Mental model
Time is the silent dependency of every modern security protocol:
- TLS certificates are valid only between two timestamps. A wrong clock = “certificate not yet valid” or “expired” errors.
- Kerberos tickets are valid for ~5 minutes. Domain login dies if the clock skews more than that.
- Log correlation during incident response is impossible if device clocks disagree.
- 2FA / TOTP codes are time-based — wrong clock, wrong code.
- Forensic timelines in a breach investigation collapse if you can’t trust the timestamps.
If you can spoof NTP, you can attack all of these indirectly. That’s why NTP must be authenticated and access-controlled in any serious network.
If you haven’t already, read NTP basics first — this topic assumes you know stratum, client/server/peer mode, and the ntp server command.
Three layers of NTP security
| Layer | What it does |
|---|---|
| 1. Authentication keys | Only servers with the right key can sync me |
| 2. ACL (ntp access-group) | Only specific IPs can query/sync from me |
| 3. Service hardening | Disable unused NTP modes (peer, broadcast, control queries) |
You typically layer all three.
Authentication keys — the configuration
Four commands work together:
```
! 1. Define the key (number 1, hash MD5, value "TheSharedSecret")
R1(config)# ntp authentication-key 1 md5 TheSharedSecret
! On modern IOS-XE, SHA-based HMAC algorithms can replace md5 here
! 2. Mark the key as trusted (Cisco's "trust list")
R1(config)# ntp trusted-key 1
! 3. Globally enable NTP authentication
R1(config)# ntp authenticate
! 4. Point at a server using that key
R1(config)# ntp server 10.0.0.1 key 1
```
All four lines are required. Authentication happens per packet: the sender computes a keyed digest (MAC) over the NTP message with the shared key and appends the key ID and digest; the receiver recomputes the digest with its own copy of the key and compares (and vice versa in the other direction).
If the keys don't match, the packet is silently discarded. The clock won't sync, and `show ntp associations detail` shows the server as `unauthenticated`.
The trusted-key concept — why it’s separate
You can define many keys but only some are “trusted” to sync from. Useful when you migrate keys:
```
R1(config)# ntp authentication-key 1 md5 OldKey
R1(config)# ntp authentication-key 2 md5 NewKey
R1(config)# ntp trusted-key 2          ! Only key 2 is currently trusted
```
The server uses key 1 for older clients (still works) but only newer clients with key 2 can actually drive R1’s clock.
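To make the per-packet check and the defined-versus-trusted split concrete, here is an added Python model (not page or Cisco code) of the RFC 5905 Appendix A symmetric-key MAC, `key_id || MD5(key || header)`, which is the keyed-MD5 scheme the `md5` key type interoperates with. The key store, key values and the outcome labels are hypothetical; the 48-byte header is constructed inline.

```python
import hashlib
import hmac
import struct

# Hypothetical key store mirroring the IOS split between defined and trusted keys.
KEYS = {1: b"OldKey", 2: b"NewKey"}     # ntp authentication-key N md5 <value>
TRUSTED = {2}                           # ntp trusted-key 2

HEADER_LEN = 48                         # NTPv4 header without MAC
MAC_LEN = 4 + 16                        # 32-bit key id + 128-bit MD5 digest


def build_header(stratum: int = 2, mode: int = 4) -> bytes:
    """Constructed NTPv4 server reply (LI=0, VN=4) with zeroed timestamps."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    fixed = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)   # poll 6, precision -20
    root = struct.pack("!II", 0, 0)                            # root delay / dispersion
    return fixed + root + b"GPS\x00" + b"\x00" * 32             # ref id + 4 timestamps


def mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """RFC 5905 Appendix A keyed-MD5 MAC: key id followed by MD5(key || header)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """What a server with 'ntp authentication-key key_id md5 key' appends."""
    return header + mac(key_id, key, header)


def authenticate(packet: bytes) -> str:
    """Classify a received packet as a client with 'ntp authenticate' would."""
    if len(packet) < HEADER_LEN + MAC_LEN:
        return "unauthenticated"         # no MAC present: dropped once auth is on
    header = packet[:HEADER_LEN]
    trailer = packet[HEADER_LEN:HEADER_LEN + MAC_LEN]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = KEYS.get(key_id)
    if key is None or not hmac.compare_digest(mac(key_id, key, header), trailer):
        return "bad-digest"              # unknown key number or wrong (case-sensitive) value
    if key_id not in TRUSTED:
        return "untrusted-key"           # defined, but not on the trust list
    return "authenticated"
```

A packet signed with key 1 is cryptographically fine but still cannot drive the clock, which is exactly the migration behaviour described above.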
NTP access-groups — IP-level filtering
You may want NTP to query an internet server but never be queried by strangers. Four access categories:
| Access type | Allows |
|---|---|
| peer | Full peer relationship (this is the strongest grant) |
| serve | Can serve time and respond to control queries |
| serve-only | Time queries only, no control queries |
| query-only | Control queries only, no time sync |
Recommended pattern for an enterprise NTP server:
```
! ACL 10: trusted internal devices that can sync from us
R1(config)# access-list 10 permit 10.0.0.0 0.255.255.255
! ACL 20: matches nobody, so anything mapped to it is denied
R1(config)# access-list 20 deny any
! Internal devices can sync our time (time queries only, no control queries)
R1(config)# ntp access-group serve-only 10
! Nobody can do mode 6 control queries. Once any access-group is configured,
! sources that match no access-group are denied anyway; this makes the intent explicit.
R1(config)# ntp access-group query-only 20
```
The most common attack — NTP amplification DDoS — uses the monlist control query (mode 6/7) to amplify a small spoofed request into a huge response. query-only blocks that.
Service hardening — disable what you don’t use
```
! Disable broadcast NTP (we only use server/client)
R1(config)# no ntp broadcast client
! Disable peer mode if you only use server-client
! (peer is rarely needed unless you run mutual sync between cores)
! Optionally disable NTP entirely on interfaces facing untrusted networks
R1(config)# interface Gi0/1
R1(config-if)# ntp disable
```
Topology — a real-world design
```
          Internet NTP servers
                   │
                   │ key 7
  ┌────────────────┴────────────────┐
  │       Border NTP gateway        │  Stratum 2 / 3
  │    (peers with two external)    │
  └────────────────┬────────────────┘
                   │ key 1, ACL 10
  ┌────────────────┴────────────────┐
  │       Internal NTP core         │  Stratum 3
  │    (serves the whole org)       │
  └───────┬─────────────────┬───────┘
          │ key 1           │ key 1
          │                 │
   Branch routers      All switches
   (clients only)      (clients only)
```
- Border NTP gateway holds an outside relationship; nothing else internally is allowed out to internet NTP.
- All internal devices point at the internal core, key 1.
- ACLs limit access to internal subnets.
- A different key (key 7) protects the external relationship.
Verification
```
R1# show ntp status
Clock is synchronized, stratum 4, reference is 10.0.0.1
nominal freq is 1000.0003 Hz, actual freq is 1000.0003 Hz, precision is 2**18

R1# show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.0.0.1        .GPS.            1     23     64   377  1.234   0.022  0.450
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

R1# show ntp associations detail
... authenticated, sane, valid, master...

R1# show ntp packets
```
In `show ntp associations`:
- `~` next to the address = configured (not auto-discovered).
- `*` = currently selected as time source.
- If you've enabled auth, the detail view shows `authenticated`.
If auth is failing, detail shows `unauthenticated` and the server doesn't get a `*`.
Quick troubleshooting flowchart
Symptom: clocks won't sync.
- Reachability? `ping <ntp-server>` from the device. ACL or firewall blocking UDP 123?
- Key value matches? `show running-config | section ntp` on both ends. Compare `authentication-key` lines exactly (case-sensitive on the value).
- Trusted? `ntp trusted-key N` set on both ends?
- Globally enabled? `ntp authenticate` in the config?
- Pointed to the right key? `ntp server <ip> key N` — N matches the trusted key?
- Stratum sane? Server itself synced? Stratum >= 1 and <= 15? A stratum-16 server is "unsynchronized" — won't drive others.
Common mistakes
- `ntp authentication-key` configured but `ntp authenticate` missing. The keys exist, the server references them, but the global toggle is off — auth is disabled. Common gotcha because `ntp authenticate` looks like it might be implicit.
- `trusted-key` missing. Auth is enabled, keys defined, but the key isn't trusted. Sync silently fails.
- Different hash algorithms. Old IOS only supports MD5. Newer IOS-XE supports SHA-1/SHA-256/HMAC. Both ends must use the same one.
- Case-sensitive key value mismatch. `MyKey` vs `mykey` won't match.
- Wrong key number. Server defines key 5, client points to `ntp server 10.0.0.1 key 1`. Silent failure.
- Open NTP on a public-facing device. Without an ACL, your border router can be an amplifier for an NTP DDoS attack. Always restrict.
- Trusting unauthenticated public NTP for sensitive infrastructure. `pool.ntp.org` is unauthenticated. Fine for a home lab; not OK for the Kerberos KDC of your domain. Run your own internal stratum-2 server.
- Forgetting that NTP is UDP 123. Both directions. Firewall rules must allow stateful UDP/123.
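Most of the mistakes above, and the key-related steps of the troubleshooting flowchart, can be caught by reading the config rather than waiting for sync to fail. The following added Python lint (not page or Cisco code) walks `show running-config | section ntp` output and reports them; the sample config is constructed, and the `vrf` and key-range command forms are deliberately not handled.

```python
import re

# Constructed sample: keys defined, trust list incomplete, global toggle missing.
SAMPLE_CONFIG = """\
ntp authentication-key 1 md5 TheSharedSecret
ntp authentication-key 5 md5 OtherSecret
ntp trusted-key 1
ntp server 10.0.0.1 key 1
ntp server 10.0.0.2 key 5
ntp server 10.0.0.3
"""


def audit_ntp(config: str) -> list:
    """Return one finding per NTP-auth gap; an empty list means all checks passed."""
    defined, trusted, servers, access_groups = set(), set(), [], []
    authenticate = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ntp authentication-key (\d+) ", line):
            defined.add(int(m[1]))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):   # single-key form only
            trusted.add(int(m[1]))
        elif line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp server (\S+)", line):        # 'ntp server vrf ...' not handled
            key = re.search(r"\bkey (\d+)", line)
            servers.append((m[1], int(key[1]) if key else None))
        elif line.startswith("ntp access-group "):
            access_groups.append(line)
    findings = []
    if defined and not authenticate:
        findings.append("keys defined but 'ntp authenticate' missing: auth is off")
    for ip, key in servers:
        if key is None:
            findings.append(f"server {ip} configured without a key: unauthenticated source")
        elif key not in defined:
            findings.append(f"server {ip} references key {key}, which is not defined")
        elif key not in trusted:
            findings.append(f"server {ip} references key {key}, which is not trusted")
    if not access_groups:
        findings.append("no 'ntp access-group': device answers NTP from any source")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports the missing global toggle, the untrusted key 5, the unauthenticated third server and the absent access-group; a clean config returns an empty list.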
Lab to try tonight
- Two routers. R1 = NTP server (Stratum 2, pretend), R2 = client.
- On R1: `ntp master 2` to make R1 a stratum-2 master.
- On R2: `ntp server <R1-IP>`. Check `show ntp associations` — sync should occur in ~1 minute. Note `unauthenticated`.
- Add auth on both sides per the config block above. Use key 1, value `TheSharedSecret`.
- Verify: `show ntp associations detail` on R2 now shows `authenticated`.
- Change R2's key value to `WrongValue`. Watch sync break — the server falls off the candidate list.
- Restore. Add `ntp access-group serve-only 10` on R1 with an ACL that excludes R2. Verify R2 is now blocked.
- Bonus: capture NTP traffic on R1 with `monitor capture` or in CML with PCAP — observe the auth digest field.
Cheat strip
| Concept | Plain English |
|---|---|
| `ntp authentication-key N md5 VALUE` | Define key N with hash and value |
| `ntp trusted-key N` | Mark key N as trusted for sync |
| `ntp authenticate` | Globally enable auth (REQUIRED) |
| `ntp server <ip> key N` | Sync from this server using key N |
| `ntp access-group serve-only <acl>` | Restrict who can query us |
| monlist query | The classic NTP DDoS amplification — block via query-only ACL |
| UDP 123 | NTP port. Both directions |
| Stratum | 0 = atomic source, 1 = primary server, …, 16 = unsynced |
| `show ntp associations` | Star (*) = current source; tilde (~) = configured |
| Why it matters | TLS certs, Kerberos, logs, 2FA, forensics — all depend on accurate, trusted time |