ITIS 3110 IT INFRASTRUCTURE II

Tony Kombol

NTP

"Does Anybody Realy Know What Time It Is?"*

•Time keeping is one of most fundamental aspects of computer infrastructure

•Many protocols rely on accurate clocks•Correlating information from multiple

systems impossible with out a shared clock

*Does Anybody Realy Care (CTA aka Chicago, 1969)http://www.youtube.com/watch?v=8qssWO8NSq0

Time Sources

Side note: Difference between precision and accuracy Accuracy

Closeness to the actual value E.g. the clock is 1 hour off

Precision How much it does not vary

E.g. the clock varies by less than a nanosecond in a year

So which is better? A clock might not vary by more than a

nanosecond, but be off by one hour A clock might be off by one second, but vary by

a millisecond over the day

Network Time Protocol (NTP)

•Port 123/udp•Can maintain time in fractions of a second•Can use external time source

oe.g. Atomic clock or GPS clock

•Most computers and devices act as a client

Network Time Protocol (NTP)

•All servers belong to a ‘Stratum’ • Denotes how far from a time source they areoPrevents Loops

Can only sync with servers in same stratum or higher

oStratum 0: time sourceoStratum 1: server directly attached to time sourceoEtc…

oVersions available for: oUNIX familyoWindows familyoSNTP for 2000 and XPoFull NTP for Server 2003 and Vista

Security concerns

Only a few security problems have been identified in the reference implementation of the NTP codebase in its 25+ year history

The protocol has been undergoing revision and review over its entire history As of January 2011, there are no security revisions in

the NTP specification and no reports at CERT The current codebase for the reference

implementation has been undergoing security audits from several sources for several years now There are no known high-risk vulnerabilities in the

current released software

NTP: Security Considerations

•Default configuration is usually client-only•Supports authentication if working in a

paranoid environment

NTP Stratum

http://en.wikipedia.org/wiki/File:Network_Time_Protocol_servers_and_clients.svg

Yellow arrows are direct connectionsRed arrows are network connections

Clock strata NTP uses a hierarchical, semi-layered system of levels of

clock sources Each level of this hierarchy is termed a stratum

Assigned a layer number starting with 0 (zero) at the top The stratum level defines its distance from the reference

clock and exists to prevent cyclical dependencies in the hierarchy

Note 1: the stratum level is not a guarantee of quality or reliability It is common to find stratum 3 time sources that are higher

quality than other stratum 2 time sources Note2: This definition of stratum is also different from

the notion of clock strata used in telecommunication systems

Clock strata

Stratum 0 Devices such as

Atomic clocks (cesium, rubidium) GPS clocks Radio clocks (e.g. WWV)

Stratum-0 devices are traditionally not attached to the network Instead they are locally connected to computers

e.g., via an RS-232 connection using a pulse per second signal

Stratum 1 These are computers attached to Stratum 0 devices. Normally they act as servers for timing requests from

Stratum 2 servers via NTP These computers are also referred to as time servers They are typically attached to the network

Clock strata

Stratum 2 Computers that send NTP requests to Stratum 1 servers Normally a Stratum 2 computer will reference a number of

Stratum 1 servers and use the NTP algorithm to gather the best data sample Dropping any Stratum 1 servers that seem obviously wrong

Stratum 2 computers will peer with other Stratum 2 computers to provide more stable and robust time for all devices in the peer group

Stratum 2 computers normally act as servers for Stratum 3 NTP requests

Stratum 3 These computers employ exactly the same algorithms for

peering and data sampling as Stratum 2 Can themselves act as servers for stratum 4 computers, and so on…

Clock strata

NTP supports up to 256 strata Only the first 16 are employed Any device at Stratum 16 is considered to

be unsynchronized Some systems may reject a time update

from a "too highly numbered" stratum

Note: Depends on what version of NTP protocol in use

SNTP - Simple Network Time Protocol

A less complex implementation of NTP Uses the same protocol Does not require the storage of state over

extended periods of time Used in some embedded devices and in

applications where high accuracy timing is not required See RFC 1361, RFC 1769, RFC 2030,

RFC 4330 and RFC 5905

NTP timestamps

64-bit timestamps used by NTP consist of 32-bit part for seconds 32-bit part for fractional second

Gives NTP: Time scale that rolls over every 232 seconds

~136 years Theoretical resolution of 2−32 seconds

~233 picoseconds NTP uses an epoch of January 1, 1900

First rollover occurs in 2036 Before the UNIX year 2038 problem

NTP timestamps Implementations should disambiguate NTP time using a

knowledge of the approximate time from other sources NTP only works with the differences between timestamps and

never their absolute values Wraparound is invisible as long as the timestamps are within 68

years of each other This means that the rollover will be invisible for most running

systems, since they will have the correct time to within a very small tolerance

However, systems that are starting up need to know the date within no more than 68 years Given the large allowed error, it is not expected that this is too

onerous a requirement One suggested method is to set the clock to no earlier than

the system build date Many systems use a battery powered hardware clock to avoid this

problem

NTP timestamps Even so, future versions of NTP may extend

the time representation to 128 bits: 64 bits for the second and 64 bits for the

fractional-second The current NTP4 format has support for Era

Number and Era Offset, that when used properly should aid fixing date rollover issues

According to Mills: "The 64 bit value for the fraction is enough to

resolve the amount of time it takes a photon to pass an electron at the speed of light. The 64 bit second value is enough to provide unambiguous time representation until the universe goes dim."

Stratum 0 clocks are usually directly connected to the network

A. TrueB. False

True

False

90%

10%

Logging

Logging

•Best practice is to centralize all logs to a dedicated log host

•Good for debugging, forensics, etc.•Centralized logging needs a shared clock

for best results

Clock synchronization algorithm

To synchronize its clock with a remote server, the NTP client must compute the round-trip delay time and the offset Round-trip delay is d = (t3-t0) – (t2-t1)

Where: t0 is the time of the request packet transmission t1 is the time of the request packet reception t2 is the time of the response packet transmission t3 is the time of the response packet reception (t3-t0) is the time elapsed on the client side between the

emission of the request packet and the reception of the response packet

while t2-t1 is the time the server waited before sending the answer.

Offset is given by o = ((t1-t0) + (t2-t3)) /2

Clock synchronization algorithm

The NTP synchronization is correct when both the incoming and outgoing routes between the client and the server have symmetrical nominal delay If the routes do not have a common

nominal delay, the synchronization has a systematic bias of half the difference between the forward and backward travel times

Syslog

•Port 514/UDP• Modern implementations support TCP as well

•Most computers and devices can generate syslog messages

•UDP is used because it is stateless

Syslog Facilities

• Every syslog message is associated with a facility• The facility is the general source of the message

•Example facilities are• AUTH• CRON• DAEMON• FTP• MAIL

• Allows different facilities to be handled differently

Facility Levels 0-11

Facility Number Keyword Facility Description

0 kern kernel messages1 user user-level messages2 mail mail system3 daemon system daemons4 auth security/authorization messages

5 syslog messages generated internally by syslogd

6 lpr line printer subsystem7 news network news subsystem8 uucp UUCP subsystem9 clock daemon10 authpriv security/authorization messages

11 ftp FTP daemon

Facility Levels (12-23)

Facility Number Keyword Facility Description

12 - NTP subsystem13 - log audit14 - log alert15 cron clock daemon16 local0 local use 0 (local0)17 local1 local use 1 (local1)18 local2 local use 2 (local2)19 local3 local use 3 (local3)20 local4 local use 4 (local4)21 local5 local use 5 (local5)22 local6 local use 6 (local6)23 local7 local use 7 (local7)

Syslog Priorities

•Every syslog message has a set priority•Declares how important the message is•Examples are:

odebugonoticeowarningoerror

Code SeverityKeywo

rdDescription General Description

0 Emergencyemerg (panic)

System is unusable.

A "panic" condition usually affecting multiple apps/servers/sites. At this level it would usually notify all tech staff on call.

1 Alert alertAction must be taken immediately.

Should be corrected immediately, therefore notify staff who can fix the problem. An example would be the loss of a primary ISP connection.

2 Critical crit Critical conditions.Should be corrected immediately, but indicates failure in a primary system, an example is a loss of a backup ISP connection.

3 Errorerr (error)

Error conditions.Non-urgent failures, these should be relayed to developers or admins; each item must be resolved within a given time.

4 Warningwarning (warn)

Warning conditions.

Warning messages, not an error, but indication that an error will occur if action is not taken, e.g. file system 85% full - each item must be resolved within a given time.

5 Notice noticeNormal but significant condition.

Events that are unusual but not error conditions - might be summarized in an email to developers or admins to spot potential problems - no immediate action required.

6Informational

infoInformational messages.

Normal operational messages - may be harvested for reporting, measuring throughput, etc. - no action required.

7 Debug debugDebug-level messages.

Info useful to developers for debugging the application, not useful during operations.

A common mnemonic used to remember the syslog levels down to top is: "Do I Notice When Evenings Come Around Early".

Severity Levels

Syslog Configuration

•Messages can be routed based on facility and priority• What subsystem and its importance

•Destination can be:• Local log file• Remote syslog server

•Log files can be written synchronously or asynchronously• Synchronous – slower but guaranteed write• Asynchronous – faster, but may lose some logs if

the system crashes

Example Syslog Configuration

# Log all kernel messages to the console.# Logging much else clutters up the screen.kern.* /dev/console# Log anything (except mail) of level info or higher.# Don't log private authentication messages!*.info;mail.none;authpriv.none;cron.none /var/log/messages# Send all logs to log.example.com*.* @log.example.com

Notes about the configuration

•*oThe asterisk is a ‘glob’ character. o It means to match anything

oYou will see it in many configuration files as well as on

the command line

•/dev/consoleoUNIX has a philosophy that everything is a fileo/dev/console is a device fileoIt writes messages to all locally attached terminals

Syslog: Security Considerations

•No authentication

•No encryption

•UDP source can be spoofed

•Malicious user could run log server out of disk space• Same for a mis-configured system

Syslog: Security Mitigations

•Limit access to Syslog using firewall

•Run on internal network if possible

•Log to a separate partition

•Monitor disk usage on log server

•Use more feature-rich syslog implementations that support TCP and/or encryption

 

Why do NTP and Syslog need to work together:

A. Both share the same base protocol

B. All systems need a common timebase for log timestamps

C. TCP requires synchronized packet transfers

D. It keeps the NSA synchronized Both

share

the sa

me base...

All sys

tems need a co

mm..

TCP require

s synch

ronize

...

It keeps t

he NSA sy

nchro

...

2% 0%2%

95%