
Cannot use "deny" entry in NTP access list ACE

Expert
Posts: 216

Hi, I am trying to block a couple of networks from using the Infoblox NTP service, this is because we have migrated them onto another service and want to be sure all devices have been reconfigured. However I have found that if we add the ACE entries to the grid NTP ACL, we cannot set the permission to "Deny". The documentation states that the default permission is "Allow" and cannot be changed.

 

Why is this? A vanilla NTP configuration on Linux allows the use of "Deny" ACEs, but Infoblox does not allow us to do this. The docs also state that if I use a named ACL, only the "Allow" permissions in the named ACL are used.

 

Is there another way to do what I want?

 

Thanks,

 

Paul

 

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Cannot use "deny" entry in NTP access list ACE

Expert
Posts: 81

Hi Paul!

 

I found the same information that you have read, but I found no explanation why this is not implemented.

There is a predefined role in "Use this set of ACEs" configuration allowing access to all clients (any/any) rule. You can:

 

1. Remove it

2. Add only the networks allowed to reach NTP. If you have several networks, you can use supernet declarations, but you will have problems if you're trying to block a specific /24 network from a /8 network, for example. All other networks not specified will be blocked.

 

As far as I can see, this is the only method to perform this kind of filtering.

The odd thing: the NTP RFCs don't show any specific rule against implementing Deny instructions in NTP's ACL, so this must be something NIOS-specific.

 

These are some of the code comments from the NTP methods used in client filtering:

 

The access control list is an ordered set of tuples
consisting of an address, mask, and restrict word containing
defined bits.  The list is searched for the first match on
the source address (r->srcaddr) and the associated restrict
word is returned.

 

Check access control lists.  The intent here is to implement
a whitelist of those IP addresses specifically accepted
and/or a blacklist of those IP addresses specifically
rejected.  There could be different lists for authenticated
clients and unauthenticated clients.

 

Regards,

Paulo Costa

Re: Cannot use "deny" entry in NTP access list ACE

Expert
Posts: 216

Thanks for the reply Paulo. I did think about removing the "any" ACE and explicitly defining the networks I want to allow access, but there are hundreds of them. Unfortunately the customer doesn't adhere to RFC1918 space, so I'd have to add a ton of networks just to "carve out" the bit of space I want to block; it's just not practical. I really need to add a blacklist. I have told the customer it's just not possible.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Cannot use "deny" entry in NTP access list ACE

Expert
Posts: 81

Hi again, Paul!

 

I was able to talk with a colleague of mine about it. Although the NTP RFC mentions the use of "deny" instructions (not in these words, of course), the NTP daemon (ntpd) has a different method to control how client interaction is managed.

 

The ntpd documentation shows that when you configure NTP for the first time, you first set a default (global) level of permissions (which can be set for the IPv4 and IPv6 contexts) and then you add the permissions (exceptions) for hosts/subnets (including the ability to view/manage NTP server configuration details). However, it does not provide options for blocking other hosts you simply don't want to offer time sync to. These are the only four options configurable for clients allowed to interact with NTP:

 

  • nomodify -- "Do not allow this host/subnet to modify the ntpd settings even if they have the correct keys."

 

  • noserve -- "Do not serve time to this host/subnet." This option is really intended to be used when you want to allow a host/subnet to access your ntpd only for monitoring and/or remote configuration.

 

  • notrust -- "Ignore all NTP packets that are not cryptographically authenticated."

 

  • noquery -- "Do not allow this host/subnet to query your ntpd status." The ntpd status query features provided by ntpq/ntpdc will reveal some information about the system running ntpd (e.g. OS version, ntpd version) that you may not wish others to know.

Source: http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3.

 

So, taking the items above as the argument, the Infoblox NTP service behaviour is expected.

 

Best regards,

Paulo Costa
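The two ntpd comments quoted earlier (an ordered list of address/mask/restrict-word tuples, searched for the first match on the source address) and the default-plus-exceptions structure described in this post can be modelled in a few lines. The following is an added example, not Infoblox or ntpd code: it evaluates a constructed ACL two ways, once as an ordered first-match list that includes drop entries, and once as an allow-only list of the kind the thread says a NIOS named ACL honours. The restrict words are the four quoted in this post plus `ignore`, which is ntpd's restrict flag for dropping all packets from a source and is not mentioned in the thread. The sample networks are constructed; `address_exclude` from the standard library enumerates the allow entries needed to carve a /24 out of a /8, which is the "ton of networks" problem Paul describes.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Restrict words quoted in the thread, plus ntpd's "ignore" (drop all packets).
NOMODIFY, NOSERVE, NOTRUST, NOQUERY, IGNORE = (
    "nomodify", "noserve", "notrust", "noquery", "ignore",
)


@dataclass(frozen=True)
class Ace:
    """One tuple of the ordered list: a network (address + mask) and its restrict flags."""
    network: IPv4Network
    flags: frozenset


def ace(cidr: str, *flags: str) -> Ace:
    return Ace(ip_network(cidr), frozenset(flags))


def lookup(acl: list[Ace], src: str) -> Optional[frozenset]:
    """First-match search on the source address, as the quoted ntpd comment describes.
    Returns the restrict flags of the first matching entry, or None if nothing matches."""
    addr = ip_address(src)
    for entry in acl:
        if addr in entry.network:
            return entry.flags
    return None


def serves_time(acl: list[Ace], src: str) -> bool:
    """A source is served time only if some entry matches and that entry neither
    refuses service (noserve) nor drops the packet outright (ignore)."""
    flags = lookup(acl, src)
    if flags is None:
        return False  # no matching tuple: nothing is granted (allow-only semantics)
    return NOSERVE not in flags and IGNORE not in flags


# Model 1 (constructed): an ordered list that can carry drop entries.
# The migrated /24 is listed before the /8 it lives in, so the first match is
# the specific one; listing the /8 first would shadow the /24 entirely.
DENY_CAPABLE_ACL = [
    ace("10.5.6.0/24", IGNORE),             # migrated network: drop everything
    ace("10.0.0.0/8", NOMODIFY, NOQUERY),   # everyone else in 10/8: time only
    ace("0.0.0.0/0", IGNORE),               # default entry: drop all other sources
]


def allow_only_acl(wanted: str, carve_out: str) -> list[Ace]:
    """Express 'serve WANTED except CARVE_OUT' using Allow entries only, the way an
    allow-only list forces you to: the complement of the carve-out is enumerated,
    one entry per prefix-length step between the two networks."""
    return [
        ace(str(net), NOMODIFY, NOQUERY)
        for net in ip_network(wanted).address_exclude(ip_network(carve_out))
    ]


# Model 2 (constructed): the same policy with Allow entries only.
ALLOW_ONLY_ACL = allow_only_acl("10.0.0.0/8", "10.5.6.0/24")


if __name__ == "__main__":
    for src in ("10.5.6.7", "10.9.9.9", "192.0.2.1"):
        print(src, "deny-capable:", serves_time(DENY_CAPABLE_ACL, src),
              "allow-only:", serves_time(ALLOW_ONLY_ACL, src))
    print("allow-only entries needed for one /24 carve-out from a /8:", len(ALLOW_ONLY_ACL))
```

Both models yield the same decisions for the three sample sources, but the allow-only form needs sixteen entries to exclude a single /24 from a /8, and that count grows with every additional carve-out, which is why enumerating allowed space becomes impractical on a large, non-RFC1918 address plan. The ordering check is also worth keeping in mind for any first-match list: with the /8 entry placed first, the /24 drop entry is never reached.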

 

Re: Cannot use "deny" entry in NTP access list ACE

Expert
Posts: 223

It seems like the easiest way to accomplish what you want is to use a router outbound ACL on the interface that connects to the NIOS device. I've done that for some NTP appliances that don't natively support access controls.
