(Software) timeserver for windows being broadcast-able incl. keys - NTP


  1. (Software) timeserver for windows being broadcast-able incl. keys

    Hi

    I am looking for a (software) time servers (to run on Win2000) that
    can send out broadcast messages together with (three) security keys
    (for authoring)

    This broadcastmessage (to be sent out approx. every few minutes) to be
    picked up by our
    Linux-clients which will correct time when keys are found
    (clients are set to 'broadcastclient' in ntp.conf-file)

    BTW: A different config on clients will not be possible since clients
    are as-is
    (guarantee-issue supplier)

    I know of several hardware servers that can do this job, but does
    anyone know of any software time server capable of doing this job?

    Thank you in advance
    Erik
    Holland


  2. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hi
    >
    > I am looking for a (software) time servers (to run on Win2000) that
    > can send out broadcast messages together with (three) security keys
    > (for authoring)
    >


    Well ntpd works on Windows though I'm not entirely sure what you mean by
    3 security keys or authoring. ntpd supports the autokey protocol details
    of which you can find in the documentation area of the website:
    http://www.ntp.org/


    > This broadcastmessage (to be sent out approx. every few minutes) to be
    > picked up by our
    > Linux-clients which will correct time when keys are found
    > (clients are set to 'broadcastclient' in ntp.conf-file)
    >


    Broadcast NTP packets go out every 64 seconds.

    > BTW: A different config on clients will not be possible since clients
    > are as-is
    > (guarantee-issue supplier)
    >


    That seems to be a strange statement for software.

    > I know of several hardware servers that can do this job, but does
    > anyone know of any software time server capable of doing this job?
    >


    The hardware servers depend on ntpd in order to work so I'm not sure
    what you think you get which is any different.

    Danny
    _______________________________________________
    questions mailing list
    questions@lists.ntp.isc.org
    https://lists.ntp.isc.org/mailman/listinfo/questions


  3. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Hi Danny

    thanks for your input

    > > I am looking for a (software) time servers (to run on Win2000) that
    > > can send out broadcast messages together with (three) security keys
    > > (for authoring)

    >
    > Well ntpd works on Windows though I'm not entirely sure what you mean by
    > 3 security keys or authoring. ntpd supports the autokey protocol details
    > of which you can find in the documentation area of the website:http://www.ntp.org/


    what I mean is that the clients expect three keys in the broadcast
    message to be sent along
    These keys are defined in /etc/ntp/keys
    For example
    1 M
    2 M
    15 M
    else they will refuse to see the broadcast as one that can be trusted
    and will not correct the time
    This means that the prog sending out these broadcasts will have to
    send along these keys

    BTW If this is the 'autokey' you mentioned is what I don't know; I
    will look into the info-pages you mentioned

    > > BTW: A different config on clients will not be possible since clients
    > > are as-is
    > > (guarantee-issue supplier)

    >
    > That seems to be a strange statement for software.


    It concerns machines with an integrated industrial PC here running
    Linux
    We might run into probs with supplier when it comes to guarantee
    issues when fiddling with the standard config of these machines

    > > I know of several hardware servers that can do this job, but does
    > > anyone know of any software time server capable of doing this job?

    >
    > The hardware servers depend on ntpd in order to work so I'm not sure
    > what you think you get which is any different.


    Euhh.. sound logical but again; I am new in this area. I will read the
    remaining info on ntp.org website

    Thanks again for the input
    Erik


  4. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hi Danny
    >
    > thanks for your input
    >
    >
    >>>I am looking for a (software) time servers (to run on Win2000) that
    >>>can send out broadcast messages together with (three) security keys
    >>>(for authoring)

    >>
    >>Well ntpd works on Windows though I'm not entirely sure what you mean by
    >>3 security keys or authoring. ntpd supports the autokey protocol details
    >>of which you can find in the documentation area of the website:http://www.ntp.org/

    >
    >
    > what I mean is that the clients expect three keys in the broadcast
    > message to be sent along
    > These keys are defined in /etc/ntp/keys
    > For example
    > 1 M
    > 2 M
    > 15 M
    > else they will refuse to see the broadcast as one that can be trusted
    > and will not correct the time
    > This means that the prog sending out these broadcasts will have to
    > send along these keys


    Ntpd uses only ONE of those keys at a time. ISTR that the client
    specifies the key to be used on the "server" statement. You are not, of
    course, limited to three keys; a server might have a different set of
    keys for every client. (Unwieldy but possible.) In a broadcast or
    multicast subnet, everybody would have to use the same key.

    These keys are generally NOT used over the internet! A different keying
    scheme is used to authenticate server to client. It works something
    like this: you ask the server for its "public" key but the server signs
    its packets with its "private" key. Your client, using the public key,
    can determine that the packet was signed by a server holding the private
    key.

    Ntpd supports both these keying schemes. The private-public key scheme
    is used by public servers whose clients need to be able to prove that
    they are synchronized to a source traceable to NIST or some other
    "national standards laboratory". Keys can, of course, be used within a
    corporate or private network.


  5. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik,

    You want to install/maintain ntp.keys on your "client" machines just like
    you install/maintain ntp.conf on those machines.

    The machine doing the broadcasting does not send this file out, and that is
    a feature.

    H

  6. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hi Danny
    >
    > thanks for your input
    >
    >>> I am looking for a (software) time servers (to run on Win2000) that
    >>> can send out broadcast messages together with (three) security keys
    >>> (for authoring)

    >> Well ntpd works on Windows though I'm not entirely sure what you mean by
    >> 3 security keys or authoring. ntpd supports the autokey protocol details
    >> of which you can find in the documentation area of the website:http://www.ntp.org/

    >
    > what I mean is that the clients expect three keys in the broadcast
    > message to be sent along
    > These keys are defined in /etc/ntp/keys
    > For example
    > 1 M
    > 2 M
    > 15 M
    > else they will refuse to see the broadcast as one that can be trusted
    > and will not correct the time
    > This means that the prog sending out these broadcasts will have to
    > send along these keys
    >
    > BTW If this is the 'autokey' you mentioned is what I don't know; I
    > will look into the info-pages you mentioned
    >


    That's the older security mechanism so don't look at autokey. You need
    to set up the keys right in your config file. The standard documentation
    shows how to set that up. Please post your config file.

    Danny


  7. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Hello Danny,
    thanks for the input

    > That's the older security mechanism so don't look at autokey. You need
    > to set up the keys right in your config file.


    Ok, so not Autokey
    BTW With 'setting up right in your config-file' I assume you mean
    setting it up in the ntp.conf - file on the PC on which NTP-prog is
    installed ?

    > The standard documentation shows how to set that up.


    I will look into this. But for my understanding (again, a novice in
    this area):
    The NTP-program from the ntp.org-site is kind of the windows-version
    of the one present on for instance Linux-systems but with the same
    capabilities??

    > Please post your config file.


    The ntp.conf you mean?

    Thanks
    Erik


  8. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Hello Danny,
    thanks for the input


    > That's the older security mechanism so don't look at autokey. You need
    > to set up the keys right in your config file.



    Ok, so not Autokey
    BTW With 'setting up right in your config-file' I assume you mean
    setting it up in the ntp.conf - file on the PC on which NTP-prog is
    installed ?
    This would then be something like
    broadcast key 1 2 15
    (since on client no subnet-address is specified, only
    'broadcastclient')?

    > The standard documentation shows how to set that up.


    I will look into this further. But for my general understanding
    (again, a novice in
    this area):
    The NTP-program from the ntp.org-site is kind of the windows-version
    of the one present on for instance Linux-systems but with the same
    capabilities??


    > Please post your config file.


    The ntp.conf you mean?

    Thanks
    Erik


  9. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hello Danny,
    > thanks for the input
    >
    >> That's the older security mechanism so don't look at autokey. You need
    >> to set up the keys right in your config file.

    >
    > Ok, so not Autokey
    > BTW With 'setting up right in your config-file' I assume you mean
    > setting it up in the ntp.conf - file on the PC on which NTP-prog is
    > installed ?
    >


    Yes.

    >> The standard documentation shows how to set that up.

    >
    > I will look into this. But for my understanding (again, a novice in
    > this area):
    > The NTP-program from the ntp.org-site is kind of the windows-version
    > of the one present on for instance Linux-systems but with the same
    > capabilities??
    >


    Yes. You may want to install the Meinberg build which has an installer.

    >> Please post your config file.

    >
    > The ntp.conf you mean?
    >


    Yes.

    Danny


  10. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > This would then be something like
    > broadcast key 1 2 15
    > (since on client no subnet-address is specified, only
    > 'broadcastclient')?
    >


    No, that's wrong. broadcast takes the broadcast or multicast address
    followed by the key and one key number. If you add a second key it will
    likely write over the first. Choose just one key to use. Remember it's
    the server authenticating to the client and not the other way around.

    Danny


  11. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Hello Danny

    > > broadcast key 1 2 15
    > > (since on client no subnet-address is specified, only
    > > 'broadcastclient')?

    >
    > No, that's wrong. broadcast takes the broadcast or multicast address


    .... but the client has no address specified, just 'broadcastclient'
    what would be the subnet-address to make sure that all clients
    (approx. 40) will receive the broadcast ?
    255.255.255.255 ??

    > followed by the key and one key number. If you add a second key it will
    > likely write over the first. Choose just one key to use. Remember it's
    > the server authenticating to the client and not the other way around.


    ok, I assumed while on the client these three keys are present, all of
    these three keys are also to be expected in the broadcast
    Should I then read the client's key-list as an OR list then? I.e. or
    this key, or that key then broadcast can be 'trusted'
    In other words: I can just pick one out?

    p.s.: thanks for the tip concerning the Meinberg-built prog

    Erik


  12. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hello Danny
    >
    >>> broadcast key 1 2 15
    >>> (since on client no subnet-address is specified, only
    >>> 'broadcastclient')?

    >> No, that's wrong. broadcast takes the broadcast or multicast address

    >
    > ... but the client has no address specified, just 'broadcastclient'
    > what would be the subnet-address to make sure that all clients
    > (approx. 40) will receive the broadcast ?
    > 255.255.255.255 ??
    >


    Broadcast is for the server side. broadcastclient is strictly for the
    clients and only takes an optional novolley argument which you don't
    want. Your example shows broadcast (I assume this was for the Windows
    box which needs this). The clients use the broadcastclient line.

    >> followed by the key and one key number. If you add a second key it will
    >> likely write over the first. Choose just one key to use. Remember it's
    >> the server authenticating to the client and not the other way around.

    >
    > ok, I assumed while on the client these three keys are present, all of
    > these three keys are also to be expected in the broadcast
    > Should I then read the client's key-list as an OR list then? I.e. or
    > this key, or that key then broadcast can be 'trusted'
    > In other words: I can just pick one out?
    >


    I don't believe that you can use more than one key here since the server
    will only send the broadcast packets with one key. Steve might be able
    to say something about this part.

    Danny


  13. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > Hello Danny,
    > thanks for the input
    >
    >
    >
    >>That's the older security mechanism so don't look at autokey. You need
    >>to set up the keys right in your config file.

    >
    >
    >
    > Ok, so not Autokey
    > BTW With 'setting up right in your config-file' I assume you mean
    > setting it up in the ntp.conf - file on the PC on which NTP-prog is
    > installed ?
    > This would then be something like
    > broadcast key 1 2 15


    No! You can use only ONE key at a time.



  14. Re: (Software) timeserver for windows being broadcast-able incl. keys

    > >> If you add a second key it will
    > >> likely write over the first. Choose just one key to use. Remember it's
    > >> the server authenticating to the client and not the other way around.


    Hello Danny, (Steve,)

    While on the clients three keys are defined, I assumed that the
    server's broadcast
    should incorporate all three

    This is - as you already stated - clearly not so (additionally
    confirmed by Richard in last posting who also mentions the use of only
    one key)

    But... should I then understand the client's key-list as an OR list?
    I.e. OR
    this key, OR that key OR that key THEN server broadcast can be
    'trusted'
    In other words: I can just pick one key out and use it on the server
    to send along in broadcast?

    Something else: I have looked at the Meinberg Timeserver which you
    advised to use on my Windows 2000-system (being the server),
    this because it has a Windows Installer
    I have installed it and tried it out yet I can not see where I can
    define the key to be incorporated in the broadcast

    Can you please give me a hint on how to set up the server (Windows PC)
    The clients are already set up as broadcastclients with three keys
    defined in ntp.keys (1, 2, 15)
    The server should use 'broadcast' and send along (apparently) one key

    Kind regards
    Erik


  15. Re: (Software) timeserver for windows being broadcast-able incl. keys

    On 26 Feb, 13:27, "Richard B. Gilbert" wrote:
    > No! You can use only ONE key at a time.


    Hi Richard

    it already seemed so (came from various corners)
    thank you for the input

    Regards
    Erik


  16. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    >>>> If you add a second key it will
    >>>> likely write over the first. Choose just one key to use. Remember it's
    >>>> the server authenticating to the client and not the other way around.

    >
    > Hello Danny, (Steve,)
    >
    > While on the clients three keys are defined, I assumed that the
    > server's broadcast
    > should incorporate all three
    >
    > This is - as you already stated - clearly not so (additionally
    > confirmed by Richard in last posting who also mentions the use of only
    > one key)
    >
    > But... should I then understand the client's key-list as an OR list?
    > I.e. OR
    > this key, OR that key OR that key THEN server broadcast can be
    > 'trusted'
    > In other words: I can just pick one key out and use it on the server
    > to send along in broadcast?


    You can only specify one key for the broadcast server. That's the key
    you need to use for each of the clients. You don't have any choice here.
    Look at the confopt.html file for details of this. Broadcast servers can
    only send one key (same servers).

    >
    > Something else: I have looked at the Meinberg Timeserver which you
    > advised to use on my Windows 2000-system (being the server),
    > this because it has a Windows Installer
    > I have installed it and tried it out yet I can not see where I can
    > define the key to be incorporated in the broadcast
    >


    All configuration options are defined in ntp.conf. Windows uses the same
    file.

    > Can you please give me a hint on how to set up the server (Windows PC)
    > The clients are already set up as broadcastclients with three keys
    > defined in ntp.keys (1, 2, 15)


    Just set up the one that the broadcast server uses.

    Danny

    > The server should use 'broadcast' and send along (apparently) one key
    >


    Yes.

    > Kind regards
    > Erik


    Danny
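
Added example, not part of the thread and not ntpd's own code: a Python model of NTP symmetric-key authentication as discussed in the posts above, where the server appends one key ID plus a keyed MD5 digest to each broadcast packet and the client looks that ID up in its own key list. It shows that the secret itself never travels in the packet and that any one of the client's trusted key IDs is sufficient. The secrets, header contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed keys file in the "keyid type secret" layout the thread refers to.
# The secrets are placeholders invented for this example.
KEYS_FILE = """\
1  M  example-secret-one
2  M  example-secret-two
15 M  example-secret-fifteen
"""

HEADER_LEN = 48   # fixed NTP header
MAC_LEN = 4 + 16  # 32-bit key ID followed by an MD5 digest


def parse_keys(text):
    """Return {key_id: secret_bytes} for the MD5 ("M") entries."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key_id, key_type, secret = line.split(None, 2)
        if key_type.upper() in ("M", "MD5"):
            keys[int(key_id)] = secret.encode()
    return keys


def broadcast_header():
    """Constructed 48-byte header: LI=0, version 4, mode 5 (broadcast)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 5
    # stratum 2, poll 6 (2**6 = 64 s), precision -20; timestamps left zero
    return struct.pack("!BBbb", li_vn_mode, 2, 6, -20) + bytes(HEADER_LEN - 4)


def sign(header, key_id, secret):
    """Server side: append the key ID and MD5(secret || header)."""
    digest = hashlib.md5(secret + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, keys, trusted):
    """Client side: accept only a valid MAC made with a known, trusted key."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False  # no MAC (unauthenticated) or malformed
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    secret = keys.get(key_id)
    if secret is None or key_id not in trusted:
        return False
    expected = hashlib.md5(secret + header).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


def demo():
    keys = parse_keys(KEYS_FILE)
    # Assumption: stands in for an ntp.conf "trustedkey 1 2" line on the client;
    # key 15 is present in the keys file but deliberately left untrusted here.
    trusted = {1, 2}
    header = broadcast_header()
    good = sign(header, 2, keys[2])
    tampered = bytearray(good)
    tampered[40] ^= 0x01  # alter one timestamp byte after signing
    return {
        "key_1": verify(sign(header, 1, keys[1]), keys, trusted),
        "key_2": verify(good, keys, trusted),
        "key_15_untrusted": verify(sign(header, 15, keys[15]), keys, trusted),
        "unknown_key_7": verify(sign(header, 7, b"guess"), keys, trusted),
        "wrong_secret": verify(sign(header, 1, b"not-the-secret"), keys, trusted),
        "tampered": verify(bytes(tampered), keys, trusted),
        "no_mac": verify(header, keys, trusted),
        "secret_on_wire": keys[2] in good,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```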


  17. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Danny,

    I looked at the documentation and the html-file confopt.html you
    mentioned
    I installed ntp-4.2.0a@mbg-fluxcap-v2-o-win32-setup.exe

    Several things, in the documentation and in previous postings got my
    attention:

    - the command line to be used: broadcast address [key key | autokey]
    [version version] [minpoll minpoll] [ttl ttl]

    - still not quite clear which address I should use here: the subnet
    the machines are connected to?
    They are on two subnets: 255.255.255.128 and 255.255.255.196


    And because of this confusion, also confusion on the following:
    - a broadcast can not go beyond the subnet
    "Ordinarily, this technology does not operate beyond the first hop
    router or gateway"
    a multicast can and - although this also uses the "broadcast" command
    - on the client-side it requires multicastclient (instead of
    broadcastclient which is what I have to use. "Have to" since client-
    config can not be altered)
    Does this mean that I ran into a problem here

    - With the server I can broadcast just one key (with the "broadcast"
    command)
    Do you have any idea why (in the ntp.keys-file on all clients) more
    than one key is specified?

    Hope you can give me a hint so I can go further

    Kind regards
    Erik


  18. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > - the command line to be used: broadcast address [key key | autokey]
    > [version version] [minpoll minpoll] [ttl ttl]


    This means you need:

    broadcast [broadcast-address] key [keynumber]

    Add "version 3" to the end if your clients are exclusively running
    NTP V3 (unlikely).

    >
    > - still not quite clear which address I should use here: the subnet
    > the machines are connected to?
    > They are on two subnets: 255.255.255.128 and 255.255.255.196


    These are netmasks, not subnets, and not broadcast addresses
    for a subnet. The broadcast address is the network address
    masked by the netmask and with all 1's at the end where the
    netmask is all 0's. If your subnet is, for example, the
    addresses 192.168.3.[0-127] with a netmask of 255.255.255.128,
    the broadcast address is 192.168.3.127. Think of the
    broadcast address as the last address in the subnet.

    >
    >
    > And because of this confusion, also confusion on the following:
    > - a broadcast can not go beyond the subnet
    > "Ordinarily, this technology does not operate beyond the first hop
    > router or gateway"
    > a multicast can and - although this also uses the "broadcast" command
    > - on the client-side it requires multicastclient (instead of
    > broadcastclient which is what I have to use. "Have to" since client-
    > config can not be altered)
    > Does this mean that I ran into a problem here


    This is about multicast and the limitations of broadcast. Your clients
    are not using multicast and they are using broadcast, so don't
    worry about it.

    >
    > - With the server I can broadcast just one key (with the "broadcast"
    > command)


    Correct.

    > Do you have any idea why (in the ntp.keys-file on all clients) more
    > than one key is specified?


    You'll have to ask whomever put them there. Presumably because
    at one time different keys were used for different purposes
    somebody thought they would be.

    Why don't you just look at how the previous server was configured
    (the one that was in use by the existing clients) and copy that?

    >
    > Hope you can give me a hint so I can go further
    >
    > Kind regards
    > Erik
    >


  19. Re: (Software) timeserver for windows being broadcast-able incl. keys

    On 13 Mar, 23:39, Tom Smith wrote:


    > This means you need:
    >
    > broadcast [broadcast-address] key [keynumber]
    >
    > Add "version 3" to the end if your clients are exclusively running
    > NTP V3 (unlikely).
    >
    > Think of the broadcast address as the last address in the subnet.


    ok Tom, thanks for the clarifying comments
    I pretty much understand it but not quite, therefore the following:

    The clients that need to be time-corrected reside in the following
    address-ranges:

    145.47.51.[016-167]
    with netmask 255.255.255.128

    145.47.52.[032-175]
    with netmask 255.255.255.128

    145.47.53.[076-091]
    with netmask 255.255.255.194

    - Does the above require me to use more than one broadcast-address?
    - Does the broadcast address always need to be the highest address
    covered by the netmask-address?
    - These broadcast-addresses: are they claimed/occupied by the
    broadcast-command just as if they were the address of a PC in the
    network?
    i.e. they can not be used anymore by other clients in the network?
    - does this result in certain requirements for the PC's network
    address hosting the broadcast service (server). That is: does this PC
    have to have this same address or not?

    I am sorry; pretty much a newbie on this terrain I'm afraid

    > Why don't you just look at how the previous server was configured
    > (the one that was in use by the existing clients) and copy that?


    There was no time server before this one; the clients were just
    prepared for such a service, the service itself was never there.
    Therefore, no possibility to peek...

    Thanks once again
    Erik


  20. Re: (Software) timeserver for windows being broadcast-able incl. keys

    Erik wrote:
    > The clients that need to be time-corrected reside in the following
    > address-ranges:
    >
    > 145.47.51.[016-167]
    > with netmask 255.255.255.128


    The netmask is not consistent with the address range.
    The netmask should be 255.255.255.0 and the broadcast
    address for that network would then be 145.47.51.255

    >
    > 145.47.52.[032-175]
    > with netmask 255.255.255.128


    The netmask is not consistent with the address range.
    The netmask should be 255.255.255.0 and the
    broadcast address 145.47.52.255

    >
    > 145.47.53.[076-091]
    > with netmask 255.255.255.194


    The netmask is wrong. It should be 255.255.255.192.
    The broadcast address would then be 145.47.53.127

    >
    > - Does the above require me to use more than one broadcast-address?


    Yes.

    > - Does the broadcast address always need to be the highest address
    > covered by the netmask-address?


    Yes.

    > - These broadcast-addresses: are they claimed/occupied by the
    > broadcast-command just as if they were the address of a PC in the
    > network?
    > i.e. they can not be used anymore by other clients in the network?


    These are just ordinary IP broadcast addresses that would be
    used by any IP broadcast application. It is the way you specify
    that an IP packet should be sent to every address in the network.
    There is nothing reserved or otherwise special about them.

    > - does this result in certain requirements for the PC's network
    > address hosting the broadcast service (server). That is: does this PC
    > have to have this same address or not?


    Yes, it has to have interfaces in each of these networks. Otherwise,
    you have to configure your network (switches, routers) to pass
    broadcast packets addressed to a wider network from a smaller one.
    In that case, in addition to reconfiguring your network, you
    would use a minimal-scope broadcast address of 145.47.63.255
    and you would have to have an interface on the server in the
    range 145.47.[48-63].*.

    >
    > I am sorry; pretty much a newbie on this terrain I'm afraid
    >
    >> Why don't you just look at how the previous server was configured
    >> (the one that was in use by the existing clients) and copy that?

    >
    > There was no time server before this one; the clients were just
    > prepared for such a service, the service itself was never there.
    > Therefore, no possibility to peek...


    OK. Then if there is no legacy system to support, why don't
    you just reconfigure the clients into something rational?
    For example, get rid of the keys and the broadcast, and just
    point each client to the server with a simple "server [address]"
    declaration.

    >
    > Thanks once again
    > Erik
    >
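
Added example, not part of the thread: Python that applies the rule from posts 18 and 20 (the broadcast address is the network address with all host bits set) to the address ranges Erik posted. It rejects a non-contiguous netmask and a range that does not fit inside the stated subnet, then builds one `broadcast` line per subnet for the server's ntp.conf. Key ID 1 is an arbitrary pick from the client key list, and the function names are constructed.

```python
import ipaddress


def valid_netmask(mask):
    """A netmask must be a run of 1 bits followed only by 0 bits."""
    m = int(ipaddress.IPv4Address(mask))
    host_bits = ~m & 0xFFFFFFFF
    # host_bits must look like 0b000...0111...1, i.e. one less than a power of two
    return host_bits & (host_bits + 1) == 0


def check_range(first, last, mask):
    """Return (status, broadcast_address) for a client range and its netmask."""
    if not valid_netmask(mask):
        return ("invalid-netmask", None)
    net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
    if ipaddress.IPv4Address(last) not in net:
        return ("range-spans-subnets", None)
    return ("ok", str(net.broadcast_address))


def broadcast_lines(ranges, key_id):
    """Build one ntp.conf 'broadcast <address> key <n>' line per subnet."""
    lines = []
    for first, last, mask in ranges:
        status, bcast = check_range(first, last, mask)
        if status != "ok":
            raise ValueError(f"{first}-{last} with mask {mask}: {status}")
        lines.append(f"broadcast {bcast} key {key_id}")
    return lines


# Ranges and netmasks exactly as posted in post 19.
AS_POSTED = [
    ("145.47.51.16", "145.47.51.167", "255.255.255.128"),
    ("145.47.52.32", "145.47.52.175", "255.255.255.128"),
    ("145.47.53.76", "145.47.53.91", "255.255.255.194"),
]

# Same ranges with the netmasks suggested in post 20.
AS_CORRECTED = [
    ("145.47.51.16", "145.47.51.167", "255.255.255.0"),
    ("145.47.52.32", "145.47.52.175", "255.255.255.0"),
    ("145.47.53.76", "145.47.53.91", "255.255.255.192"),
]


def report():
    """Status of every posted range, then the config lines for the corrected set."""
    posted = [check_range(*r)[0] for r in AS_POSTED]
    return posted, broadcast_lines(AS_CORRECTED, key_id=1)


if __name__ == "__main__":
    posted, lines = report()
    for (first, last, mask), status in zip(AS_POSTED, posted):
        print(f"{first}-{last} mask {mask}: {status}")
    print("\n".join(lines))
```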

