Commit 5d077927 authored by James Browning, committed by Eric S. Raymond

strip header trailers 7

parent c1c494b4
= Access Control Support =
= Access Control Support
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,14 +10,14 @@ The skunk watches for intruders and sprays.
|==============================
== Related Links ==
== Related Links
include::includes/hand.adoc[]
include::includes/accopt.adoc[]
'''''
== Access Control Support ==
== Access Control Support
The +ntpd+ daemon implements a general purpose access control list (ACL)
containing address/match entries sorted first by increasing address
......
= Access Control Commands and Options =
= Access Control Commands and Options
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,13 +10,13 @@ The skunk watches for intruders and sprays.
|==============================
== Related Links ==
== Related Links
include::includes/accopt.adoc[]
'''''
== Commands and Options ==
== Commands and Options
Unless noted otherwise, further information about these commands is on
the link:access.html[Access Control Support] page.
......
= Association Management =
= Association Management
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -11,11 +11,11 @@ Make sure who your friends are.
|==============================
== Related Links ==
== Related Links
include::includes/hand.adoc[]
== Table of Contents ==
== Table of Contents
* link:#modes[Association Modes]
* link:#client[Client/Server Mode]
......@@ -28,7 +28,7 @@ include::includes/hand.adoc[]
'''''
[[modes]]
== Association Modes ==
== Association Modes
This page describes the various modes of operation provided in NTPv4.
There are three types of associations in NTP: _persistent_,
......@@ -53,7 +53,7 @@ link:confopt.html[Server Commands and Options] page. See that page for
applicability and defaults.
[[client]]
== Client/Server Mode ==
== Client/Server Mode
Client/server mode is the most common configuration in the Internet
today. It operates in the classic remote-procedure-call (RPC) paradigm
......@@ -78,7 +78,7 @@ options can be used to bracket the range. Unless noted otherwise, these
options should not be used with reference clock drivers.
[[symact]]
== Symmetric Active/Passive Mode ==
== Symmetric Active/Passive Mode
Symmetric active/passive mode is intended for configurations where a
clique of low-stratum peers operate as mutual backups for each other.
......@@ -111,7 +111,7 @@ like client-mode messages, aside from putting a different mode number
into the response.
[[broad]]
== Broadcast/Multicast Modes ==
== Broadcast/Multicast Modes
These modes cannot be effectively secured and are deprecated in
NTPsec. Client-mode support has been removed; server-side support
......@@ -128,7 +128,7 @@ A server is configured to send broadcast messages using the
+broadcast+ command and specifying the subnet address for broadcast.
[[many]]
== Manycast and Pool Modes ==
== Manycast and Pool Modes
Manycast and pool modes are automatic discovery and configuration
paradigms. They are intended as a means for a client to troll the
......@@ -142,7 +142,7 @@ servers should one or another fail. Additional information is on the
link:discover.html[Automatic Server Discovery Schemes] page.
[[poll]]
== Poll Interval Management ==
== Poll Interval Management
NTP uses an intricate heuristic algorithm to automatically control the
poll interval for maximum accuracy consistent with minimum network
......@@ -195,7 +195,7 @@ recommended minimum and maximum intervals are 12 (1.1 hr) and 17 (36
hr), respectively.
[[burst]]
== Burst Options ==
== Burst Options
Occasionally it is necessary to send packets temporarily at intervals
less than the poll interval. For instance, with the +burst+ and +iburst+
......
= Authentication Support =
= Authentication Support
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,12 +10,12 @@ Our resident cryptographer; now you see him, now you don't.
|==============================
== Related Links ==
== Related Links
include::includes/hand.adoc[]
include::includes/authopt.adoc[]
== Table of Contents ==
== Table of Contents
* link:#auth[Introduction]
* link:#mac[MAC authentication]
......@@ -25,7 +25,7 @@ include::includes/authopt.adoc[]
'''''
== Introduction ==
== Introduction
Authentication support allows the NTP client to verify that the server
is in fact known and trusted and not an intruder accidentally
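Review bot: the "Introduction" heading changed here has no anchor line above it, but the Table of Contents in the previous hunk links to it as link:#auth[Introduction]. Every other section on this page carries an explicit anchor ([[mac]], [[operation]], [[keys]] and so on), and the context before this heading shows only the ''''' rule. Since the line is being touched anyway, add [[auth]] directly above "== Introduction" so the contents link resolves.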
......@@ -46,7 +46,7 @@ vulnerability analysis is in the white paper
{millshome}security.html[NTP Security Analysis].
[[mac]]
=== MAC authentication ===
=== MAC authentication
MAC authentication uses symmetric-key cryptography via message
digests. It computes a one-way hash, which verifies that the server
......@@ -89,7 +89,7 @@ that can be used if a key becomes compromised. The +controlkey+ command
selects the key used as the password for the {ntpqman} utility.
[[operation]]
=== MAC Operation ===
=== MAC Operation
A server receiving an unauthenticated packet will respond with an
unauthenticated packet, while the same server receiving a packet of a
......@@ -119,14 +119,14 @@ to other servers; he can run multiple configured associations with multiple
different servers (or the same server, although that might not be useful).
[[keys]]
=== MAC Key Management ===
=== MAC Key Management
Shared keys used for authentication are incorporated
into the keys files generated by the {ntpkeygenman} utility
program.
[[algorithms]]
=== MAC Algorithms ===
=== MAC Algorithms
The NTP standards include symmetric (private-key) authentication using
any message digest algorithm supported by the OpenSSL package.
......@@ -149,7 +149,7 @@ link:authopt.html[Access Control Options] page, can be used to disable
access to all but correctly authenticated clients.
[[formats]]
=== MAC Data Formats ===
=== MAC Data Formats
The NTPv4 specification (RFC 5905) allows any one of possibly 65,535
message digest keys (excluding zero), each distinguished by a 32-bit key
......@@ -200,7 +200,7 @@ The +controlkey+ command selects the key ID used as the password
for the +ntpq+ utility.
[[nts]]
== Network Time Security ==
== Network Time Security
NTS (Network Time security) uses the TLS public-key encryption
infrastructure to secure and authenticate associations.
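Review bot: the first sentence under this heading spells the expansion "Network Time security" with a lower-case "s", while the heading two lines up reads "Network Time Security". Suggest making the body text match the heading in the same pass.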
......@@ -216,7 +216,7 @@ There is some documentation of client-side configuration on the
link:confopt.html#options[Server Commands and Options] page.
[[windows]]
== Microsoft Windows Authentication ==
== Microsoft Windows Authentication
In addition to the above means, +ntpd+ supports Microsoft Windows
MS-SNTP authentication using Active Directory services. This support was
......@@ -230,7 +230,7 @@ users. Therefore, this flag should be used only for a dedicated server
with no clients other than MS-SNTP.*
[[autokey]]
== Autokey ==
== Autokey
Old versions of NTP supported Autokey, which used an early form of
public-key cryptography for authentication. It was described in RFC 5906.
......
= Authentication Commands and Options =
= Authentication Commands and Options
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,13 +10,13 @@ Our resident cryptographer; now you see him, now you don't.
|===============================
== Related Links ==
== Related Links
include::includes/authopt.adoc[]
'''''
== Commands and Options ==
== Commands and Options
Unless noted otherwise, further information about these commands is on
the link:authentic.html[Authentication Support] page.
......
= NTP Bug Reporting Procedures =
= NTP Bug Reporting Procedures
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -12,13 +12,13 @@ The rabbit toots to make sure you read this.
'''''
== Security Bug Reporting Procedures ==
== Security Bug Reporting Procedures
If you find or suspect a security related program bug in this
distribution, please send a report to {project-security-list}. Please do not
contact developers directly.
== Non-Security Bug Reporting Procedures ==
== Non-Security Bug Reporting Procedures
If you find or suspect a non-security related program or documentation
bug in this distribution, please enter a report on the project's
......
= Building and Installing the Distribution =
= Building and Installing the Distribution
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,11 +10,11 @@ For putting out compiler fires.
|==============================
== Related Links ==
== Related Links
include::includes/install.adoc[]
== Table of Contents ==
== Table of Contents
* link:#waf[Autoconf has been replaced with waf]
* link:#build[Building and Installing the Distribution]
......@@ -26,7 +26,7 @@ include::includes/install.adoc[]
'''''
[[waf]]
=== Autoconf has been replaced with waf ===
=== Autoconf has been replaced with waf
The autoconf build system used in NTP Classic has been replaced with
waf, a more modern and much faster build engine. It is not necessary
......@@ -34,7 +34,7 @@ to install any separate waf package; the build engine is a Python
script included in your NTPsec distribution.
[[build]]
== Building and Installing the Distribution ==
== Building and Installing the Distribution
It is not possible in a software distribution such as this to support
every individual computer and operating system with a common
......@@ -51,7 +51,7 @@ most detailed information on build-time dependencies and configuration
options.
[[unix]]
== Building and Installing for Unix ==
== Building and Installing for Unix
This distribution uses common compilers and tools that come with most
Unix distributions. Not all of these tools exist in the standard
......@@ -69,7 +69,7 @@ compile and link the distribution and the +./waf install+ command to install
the executables by default in +/usr/local/bin+.
[[conf]]
== Configuration ==
== Configuration
You are now ready to configure the daemon. You will need to create an NTP
configuration file by default in +/etc/{ntpconf}+. Newbies should see the
......@@ -79,7 +79,7 @@ daemon] page and move on to the specific configuration option pages from
there.
[[prob]]
== If You Have Problems ==
== If You Have Problems
If you have problems with your hardware and software environment,
a tutorial on debugging technique is in
......@@ -97,7 +97,7 @@ Users are invited to report bugs and offer suggestions via the
link:bugs.html[NTP Bug Reporting Procedures] page.
[[additional]]
== Additional +waf+ commands ==
== Additional +waf+ commands
+./waf clean+::
Cleans out object files, programs and temporary files.
......
= Clock State Machine =
= Clock State Machine
include::html.include[]
== Table of Contents ==
== Table of Contents
* link:#intro[General Overview]
* link:#panic[Panic Threshold]
......@@ -13,7 +13,7 @@ include::html.include[]
'''''
[[intro]]
== General Overview ==
== General Overview
In the NTPv4 specification and reference implementation a state machine
is used to manage the system clock under exceptional conditions, as when
......@@ -28,7 +28,7 @@ determined using three thresholds: _panic_, _step_ and _stepout_, and
one timer: _hold_.
[[panic]]
== Panic Threshold ==
== Panic Threshold
Most computers today incorporate a real-time-clock (RTC) chip (sometimes
referred to as a "time-of-year" (TOY) chip in the past) to maintain
......@@ -44,7 +44,7 @@ but it can be changed with the +panic+ option of the
link:miscopt.html#tinker[+tinker+] command.
[[step]]
== Step and Stepout Thresholds ==
== Step and Stepout Thresholds
Under ordinary conditions, the clock discipline gradually slews the
clock to the correct time, so that the time is effectively continuous
......@@ -83,7 +83,7 @@ for distributed applications that require correctly synchronized network
time.
[[hold]]
== Hold Timer ==
== Hold Timer
When the daemon is started after a considerable downtime, it could be
that the RTC chip clock has drifted significantly from NTP time. This can
......@@ -104,7 +104,7 @@ file or by the training interval described later, the clock is set to
within 0.5 ms in less than 300 s.
[[inter]]
== Operating Intervals ==
== Operating Intervals
The state machine operates in one of four nonoverlapping intervals.
......@@ -139,7 +139,7 @@ Sync Interval::
intervals are used.
[[state]]
== State Transition Function ==
== State Transition Function
The state machine consists of five states. An event is created when an
update is received by the discipline algorithm. Depending on the state
......
= Reference Clock Commands and Options =
= Reference Clock Commands and Options
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -8,7 +8,7 @@ Master Time Facility at the {millshome}lab.html[UDel Internet Research Laborator
|==============================
== Related Links ==
== Related Links
include::includes/refclock.adoc[]
include::includes/clockopt.adoc[]
......@@ -16,13 +16,13 @@ include::includes/clockopt.adoc[]
'''''
[[types]]
== Reference Clock Types ==
== Reference Clock Types
Unless noted otherwise, further information about these types is on
the link:refclock.html[Reference Clock Support] page.
[[options]]
== Commands and Options ==
== Commands and Options
include::includes/clock-options.adoc[]
......
= Clock Cluster Algorithm =
= Clock Cluster Algorithm
include::html.include[]
The clock cluster algorithm processes the truechimers produced by the
......
= Command Index =
= Command Index
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,7 +10,7 @@ The Mad Hatter says "Bring it on".
|==============================
== Related Links ==
== Related Links
include::includes/accopt.adoc[]
include::includes/authopt.adoc[]
......
= Server Commands and Options =
= Server Commands and Options
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,11 +10,11 @@ The chicken is getting configuration advice.
|==============================
== Related Links ==
== Related Links
include::includes/confopt.adoc[]
== Table of Contents ==
== Table of Contents
* link:#address[Server and Peer Addresses]
* link:#association[Association Commands]
......@@ -23,7 +23,7 @@ include::includes/confopt.adoc[]
'''''
[[address]]
== Server and Peer Addresses ==
== Server and Peer Addresses
Following is a description of the server configuration commands in
NTPv4. There are two classes of commands, configuration commands that
......@@ -48,7 +48,7 @@ the host name forces DNS resolution to the IPv4 namespace, while a
+-6+ qualifier forces DNS resolution to the IPv6 namespace.
[[association]]
== Association Commands ==
== Association Commands
Unless noted otherwise, further information about these commands is at
link:discover.html#pool[Automatic Server Discovery].
......@@ -61,12 +61,12 @@ otherwise.
include::includes/assoc-commands.adoc[]
[[options]]
== Server Command Options ==
== Server Command Options
include::includes/assoc-options.adoc[]
[[aux]]
== Auxiliary Commands ==
== Auxiliary Commands
Information on authentication for broadcast options can be found at
link:authopt.html[Authentication Options].
......
= Copyright Notice =
= Copyright Notice
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......
= NTP Debugging Techniques =
= NTP Debugging Techniques
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,13 +10,13 @@ We make house calls and bring our own bugs.
|==============================
== More Help ==
== More Help
include::includes/install.adoc[]
'''''
== Initial Startup ==
== Initial Startup
This page discusses +ntpd+ program monitoring and debugging techniques
using the link:ntpq.html[+ntpq+ - standard NTP query program], either
......@@ -59,7 +59,7 @@ utility can be used to verify a partial or complete path exists. Most
problems reported to the NTP newsgroup are not NTP problems, but
problems with the network or firewall configuration.
== Verifying Correct Operation ==
== Verifying Correct Operation
Unless using the +iburst+ option, the client normally takes a few
minutes to synchronize to a server. If the client time at startup
......@@ -136,7 +136,7 @@ Sometimes the time distribution of errors can be revealing. It's a
good idea to look occasionally at the plots produced by
link:ntpviz.html[ntpviz].
== Large Frequency Errors ==
== Large Frequency Errors
The frequency tolerance of computer clock oscillators varies widely,
sometimes above 500 ppm. While the daemon can handle frequency errors up
......@@ -154,7 +154,7 @@ kernel clock frequency below that value. For systems that do not support
this program, this might be one using a command in the system startup
file.
== Access Controls ==
== Access Controls
Provisions are included in +ntpd+ for access controls which deflect
unwanted traffic from selected hosts or networks. The controls described
......@@ -175,7 +175,7 @@ association has synchronized, the association is not disabled, but a
message is sent to the system log. See the link:accopt.html[Access
Control Options] page for further information.
== Large Delay Variations ==
== Large Delay Variations
In some reported scenarios an access line may show low to moderate
network delays during some period of the day and moderate to high delays
......@@ -198,7 +198,7 @@ Solaris, Tru64, Linux and FreeBSD, the kernel continuously disciplines
the frequency so that the residual correction produced by +ntpd+ is
usually less than a few milliseconds.
== Cryptographic Authentication ==
== Cryptographic Authentication
Reliable source authentication requires the use of symmetric key
link:authopt.html[Authentication Options] page. In symmetric key
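Review bot: the first sentence under "Cryptographic Authentication" is incomplete. It reads "requires the use of symmetric key link:authopt.html[Authentication Options] page", with no noun after "symmetric key" and nothing joining it to the link. It looks like part of the sentence was cut in an earlier edit. Something along the lines of "symmetric key cryptography, as described on the ... page" would restore it; worth fixing here or in a follow-up, since this is the paragraph readers use to check that authentication is working.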
......@@ -216,7 +216,7 @@ displayed which shows the authentication status in the +auth+ field. A
status of 1 indicates the packet was successful authenticated; otherwise
it has failed.
== Debugging Checklist ==
== Debugging Checklist
If the +ntpq+ or program does not show that messages are being
received by the daemon or that received messages do not result in
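Review bot: the first sentence under "Debugging Checklist" reads "If the +ntpq+ or program does not show", which has a stray "or" where a second program name appears to have been removed. Suggest "If the +ntpq+ program does not show". The context line just above the heading also has "was successful authenticated", which should be "successfully".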
......
= Event Messages and Status Words =
= Event Messages and Status Words
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -12,11 +12,11 @@ Caterpillar knows all the error codes, which is more than most of us do.
== Related Links ==
== Related Links
include::includes/install.adoc[]
== Table of Contents ==
== Table of Contents
* link:#intro[Introduction]
* link:#sys[System Status Word]
......@@ -31,7 +31,7 @@ include::includes/install.adoc[]
'''''
[[intro]]
== Introduction ==
== Introduction
This page lists the status words, event messages and error codes used
for +ntpd+ reporting and monitoring. Status words are used to display
......@@ -57,7 +57,7 @@ status or event. Some messages include additional information useful for
error diagnosis and performance assessment.
[[sys]]
== System Status Word ==
== System Status Word
The system status word consists of four fields LI (0-1), Source (2-7),
Count (8-11) and Event (12-15). It is reported in the first line of the
......@@ -125,7 +125,7 @@ The Event Field displays the most recent event message coded as follows:
|============================================================================
[[peer]]
== Peer Status Word ==
== Peer Status Word
The peer status word consists of four fields: Status (0-4), Select
(5-7), Count (8-11) and Code (12-15). It is reported in the first line
......@@ -194,7 +194,7 @@ The Event Field displays the most recent event message coded as follows:
|============================================================================
[[clock]]
== Clock Status Word ==
== Clock Status Word
The clock status word consists of four fields: Unused (0-7), Count
(8-11) and Code (12-15). It is reported in the first line of the
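Review bot: the sentence under "Clock Status Word" says the word "consists of four fields" but lists three: Unused (0-7), Count (8-11) and Code (12-15). The count looks copied from the System and Peer Status Word sections, which do list four. Suggest "three fields" here.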
......@@ -225,7 +225,7 @@ When the clock driver sets the code to a new value, a +clock_alarm+ (11)
peer event is reported.
[[flash]]
== Flash Status Word ==
== Flash Status Word
The flash status word is displayed by the +ntpq+ program +rv+ command.
It consists of a number of bits coded in hexadecimal as follows:
......@@ -250,7 +250,7 @@ The "Tag" field is the name the source code uses for the status bit.
Not all bits are in use, but have been kept for backwards compatibility.
[[kiss]]
== Kiss Codes ==
== Kiss Codes
Kiss codes are used in kiss-o'-death (KoD) packets, billboard displays
and log messages. They consist of a string of four zero-padded ASCII
......
= Clock Discipline Algorithm =
= Clock Discipline Algorithm
include::html.include[]
== Table of Contents ==
== Table of Contents
* link:#intro[General Overview]
* link:#pll[Phase-Lock Loop Operations]
......@@ -11,7 +11,7 @@ include::html.include[]
'''''
[[intro]]
== General Overview ==
== General Overview
At the heart of the NTP specification and reference implementation is
the clock discipline algorithm, which is best described as an adaptive
......@@ -27,7 +27,7 @@ image::pic/discipline.gif[align="center"]
Figure 1. Clock Discipline Algorithm
[[pll]]
== Clock Discipline Operations ==
== Clock Discipline Operations
A block diagram of the clock discipline is shown in Figure 1. The
timestamp of a reference clock or remote server is compared with the
......@@ -60,7 +60,7 @@ such cases, either peer uses the minimum of its poll interval and
that of the other peer, which is included in the NTP packet header.
[[loop]]
== Loop Dynamics ==
== Loop Dynamics
It is necessary to verify that the clock discipline algorithm is stable
and satisfies the Nyquist criterion, which requires that the sampling
......@@ -128,7 +128,7 @@ operation, the system time can be stepped forward or backward more than
page.
[[house]]
== Clock Initialization and Management ==
== Clock Initialization and Management
If left running continuously, an NTP client on a fast LAN in a home or
office environment can maintain synchronization nominally within one
......
= Automatic Server Discovery Schemes =
= Automatic Server Discovery Schemes
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,11 +10,11 @@ Make sure who your friends are.
|==============================
== Related Links ==
== Related Links
include::includes/hand.adoc[]
== Table of Contents ==
== Table of Contents
* link:#assoc[Association Management]
* link:#pool[Server Pool Scheme]
......@@ -22,7 +22,7 @@ include::includes/hand.adoc[]
'''''
[[modes]]
== Introduction ==
== Introduction
The NTPv4 *reference specification* supports three automatic server discovery
schemes: broadcast, manycast, and server pool. However, NTPsec only supports
......@@ -40,7 +40,7 @@ from the configuration file, and they are ordered from best to worst according
to the NTP mitigation algorithms, and surplus associations are pruned.
[[assoc]]
== Association Management ==
== Association Management
Pool discovery uses an iterated process to discover new preemptable client
associations as long as the total number of client associations is less
......@@ -81,7 +81,7 @@ link:confopt.html[Configuration Options] page. See that page
for applicability and defaults.
[[pool]]
== Pool Scheme ==
== Pool Scheme
The idea of targeting servers on a random basis to distribute and
balance the load is not a new one; however, the
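Review bot: the heading changed here is "Pool Scheme", but the Table of Contents on the same page links to it as link:#pool[Server Pool Scheme]. The anchor matches, so the link works, but the two titles should agree. Pick one wording and use it in both places.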
......
= External Clock Discipline and the Local Clock Driver =
= External Clock Discipline and the Local Clock Driver
include::html.include[]
The NTPv4 implementation includes provisions for an external clock,
......
= Clock Filter Algorithm =
= Clock Filter Algorithm
include::html.include[]
The clock filter algorithm processes the offset and delay samples
......
= How to build new GENERIC clocks =
= How to build new GENERIC clocks
include::html.include[]
Here is an attempt to sketch out what you need to do to add
......@@ -6,7 +6,7 @@ another clock to the generic driver: Currently the implementation is being
cleaned up - so not all information in here is completely correct. Refer
to the included code where in doubt.
== Prerequisites ==
== Prerequisites
* Does the system you want the clock connect to have the include file
termios.h? (You need that for the generic driver)
......@@ -15,7 +15,7 @@ What to do:
Make a conversion module (libparse/clk_*.c)
== What is the time code format? ==
== What is the time code format?
Find year, month, day, hour, minute, second, status (synchronised or
not), possibly time zone information (you need to give the offset to
......@@ -132,7 +132,7 @@ closest to yours and tweak the code to match your clock.
In order to make your clk_*.c file usable, a reference to the clockformat
structure must be put into parse_conf.c.
== Driver initialization ==
== Driver initialization
TTY setup and initialization/configuration will be done in
ntpd/refclock_generic.c.
......
== History of NTP ==
== History of NTP
// Early history was found at https://www.galsys.co.uk/about-NTP.html
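Review bot: this file's title is written as a level-1 section ("== History of NTP") and is not followed by include::html.include[], whereas every other page touched in this commit opens with a "=" document title and that include. If the file is rendered as a standalone page, the title should be "= History of NTP"; if it is only ever pulled in by another page, a short comment saying so would stop the next cleanup pass from "fixing" it.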
......
= The Huff-n'-Puff Filter =
= The Huff-n'-Puff Filter
include::html.include[]
In scenarios where a considerable amount of data are downloaded or
......
= The Secure Network Time Protocol (NTPsec) Distribution =
= The Secure Network Time Protocol (NTPsec) Distribution
include::html.include[]
[cols="10%,90%",frame="none",grid="none",style="verse"]
......@@ -10,13 +10,13 @@ Pleased to meet you.
|==============================
== Related Links ==
== Related Links