaturin @syncer may I raise the question why this is under the system tree and not the service tree?

pasik added a subscriber: pasik. May 15 2018, 9:55 PM
syncer triaged this task as Normal priority. May 27 2018, 10:01 AM

@c-po I think we do not offer an NTP service as of now, but I think maybe we should?

c-po added a comment. Edited May 27 2018, 2:43 PM

@syncer we do offer NTP as a service (unfortunately it's under the system tree instead of service).

cpo@LR1# set system ntp
Possible completions:
 > allow-clients
                Network Time Protocol (NTP) server options
+> server       Network Time Protocol (NTP) server

We support several servers and also an allow-clients feature where only clients listed as IP networks are allowed to query. The NTP server listens on all interfaces right now. NTP is also already re-written as an XML style interface definition (T623). The question here is about extending the CLI and binding NTP to a specific IP (we should add this).

That is weird,
I was under the impression that we have it as a client.
So it perfectly makes sense to have it under service.

c-po added a comment. Edited May 27 2018, 6:57 PM

As soon as someone sets set system ntp allow-clients address 172.16.0.0/12 we act as an NTP server for this network, too. It's a bit odd that this node is under system but ... it is as it is.

If this node is set we listen on every interface:

# sudo netstat -vaun | grep 123
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*

You can test this e.g. under Windows with $ w32tm /stripchart /computer:<ipaddress> /dataonly /samples:100

I propose:

set system ntp listen-address
Possible completions:
   <x.x.x.x>         Domain Name Server (DNS) IPv4 address
   <h:h:h:h:h:h:h:h> Domain Name Server (DNS) IPv6 address

b/c NTPd uses IP addresses for listen connections and not interfaces.

It looks pretty clear from a configuration point of view. Actually this request was made to avoid a potential security breach if somebody doesn't have a correct ACL on a WAN-facing interface.

c-po moved this task from Need Triage to Finished on the VyOS 1.2 Crux board. Jun 1 2018, 7:17 AM
dmbaturin assigned this task to c-po. Jun 3 2018, 3:38 AM
dmbaturin closed this task as Resolved. Sep 25 2018, 6:20 PM
hexes added a subscriber: hexes. Nov 10 2019, 2:58 PM
 show system ntp
 allow-clients {
     address 192.168.100.0/24
 }
 server 10.255.0.1 {
     prefer
 }


netstat -vaun | grep 123
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp6       0      0 ::1:123                 :::*

And in config file there is:

#Do not listen on any interface address by default
interface ignore wildcard

I think that it's a mistake; "interface ignore wildcard" should come into the config only when "set system ntp listen-address" is configured...
What do you think?

hexes added a comment. Nov 10 2019, 3:01 PM

While "interface ignore wildcard" is configured, we get:

ntpq -c lpeer
 remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.255.0.1      .INIT.          16 u    -   64    0    0.000    0.000   0.000
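The two netstat listings in this thread follow directly from how ntpd evaluates `interface` rules, and the following added example (not VyOS or ntp project code) models that evaluation so the effect of a generated ntp.conf can be predicted before ntpd is restarted. It reproduces the logic of ntpd's interface_action() routine: the last matching rule wins, loopback addresses listen unless a rule matches them, the wildcard addresses 0.0.0.0 and :: are bound in "drop" mode by default (which is why they appear in the first netstat output), and once any `interface` rule exists the default for unmatched addresses flips from listen to ignore. That last point is what makes a lone `interface ignore wildcard` leave only 127.0.0.1 and ::1 bound, exactly as shown above. The host addresses, interface names and config fragments below are constructed for the example; treating loopback by address class rather than by the interface's loopback flag is a simplification of this model.

```python
"""Predict ntpd's bind plan from the 'interface' rules in an ntp.conf.

Added example, not VyOS or ntpd code. It models ntpd's interface rule
evaluation (interface_action() in ntp_io.c):
  * the last matching 'interface' rule in the config wins;
  * loopback addresses listen unless a rule matches them (approximated
    here by address class, an assumption of this model);
  * the wildcard addresses 0.0.0.0 and :: default to 'drop' (bound, but
    received packets are discarded);
  * with no rules every address listens; with ANY rule present the
    default for unmatched addresses becomes 'ignore'.
Sample addresses, interface names and config fragments are constructed.
"""
import ipaddress

WILDCARDS = (ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::"))


def parse_interface_rules(conf_text):
    """Return [(action, kind, arg)] for each interface/nic directive, in config order."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3 or parts[0] not in ("interface", "nic"):
            continue
        action, target = parts[1], parts[2]
        if action not in ("listen", "ignore", "drop"):
            raise ValueError(f"bad interface action in {raw!r}")
        if target in ("all", "ipv4", "ipv6", "wildcard"):
            rules.append((action, target, None))
            continue
        try:  # an address, optionally with /prefixlen
            rules.append((action, "address", ipaddress.ip_network(target, strict=False)))
        except ValueError:  # anything else is taken as an interface name
            rules.append((action, "ifname", target))
    return rules


def _matches(kind, arg, addr, ifname):
    if kind == "all":
        return True
    if kind == "ipv4":
        return addr.version == 4
    if kind == "ipv6":
        return addr.version == 6
    if kind == "wildcard":
        return addr in WILDCARDS
    if kind == "address":
        return addr in arg  # False when the address families differ
    return ifname is not None and ifname == arg


def action_for(rules, addr, ifname=None):
    """Action ntpd takes for one local address: 'listen', 'ignore' or 'drop'."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for action, kind, arg in reversed(rules):  # last matching rule wins
        if _matches(kind, arg, addr, ifname):
            return action
    if addr.is_loopback:
        return "listen"
    if addr in WILDCARDS:
        return "drop"
    return "listen" if not rules else "ignore"


def listen_plan(conf_text, local_addrs):
    """local_addrs maps address -> interface name; the wildcards are added automatically."""
    rules = parse_interface_rules(conf_text)
    plan = {str(w): action_for(rules, w) for w in WILDCARDS}
    for addr, ifname in local_addrs.items():
        plan[addr] = action_for(rules, addr, ifname)
    return plan


def bound_sockets(plan):
    """Addresses that show up as *:123 in netstat (listen and drop both bind)."""
    return sorted(a for a, act in plan.items() if act != "ignore")


def serving_sockets(plan):
    """Addresses that actually answer NTP queries."""
    return sorted(a for a, act in plan.items() if act == "listen")


def stale_listen_rules(conf_text, local_addrs):
    """'interface listen <address>' rules that match no current local address,
    e.g. after a DHCP renumbering; ntpd silently binds nothing for them."""
    present = [ipaddress.ip_address(a) for a in local_addrs]
    return [str(arg) for action, kind, arg in parse_interface_rules(conf_text)
            if action == "listen" and kind == "address"
            and not any(a in arg for a in present)]


# Constructed sample host: two routed addresses plus loopback.
LOCAL = {"172.16.37.241": "eth0", "172.16.254.36": "eth1", "127.0.0.1": "lo", "::1": "lo"}

DEFAULT_CONF = "server 10.255.0.1 prefer\n"                                # no interface rules
WILDCARD_ONLY = "interface ignore wildcard\n"                               # lone ignore rule
FIXED_CONF = "interface ignore wildcard\ninterface listen 172.16.37.241\n"  # explicit listen

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("wildcard-only", WILDCARD_ONLY), ("fixed", FIXED_CONF)):
        plan = listen_plan(conf, LOCAL)
        print(f"{name:14} bound={bound_sockets(plan)} serving={serving_sockets(plan)}")
```

Running the three constructed fragments shows the whole story: `DEFAULT_CONF` binds every address plus the two wildcard sockets, `WILDCARD_ONLY` leaves only the loopback pair, and `FIXED_CONF` adds back the one address named in the listen rule. `stale_listen_rules` covers the address-change problem raised in the next comment: a `listen` rule for an address the host no longer holds is reported rather than silently doing nothing.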
jjakob added a subscriber: jjakob. Edited Dec 24 2019, 11:11 AM

This is confusing. While NTP used to work (listen on all interfaces) without any listen-address set, now it doesn't. This means any old config without listen-address set will now have a non-working NTP without any warning. There was no migration script to migrate the old behavior to the new. ntp should have a mandatory listen-address if this new behavior is kept.

Of course this is incompatible with the default configuration with only a DHCP client interface. NTP needs to listen on the interface used to connect to the upstream server to work, so it won't even work as a client if it doesn't listen on that interface. This means ntpd needs to listen on the DHCP interface, if that interface is used to connect to servers.
*Correction: this is not true: if ntpd listens on any private address and there is a src-nat masquerade rule to the DHCP interface, it will work, if there is no masquerade rule, it won't. For example IPv6, there is usually no masquerade rule*

I also don't see the reason to limit ourselves to listening addresses as ntp.conf's "interface" definition takes either interface names or addresses. Take for example a case where an interface address changes (either in config or through DHCP client), that won't be reflected in ntp.conf and NTP on that interface will stop working.

I propose a configuration node 'listen {interface abc; address a.b.c.d;}' and a way to specify listening on all interfaces.

Additionally "show ntp" doesn't work due to error "localhost: timed out, nothing received". I've tried adding listen-address 127.0.0.1 with no change. ntpq -p works fine.

rps changed the status of subtask T1803: Unbind NTP while it's not requested... from Open to Confirmed. Mar 3 2020, 12:47 AM