Configuring the Network Time Protocol (NTP)

NTP address and mask facility

The address and mask configuration facility adds various restrictions or erects barriers between your host and other time servers. A typical statement in the configuration file looks as follows:

restrict IP_address mask IP_address_mask flag1 flag2 . . .

Each statement adds an entry to an internal list maintained by ntpd. Each entry in this list contains the list entry address (the IP address following restrict), the address mask, and the flags. Below is a list of all of the flags and their meanings:

ignore: Indicates that all packets from hosts matching this entry will be ignored.
noquery: Indicates that your host will not respond to mode 6 and 7 packets sent from hosts with a matching address.
nomodify: Indicates that your host will not allow itself to be reconfigured by hosts with a matching address.
notrap: Indicates that your host will not allow hosts with a matching address to register as a trap receiver.
lowpriotrap: Indicates that your host will give hosts with a matching address a low priority for the use of traps.
noserve: Indicates that your host will not give the time to hosts with a matching address.
nopeer: Indicates that your host will not attempt to get time from any host with a matching address.
notrust: Indicates that hosts matching this entry, while treated normally in other respects, should not be trusted for synchronization.

When ntpd receives a packet, it compares the address of the host that sent the packet (the source address) with each entry in the internal list. Whenever the following relation (expressed in C language syntax) is true, a match occurs.

   (source_address & address_mask) == (list_entry_address & address_mask)

In words, the source address and the address mask are logically ANDed together bitwise, the list entry address and the address mask are logically ANDed together bitwise, and the two results compared for equality. If the results are equal, a match has occurred. To establish default restrictions that apply to all hosts for which no match is found, include a statement like the following in the configuration file:

   restrict default flag1 flag2 . . .

If a particular source address matches more than one list entry, the entry with the most one bits in the address mask is taken to be the matched entry. If a match is found, flags associated with this entry are returned.

Suppose that you are running ntpd on a host with IP address 10.0.246.16. You would like to ensure that runtime reconfiguration requests can be made only from the local host. Further, you would like the host to synchronize with only one of a pair of offsite servers or, failing that, a time source on the class B network whose address is 10.0. The following entries in the configuration file would implement this policy:

# By default, do not trust and do not allow modifications restrict default notrust nomodify

# These hosts are trusted for time, but no modifications allowed restrict 10.0.0.0 mask 255.255.0.0 nomodify restrict 128.115.14.97 nomodify restrict 16.1.0.22 nomodify

# These local addresses are unrestricted restrict 10.0.246.16 restrict 127.0.0.1

The first entry is the default entry, which all hosts match and hence which provides the default set of flags. The next three entries indicate that matching hosts have only the nomodify flag set and hence are trusted for time. If the mask is not specified in the restrict statement, it defaults to 255.255.255.255. Note that the address 10.0.246.16 matches three entries in the table, the default entry (mask 0.0.0.0), the entry for net 10.0 (mask 255.255.0.0), and the entry for the host itself (mask 255.255.255.255). As expected, the flags for the host are derived from the last entry, as that mask has the most bits set.

Each restrict statement applies to packets from all hosts, including those that are configured elsewhere in the configuration file. Hence, if you specify a default set of restrictions that you do not wish to apply to the hosts you are synchronizing with, you must override the default restrictions for those hosts with additional restrict statements.