<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>Access Control Support</title>
<link href="scripts/style.css" type="text/css" rel="stylesheet">
<style type="text/css">
<!--
.style1 {
color: #FF0000;
 font-weight: bold;
}
-->
</style>
</head>
<body>
<h3>Access Control Support</h3>
<p><img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a></p>
<p>The skunk watches for intruders and sprays.</p>
<p>Last update:
<!-- #BeginDate format:En2m -->26-Jul-2017 20:10<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
<script type="text/javascript" language="javascript" src="scripts/hand.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
<script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script>
<hr>
<h4>Access Control Support</h4>
<p>The <tt>ntpd</tt> daemon implements a general purpose access control list (ACL) containing address/match entries sorted first by increasing address values and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and the address in the list. The list is searched in order, with the last match found defining the restriction flags associated with the entry.</p>
<p>The ACL is specified as a list of <tt>restrict</tt> commands in the following format:</p>
<p><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></p>
<p>The <tt><i>address</i></tt> argument, expressed in dotted-quad form, is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument, expressed in IPv4 or IPv6 numeric address form, defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.</p>
<p>Some flags deny service, some enable service, and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service fall into two categories: those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.</p>
<p>An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let's assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spreadsheets. A suitable ACL might look like this:</p>
<pre>
restrict default nopeer # deny new associations
restrict 128.175.0.0 mask 255.255.0.0 # allow campus access
restrict 128.4.0.0 mask 255.255.0.0 none # allow ECE and CIS access
restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
restrict time.nist.gov # allow access
</pre>
<p>While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.</p>
<p>Default restriction list entries with the flags <tt>ignore, ntpport</tt>, one for each of the local host's interface addresses, are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present; if it is otherwise unconfigured, no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).</p>
<hr>
<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
</body>
</html>
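<p>To make the sort order and last-match rule concrete, here is an added example (not part of the original ntpd documentation or its code) that parses the campus ACL above into the sorted table ntpd describes and looks up the flags a packet source address would receive. It handles IPv4 dotted-quad entries only; the <tt>time.nist.gov</tt> line is left out because resolving a DNS name needs the network.</p>

```python
import ipaddress
from typing import List, Tuple

# Constructed ntp.conf fragment mirroring the example ACL on this page
# (the DNS-name entry is omitted so the example runs offline).
SAMPLE_CONF = """
restrict default nopeer # deny new associations
restrict 128.175.0.0 mask 255.255.0.0 # allow campus access
restrict 128.4.0.0 mask 255.255.0.0 none # allow ECE and CIS access
restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
"""

Entry = Tuple[int, int, List[str]]  # (address, mask, flags), addresses as ints


def parse_restrict(conf: str) -> List[Entry]:
    """Parse IPv4 'restrict' lines and sort them the way ntpd keeps its ACL:
    by increasing address value, then by increasing mask value."""
    entries: List[Entry] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] != "restrict" or words[1] == "source":
            continue                             # 'source' is a template, not an entry
        if words[1] == "default":                # IPv4 default entry: 0.0.0.0 / 0.0.0.0
            addr, mask, flags = 0, 0, words[2:]
        else:
            addr = int(ipaddress.IPv4Address(words[1]))  # raises on DNS names
            mask = 0xFFFFFFFF                    # no 'mask' keyword: single host
            rest = words[2:]
            if rest[:1] == ["mask"]:
                mask = int(ipaddress.IPv4Address(rest[1]))
                rest = rest[2:]
            flags = rest
        entries.append((addr, mask, flags))
    entries.sort(key=lambda e: (e[0], e[1]))
    return entries


def lookup(entries: List[Entry], source: str) -> List[str]:
    """Flags for a packet source: the LAST entry where
    (mask & address) == (mask & source) wins, as the page describes."""
    src = int(ipaddress.IPv4Address(source))
    matched: List[str] = []                      # default entry has no flags
    for addr, mask, flags in entries:
        if (mask & src) == (mask & addr):
            matched = flags
    return matched
```

<p>Because a longer mask sorts after a shorter one at the same address, the last match is also the most specific one: 128.4.1.5 ends up with <tt>notrust</tt>, 128.4.2.5 with <tt>none</tt>, a campus host such as 128.175.3.3 with no flags, and an off-campus address with the default <tt>nopeer</tt>.</p>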