Network Time Protocol (NTP) Server Option for DHCPv6
Cisco Systems, Inc.
Village ent. GreenSide, Bat T3,
400, Av de Roumanille,
06410 BIOT - Sophia-Antipolis Cedex
France
+33 4 97 23 26 49
rgayraud@cisco.com

Cisco Systems, Inc.
Village ent. GreenSide, Bat T3,
400, Av de Roumanille,
06410 BIOT - Sophia-Antipolis Cedex
France
+33 4 97 23 26 23
blourdel@cisco.com

The NTP Server Option for DHCPv6 provides NTP (Network Time
Protocol version 4) configuration information to DHCPv6 hosts.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
"SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as
described in .

This document defines a DHCPv6 option and associated
suboptions to provide Network Time Protocol version 4
[draft-ntpv4] or greater configuration information to DHCPv6 hosts.

(SNTP Configuration Option for DHCPv6)
provides some degree of automatic time server configuration
for IPv6, as it specifies how to transmit SNTP
server addresses through DHCPv6.
However, this approach is not suitable for all NTP
deployments. The use of the SNTP protocol is only authorized
at the root and leaves of an NTP tree (i.e. stratum 1 servers
and highest stratum clients). But NTP servers that receive time
from an upstream source, and redistribute it to LAN workstations,
are not allowed to run SNTP. This is why SNTP is not the protocol
of choice for general purpose NTP servers directly used by client
workstations. Additionally, the approach of only offering IPv6
addresses to specify server location does not meet NTP requirements
that make use of an FQDN (Fully Qualified Domain Name) as well.

The NTP service is publicly offered on the Internet by a number
of organizations. Those servers can be used but not abused, so
any method which is tasked to disseminate locations of NTP servers
must act responsibly in a manner that does not lead to public
server overloading.
When using DHCPv6 to offer NTP server location, and if there is a
need to distribute a device with a hardcoded configuration,
this configuration MUST NOT include a server location that is
not part of the organization that distributes this device.
Typical usage of this option is to specify an NTP server that
is part of the organization that operates the DHCPv6 server.

The location of the NTP service, like any other Internet service,
can be specified by an IP address or an FQDN. By design, DHCP
offers information to multiple devices and is prone to
amplification of mistakes, so great care must be taken to
define its configuration. Specification of the NTP service by
FQDN offers a level of indirection that works as
a possible mitigation tool in case of misconfiguration.
DNS can be used to redirect misconfigured clients to a
nonexistent IPv6 address instead of having to change the
address of the NTP Server itself.

While the NTP specification defines a comprehensive set of
configuration parameters, modification of those parameters is best
left to the decision of the client itself. The DHCPv6 option for
NTP is therefore restricted to server location.

This option serves as a container for all the information
related to one NTP server. This option can appear multiple
times in a DHCPv6 message. Each instance of this option is
to be considered by the NTP client as a server to include
in its configuration.

The option itself does not contain any value. Instead, it
contains one or several suboptions that carry NTP server
configuration information. This option MUST include one,
and only one, time source suboption. The currently defined
time source suboptions are NTP_OPTION_SRV_ADDR, NTP_OPTION_SRV_MC_ADDR,
and NTP_OPTION_SRV_FQDN. The time source suboption carries the NTP server location,
as a unicast or multicast IPv6 address or as an NTP server FQDN.
More time source suboptions may be defined in the future.
While the FQDN option offers the most deployment flexibility,
resiliency as well as security, the IP address options are
defined to cover cases where a dependency on DNS is not desirable.

If the NTP server location is an IPv6 multicast address,
the client SHOULD use this address as an NTP multicast
group address and listen to messages sent to this group in
order to synchronize its clock.

A client that receives this option SHOULD use the specified
NTP server to synchronize its clock.

This document does not define any priority between the client's
embedded configuration and the NTP servers discovered via this
option. In particular, the client is allowed to simultaneously
use its own configured NTP servers and the servers discovered
via DHCP.

This suboption is intended to appear inside the
OPTION_NTP_SERVER option. It specifies the IPv6 unicast address
of an NTP server available to the client. An example of
use is present in .

This suboption is intended to appear inside the
OPTION_NTP_SERVER option. It specifies the IPv6 multicast
group address used by NTP on the local network.
An example of use is present in .

This suboption is intended to appear inside the
OPTION_NTP_SERVER option. It specifies the FQDN of an NTP server
available to the client.

To instruct a client to use an NTP server located at
address 2001:db8::1, a DHCP server shall use the following
format:

To instruct a client to join the FF05::101 NTP multicast group,
a DHCP server shall use the following format:

The OPTION_NTP_SERVER option can appear multiple times in a
DHCPv6 message. The order in which these options appear is not
significant. The client uses its usual algorithms to determine
which server(s) or multicast group(s) should be preferred to
synchronize its clock.

The OPTION_NTP_SERVER option MUST NOT appear in messages other
than the following: Solicit, Advertise, Request, Renew, Rebind,
Information-Request, and Reply. If this option appears in
messages other than those specified above, the receiver SHOULD
ignore it.

The option number for this option MAY appear in the "Option
Request" option in the following
messages: Solicit, Request, Renew, Rebind, Information-Request,
and Reconfigure. If this option number appears in the
"Option Request" option in messages other than those specified
above, the receiver SHOULD ignore it.

This option could be used by an intruder to advertise the
address of a malicious NTP server and adversely affect
the clock of clients on the network. The consequences of such
an attack can be critical, because many security protocols
depend on time synchronization to run their algorithms.
As an example, an attacker could break connectivity
between SEND-enabled nodes, simply
by affecting the clock on these nodes.

To prevent these attacks, it is strongly advisable to
secure the use of this option either by:

When this document is published, the IANA is requested to
assign an option code from the "DHCPv6 Options Codes" registry
for OPTION_NTP_SERVER.
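
A client-side check of the container rules described above, as an added example that is not part of the original document: it parses one OPTION_NTP_SERVER payload, enforces exactly one time source suboption, and ignores the option in messages outside the permitted list. The suboption code values, the 16-bit code/length TLV layout and the DNS wire-format FQDN encoding are assumptions, since the format figures are missing from this page.

```python
import ipaddress
import struct

# Suboption codes are assumed values for this example; the page lists none.
NTP_OPTION_SRV_ADDR, NTP_OPTION_SRV_MC_ADDR, NTP_OPTION_SRV_FQDN = 1, 2, 3
TIME_SOURCES = {NTP_OPTION_SRV_ADDR, NTP_OPTION_SRV_MC_ADDR, NTP_OPTION_SRV_FQDN}
# Message types in which the page permits OPTION_NTP_SERVER.
ALLOWED_MESSAGES = {"Solicit", "Advertise", "Request", "Renew", "Rebind",
                    "Information-Request", "Reply"}

def tlvs(buf):
    """Yield (code, value) for each TLV; raise ValueError if one is truncated."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated suboption header")
        code, length = struct.unpack_from("!HH", buf, pos)
        if length > len(buf) - pos - 4:
            raise ValueError("suboption length exceeds option payload")
        yield code, buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def decode_fqdn(value):
    """Decode uncompressed DNS wire-format labels into a dotted name."""
    labels, pos = [], 0
    while pos < len(value) and value[pos] != 0:
        n = value[pos]
        if n > 63 or pos + 1 + n > len(value):
            raise ValueError("bad FQDN label")
        labels.append(value[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos != len(value) - 1 or not labels:
        raise ValueError("FQDN empty, unterminated, or has trailing bytes")
    return ".".join(labels)

def parse_ntp_server(payload, message="Reply"):
    """Return (kind, location) for one OPTION_NTP_SERVER payload, or None if ignored."""
    if message not in ALLOWED_MESSAGES:
        return None  # the receiver SHOULD ignore the option in other messages
    sources = [(c, v) for c, v in tlvs(payload) if c in TIME_SOURCES]
    if len(sources) != 1:
        raise ValueError("option must carry exactly one time source suboption")
    code, value = sources[0]
    if code == NTP_OPTION_SRV_FQDN:
        return "fqdn", decode_fqdn(value)
    addr = ipaddress.IPv6Address(value)  # raises ValueError unless 16 bytes
    # A multicast address is only valid in the multicast suboption, and vice versa.
    if addr.is_multicast != (code == NTP_OPTION_SRV_MC_ADDR):
        raise ValueError("address type does not match the suboption")
    return ("multicast" if addr.is_multicast else "unicast"), str(addr)
```

Unknown suboption codes are skipped rather than rejected, so a payload still needs exactly one of the three time source suboptions named on this page to be accepted.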
Network Time Protocol Version 4 Protocol And Algorithms Specification
Network Time Protocol Version 4 Autokey Specification