ntp clients stop seeing multicast traffic - ttl option not effective in ntp.conf
Environment
- RHEL 6
- RHEL 7
- ntp
Issue
- When
ntppackage was upgraded fromntp-4.2.6p5-10.el6.1.x86_64tontp-4.2.6p5-12.el6_9.2.x86_64the ntp clients stopped seeing multicast broadcast traffic. - ntp broadcasts are still sent from the timehost servers but the
ttlof messages is1if the destination address is not in the same network, thus the message will be dropped by the next router.
Resolution
- Even with a
ttloption on thebroadcastline inntp.confwill not solve the issue:
broadcast 123.0.0.1 ttl 6
- The documentation is not very clear about this option, but the solution for
RHEL 6is to add attlline in thentp.conffile thus the arraysys_ttlwill be configured: - in ntp.conf:
ttl 0 32 64 96 128 160 192 224
broadcast 123.0.1.1 ttl 3
For RHEL 7 update to ntp-4.2.6p5-29.el7 shipped with Advisory RHSA-2019:2077 or newer.
Root Cause
- The
ttlconfiguration is confusing. Thettlvalue in the broadcast directive is an index to the array configured by thettldirective and theCVE-2017-6464fix prevents using the default values of the array. -
However, the
sys_ttlmaxvariable is not set correctly when parsing a config file which does not have attldirective. In such case it is set to -1, so the default value of 32 (which should be selected byttl 1on the broadcast line) fromsys_ttlis ignored and some bogus value is used instead. -
With the last version ntp-4.2.6p5-12.el6_9.2.x86_64 that includes this patch:
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 2017-03-22 12:54:11.270454677 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2017-03-22 12:54:11.279454706 +0100
@@ -3017,8 +3017,10 @@ peer_xmit(
}
}
peer->t21_bytes = sendlen;
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
- &xpkt, sendlen);
+ sendpkt(&peer->srcadr, peer->dstadr,
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+ &xpkt, sendlen);
peer->sent++;
peer->throttle += (1 << peer->minpoll) - 2;
the ttl option is not correctly managed:
- For example:
broadcast 123.0.0.0 ttl 6
will configure a ttl of 1 if the destination address is not in the same network.
- But if we add a line :
ttl 8
in the ntp.conf file, then ttl is then set to 8 (and not 6 ..)
-
The first issue is that in the code,
sys_ttlmaxis-1thuspeer->ttlis not used but-1.. -
This is due to this part:
8<---------- 8< ---------------- 8< ---------------- 8< --------
static void
config_ttl(
struct config_tree *ptree
)
{
int i = 0;
int *curr_ttl;
curr_ttl = queue_head(ptree->ttl);
while (curr_ttl != NULL) {
if (i < COUNTOF(sys_ttl))
sys_ttl[i++] = (u_char)*curr_ttl;
else
msyslog(LOG_INFO,
"ttl: Number of TTL entries exceeds %lu. Ignoring TTL %d...",
(u_long)COUNTOF(sys_ttl), *curr_ttl);
curr_ttl = next_node(curr_ttl);
}
sys_ttlmax = i - 1;
}
8<---------- 8< ---------------- 8< ---------------- 8< --------
Diagnostic Steps
- You can check the
broadcastandttlconfiguration in ntp.conf - If you capture the packets in the destination to the external network, you will see a
ttlof 1:
tcpdump -v -s 0 -n "dst host 123.0.0.0"
10:51:02.863017 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 76)
192.168.1.224.ntp > 123.0.0.0.ntp: NTPv4, length 48
Broadcast, Leap indicator: (0), Stratum 3 (secondary reference), poll 6s, precision -22
Root Delay: 0.138885, Root dispersion: 0.958358, Reference-ID: x.y.z.w
Reference Timestamp: 3752473800.431462764 (2018/11/29 10:50:00)
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3752473862.863004565 (2018/11/29 10:51:02)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3752473862.863004565 (2018/11/29 10:51:02)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments