ntp clients stop seeing multicast traffic - ttl option not effective in ntp.conf
Environment
- RHEL 6
- RHEL 7
- ntp
Issue
- When
ntp
package was upgraded fromntp-4.2.6p5-10.el6.1.x86_64
tontp-4.2.6p5-12.el6_9.2.x86_64
the ntp clients stopped seeing multicast broadcast traffic. - ntp broadcasts are still sent from the timehost servers but the
ttl
of messages is1
if the destination address is not in the same network, thus the message will be dropped by the next router.
Resolution
- Even with a
ttl
option on thebroadcast
line inntp.conf
will not solve the issue:
broadcast 123.0.0.1 ttl 6
- The documentation is not very clear about this option, but the solution for
RHEL 6
is to add attl
line in thentp.conf
file thus the arraysys_ttl
will be configured: - in ntp.conf:
ttl 0 32 64 96 128 160 192 224
broadcast 123.0.1.1 ttl 3
For RHEL 7 update to ntp-4.2.6p5-29.el7
shipped with Advisory RHSA-2019:2077 or newer.
Root Cause
- The
ttl
configuration is confusing. Thettl
value in the broadcast directive is an index to the array configured by thettl
directive and theCVE-2017-6464
fix prevents using the default values of the array. -
However, the
sys_ttlmax
variable is not set correctly when parsing a config file which does not have attl
directive. In such case it is set to -1, so the default value of 32 (which should be selected byttl 1
on the broadcast line) fromsys_ttl
is ignored and some bogus value is used instead. -
With the last version ntp-4.2.6p5-12.el6_9.2.x86_64 that includes this patch:
--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 2017-03-22 12:54:11.270454677 +0100
+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2017-03-22 12:54:11.279454706 +0100
@@ -3017,8 +3017,10 @@ peer_xmit(
}
}
peer->t21_bytes = sendlen;
- sendpkt(&peer->srcadr, peer->dstadr, sys_ttl[peer->ttl],
- &xpkt, sendlen);
+ sendpkt(&peer->srcadr, peer->dstadr,
+ sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
+ &xpkt, sendlen);
peer->sent++;
peer->throttle += (1 << peer->minpoll) - 2;
the ttl option is not correctly managed:
- For example:
broadcast 123.0.0.0 ttl 6
will configure a ttl of 1 if the destination address is not in the same network.
- But if we add a line :
ttl 8
in the ntp.conf file, then ttl is then set to 8 (and not 6 ..)
-
The first issue is that in the code,
sys_ttlmax
is-1
thuspeer->ttl
is not used but-1
.. -
This is due to this part:
8<---------- 8< ---------------- 8< ---------------- 8< --------
static void
config_ttl(
struct config_tree *ptree
)
{
int i = 0;
int *curr_ttl;
curr_ttl = queue_head(ptree->ttl);
while (curr_ttl != NULL) {
if (i < COUNTOF(sys_ttl))
sys_ttl[i++] = (u_char)*curr_ttl;
else
msyslog(LOG_INFO,
"ttl: Number of TTL entries exceeds %lu. Ignoring TTL %d...",
(u_long)COUNTOF(sys_ttl), *curr_ttl);
curr_ttl = next_node(curr_ttl);
}
sys_ttlmax = i - 1;
}
8<---------- 8< ---------------- 8< ---------------- 8< --------
Diagnostic Steps
- You can check the
broadcast
andttl
configuration in ntp.conf - If you capture the packets in the destination to the external network, you will see a
ttl
of 1:
tcpdump -v -s 0 -n "dst host 123.0.0.0"
10:51:02.863017 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 76)
192.168.1.224.ntp > 123.0.0.0.ntp: NTPv4, length 48
Broadcast, Leap indicator: (0), Stratum 3 (secondary reference), poll 6s, precision -22
Root Delay: 0.138885, Root dispersion: 0.958358, Reference-ID: x.y.z.w
Reference Timestamp: 3752473800.431462764 (2018/11/29 10:50:00)
Originator Timestamp: 0.000000000
Receive Timestamp: 0.000000000
Transmit Timestamp: 3752473862.863004565 (2018/11/29 10:51:02)
Originator - Receive Timestamp: 0.000000000
Originator - Transmit Timestamp: 3752473862.863004565 (2018/11/29 10:51:02)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments