<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="IETF" category="historic" consensus="true" docName="draft-ietf-ntp-mode-6-cmds-11"ipr="pre5378Trust200902">number="9327" ipr="pre5378Trust200902" obsoletes="" updates="" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.15.0 --> <front> <title abbrev="NTP Control Messages">Control Messages Protocol for Use with Network Time Protocol Version 4</title> <seriesInfo name="RFC" value="9327"/> <author fullname="Brian Haberman" initials="B." surname="Haberman" role="editor"> <organization>JHU</organization> <address> <email>brian@innovationslab.net</email> </address> </author> <datemonth="February" year="2022" />month="October" year="2022"/> <area>int</area> <workgroup>ntp</workgroup> <abstract> <t>This document describes the structure of the control messages that were historically used with the Network Time Protocol (NTP) before the advent of more modern control and management approaches. These control messages have been used to monitor and control theNetwork Time ProtocolNTP application running on any IP network attached computer. The information in this document was originally described in Appendix B of RFC 1305. The goal of this document is to provide an updated description of the control messages described in RFC 1305 in order to conform with the updatedNetwork Time ProtocolNTP specification documented in RFC 5905.</t> <t>The publication of this document is not meant to encourage the development and deployment of these control messages. This document is only providing a current reference for these control messages given the current status of RFC 1305.</t> </abstract> </front> <middle> <sectiontitle="Introduction"> <t>RFC 1305 <xrefnumbered="true" toc="default"> <name>Introduction</name> <t><xref target="RFC1305"/> describedformat="default"/> describes a set of control messages for use within the Network Time Protocol (NTP) when a comprehensive network management solution was not available. The definitions of these control messages were not promulgated toRFC 5905<xref target="RFC5905"/>format="default"/> when NTP version 4 was documented. These messages were intended for use only in systems where no other management facilities were available or appropriate, such as in dedicated-function bus peripherals. Support for these messages is not required in order to conform toRFC 5905<xref target="RFC5905"/>.format="default"/>. The control messages are described here as a current reference for use with anRFC 5905implementation ofNTP.</t>NTP from RFC 5905.</t> <t>The publication of this document is not meant to encourage the development and deployment of these control messages. This document is only providing a current reference for these control messages given the current status of RFC 1305.</t> <sectiontitle="Controlnumbered="true" toc="default"> <name>Terminology</name> <t> The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section> <section numbered="true" toc="default"> <name>Control MessageOverview">Overview</name> <t>The NTPModemode 6 control messages are used by NTP management programs (e.g., ntpq) when a more robust network management facility (e.g., SNMP) is not available. These control messages provide rudimentary control and monitoring functions to manage a running instance of an NTP server. These commands are not designed to be used for communication between instances of running NTP servers.</t> <t>The NTPControl Messagecontrol message has the value 6 specified in the mode field of the first octet of the NTP header and is formatted as shown in <xref target="M6Hdr"/>.format="default"/>. The format of the data field is specific to each command or response; however, in mostcasescases, the format is designed to be constructed and viewed by humans and so is coded in free-form ASCII. This facilitates the specification and implementation of simple management tools in the absence of fully evolved network-management facilities. As in ordinary NTP messages, the authenticator field follows the data field. If the authenticator isusedused, the data field is zero-padded to a 32-bit boundary, but the padding bits are not considered part of the data field and are not included in the field count.</t> <t>IP hosts are not required to reassemble datagrams over a certain size (576 octets for IPv4 <xref target="RFC0791"/>format="default"/> and 1280 octets for IPv6 <xreftarget="RFC2460" />);target="RFC8200" format="default"/>); however, some commands or responses may involve more data than will fit into a single datagram. Accordingly, a simple reassembly feature is included in which each octet of the message data is numbered starting with zero. As each fragment istransmittedtransmitted, the number of its first octet is inserted in the offset field and the number of octets is inserted in the count field. The more-data (M) bit is set in all fragments except the last.</t> <t>Most control functions involve sending a command and receiving a response, perhaps involving several fragments. The sender chooses a distinct, nonzero sequence number and sets the statusfield andfield, "R" bit, and "E"bitsbit to zero. The responder interprets the opcode and additional information in the data field, updates the status field, sets the "R" bit to one and returns the three 32-bit words of the header along with additional information in the data field. In the case of invalid message format orcontentscontents, the responder inserts a code in the status field, sets the "R" and "E" bits to one and, optionally, inserts a diagnostic message in the data field.</t> <t>Some commands read or write system variables (e.g., s.offset) and peer variables (e.g., p.stratum) for an association identified in the command. Others read or write variables associated with a radio clock or other device directly connected to a source of primary synchronization information. To identify which type of variable andassociationassociation, the Association ID is used. System variables are indicated by the identifier zero. As each association is mobilized a unique, nonzero identifier is created for it. These identifiers are used in a cyclic fashion, so that the chance of using an old identifierwhichthat matches a newly created association is remote. A management entity can request a list of current identifiers and subsequently use them to read and write variables for each association. An attempt to use an expired identifier results in an exception response, following which the list can be requested again.</t> <t>Some exception events, such as when a peer becomes reachable or unreachable, occur spontaneously and are not necessarily associated with a command. An implementation may elect to save the event information for laterretrieval orretrieval, to send an asynchronous response (called atrap)trap), or both. In case of atraptrap, the IP address and port numberisare determined by a previous command and the sequence field is set as described below. Current status and summary information for the latest exception event is returned in all normal responses. Bits in the status field indicate whether an exception has occurred since the last response and whether more than one exception has occurred.</t> <t>Commands need not necessarily be sent by an NTP peer, so ordinary access-control procedures may not apply; however, the optional mask/match mechanism suggested inSection<xref target="Security"/> elsewhere in this documentformat="default"/> provides the capability to control access by mode number, so this could be used to limit access for control messages (mode 6) to selected address ranges.</t> </section> <sectiontitle="Remotenumbered="true" toc="default"> <name>Remote Facility MessageOverview">Overview</name> <t>The original development of the NTP daemon included aremote facilityRemote Facility for monitoring and configuration. This facility used mode 7 commands to communicate with the NTP daemon. This document illustrates the mode 7 packet format only. The commands embedded in the mode 7 messages are implementation specific and not standardized in any way. The mode 7 message format is described in <xref target="mode7"/>.</t>format="default"/>.</t> </section> </section> <sectiontitle="NTPnumbered="true" toc="default"> <name>NTP Control MessageFormat">Format</name> <t>The format of the NTP Control Message header, which immediately follows the UDP header, is shown in <xref target="M6Hdr"/>.format="default"/>. Following the figure is a description of its header fields.</t> <figureanchor="M6Hdr" title="NTPanchor="M6Hdr"> <name>NTP Control MessageHeader">Header</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |LI | VN |Mode |R|E|M|OpCodeopcode | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status | Association ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Offset | Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / Data (up to 468 bytes) / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Padding (optional) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / Authenticator (optional, 20 or 24 bits) / | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork> </figure><t>Leap<dl newline="true" spacing="normal"> <dt>Leap Indicator(LI): This(LI):</dt><dd>This is atwo-bit2-bit integer that is set to b00 for control message requests and responses. The Leap Indicator value used at this position in most NTP modes is in theSystem Status Wordsystem status word provided in some control messageresponses.</t> <t>Versionresponses.</dd> <dt>Version Number(VN): This(VN):</dt><dd>This is athree-bit3-bit integer indicating a minimum NTP version number. NTP servers do not respond to control messages with an unrecognized version number. Requests may intentionally use a lower version number to enable interoperability with earlier versions of NTP. Responses carry the same version as the correspondingrequest.</t> <t>Mode: Thisrequest.</dd> <dt>Mode:</dt><dd>This is athree-bit3-bit integer indicating the mode. The value 6 indicates an NTP controlmessage.</t> <t>Responsemessage.</dd> <dt>Response Bit(R): Set(R):</dt><dd>Set to zero forcommands,commands; set to one forresponses.</t> <t>Errorresponses.</dd> <dt>Error Bit(E): Set(E):</dt><dd>Set to zero for normalresponse,responses; set to one for an errorresponse.</t> <t>Moreresponse.</dd> <dt>More Bit(M): Set(M):</dt><dd>Set to zero for the lastfragment,fragment; set to one for allothers.</t> <t>Operationothers.</dd> <dt>Operation Code(OpCode): This(opcode):</dt><dd>This is afive-bit5-bit integer specifying the command function. Values currently defined include thefollowing:</t> <t><figure> <artwork align="center" name="Operation Codes"><![CDATA[ +-------+--------------------------------------------------+ | Code | Meaning | +-------+--------------------------------------------------+ | 0 | reserved | | 1 | read status command/response | | 2 | readfollowing:</dd> </dl> <table anchor="opcodes"> <name>Operation Codes</name> <thead> <tr> <th>Code</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>reserved</td> </tr> <tr> <td>1</td> <td>read status command/response</td> </tr> <tr> <td>2</td> <td>read variablescommand/response | | 3 | writecommand/response</td> </tr> <tr> <td>3</td> <td>write variablescommand/response | | 4 | readcommand/response</td> </tr> <tr> <td>4</td> <td>read clock variablescommand/response | | 5 | writecommand/response</td> </tr> <tr> <td>5</td> <td>write clock variablescommand/response | | 6 | setcommand/response</td> </tr> <tr> <td>6</td> <td>set trap address/portcommand/response | | 7 | trap response | | 8 | runtimecommand/response</td> </tr> <tr> <td>7</td> <td>trap response</td> </tr> <tr> <td>8</td> <td>runtime configurationcommand/response | | 9 | exportcommand/response</td> </tr> <tr> <td>9</td> <td>export configuration to filecommand/response | | 10 | retrievecommand/response</td> </tr> <tr> <td>10</td> <td>retrieve remote address statscommand/response | | 11 | retrievecommand/response</td> </tr> <tr> <td>11</td> <td>retrieve ordered listcommand/response | | 12 | requestcommand/response</td> </tr> <tr> <td>12</td> <td>request client-specific noncecommand/response | | 13-30 | reserved | | 31 | unsetcommand/response</td> </tr> <tr> <td>13-30</td> <td>reserved</td> </tr> <tr> <td>31</td> <td>unset trap address/portcommand/response | +-------+--------------------------------------------------+ ]]></artwork> </figure></t> <t>Sequence Number: Thiscommand/response</td> </tr> </tbody> </table> <dl newline="true" spacing="normal"> <dt>Sequence Number:</dt><dd>This is a 16-bit integer indicating the sequence number of the command or response. Each request uses a different sequence number. Each response carries the same sequence number as its corresponding request. For asynchronous trap responses, the responder increments the sequence number by one for each response, allowing trap receivers to detect missing trap responses. The sequence number of each fragment of a multiple-datagram response carries the same sequence number, copied from therequest.</t> <t>Status: Thisrequest.</dd> <dt>Status:</dt><dd>This is a 16-bit code indicating the current status of the system,peerpeer, orclock,clock with values coded as described in followingsections.</t> <t>Association ID: Thissections.</dd> <dt>Association ID:</dt><dd>This is a 16-bit unsigned integer identifying a validassociation,association or zero for the systemclock.</t> <t>Offset: Thisclock.</dd> <dt>Offset:</dt><dd>This is a 16-bit unsigned integer indicating the offset, in octets, of the first octet in the data area. The offset is set to zero in requests. Responses spanning multiple datagrams use a positive offset in all but the firstdatagram.</t> <t>Count: Thisdatagram.</dd> <dt>Count:</dt><dd>This is a 16-bit unsigned integer indicating the length of the data field, inoctets.</t> <t>Data: Thisoctets.</dd> <dt>Data:</dt><dd>This contains the message data for the command or response. The maximum number of data octets is468.</t> <t>Padding (optional): Contains468.</dd> <dt>Padding (optional):</dt><dd>Contains zero tothree3 octets with a value of zero, as needed to ensure the overall control message size is a multiple of 4octets.</t> <t>Authenticator (optional): Whenoctets.</dd> <dt>Authenticator (optional):</dt><dd>When the NTP authentication mechanism is implemented, this contains the authenticator information defined inAppendix C of<xref target="RFC1305"/>.</t>sectionFormat="of" section="Appendix C"/>.</dd> </dl> </section> <sectiontitle="Status Words ">numbered="true" toc="default"> <name>Status Words</name> <t>Status words indicate the present status of the system,associationsassociations, and clock. They are designed to be interpreted by network-monitoring programs and are in one of four 16-bit formats shown in <xref target="M6SW"/>format="default"/> and described in this section. System and peer status words are associated with responses for all commands except the read clock variables, write clockvariablesvariables, and set trap address/port commands. The association identifier zero specifies the system status word, while a nonzero identifier specifies a particular peer association. The status word returned in response to read clock variables and write clock variables commands indicates the state of the clock hardware and decoding software. A special error status word is used to report malformed command fields or invalid values.</t> <figureanchor="M6SW" title="Statusanchor="M6SW"> <name>Status WordFormats">Formats</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | LI| Clock Src | Count | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ System Status Word +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status | SEL | Count | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Peer Status Word +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Clock Status | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Radio Status Word +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Error Code | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Error Status Word +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Count | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Clock StatusWord ]]></artwork>Word]]></artwork> </figure> <sectiontitle="Systemnumbered="true" toc="default"> <name>System StatusWord ">Word</name> <t>The system status word appears in the status field of the response to a read status or read variables command with a zero association identifier. The format of the system status word is as follows:</t><t>Leap<dl newline="true" spacing="normal"> <dt>Leap Indicator(LI): This(LI):</dt><dd>This is atwo-bit2-bit code warning of an impending leap second to be inserted/deleted in the last minute of the current day, with bit 0 and bit 1, respectively, coded asfollows:</t> <t><figure> <artwork align="center" name="Leap Indicator"><![CDATA[ +------+------------------------------------------------------------+ | LI | Meaning | +------+------------------------------------------------------------+ | 00 | no warning | | 01 | insertfollows:</dd> </dl> <table anchor="LeapIndicator"> <name>Leap Indicator Codes</name> <thead> <tr> <th>LI</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>00</td> <td>no warning</td> </tr> <tr> <td>01</td> <td>insert second after 23:59:59 of the currentday | | 10 | deleteday</td> </tr> <tr> <td>10</td> <td>delete second 23:59:59 of the currentday | | 11 | unsynchronized | +------+------------------------------------------------------------+ ]]></artwork> </figure></t> <t>Clockday</td> </tr> <tr> <td>11</td> <td>unsynchronized</td> </tr> </tbody> </table> <dl newline="true" spacing="normal"> <dt>Clock Source (ClockSrc): ThisSrc):</dt><dd>This is asix-bit6-bit integer indicating the current synchronization source, with values coded asfollows:</t> <t><figure> <artwork align="center" name="Clock Source"><![CDATA[ +-------+-----------------------------------------------------------+ | Code | Meaning | +-------+-----------------------------------------------------------+ | 0 | unspecified or unknown | | 1 | Calibratedfollows:</dd> </dl> <table anchor="ClockSource"> <name>Clock Source Values</name> <thead> <tr> <th>Code</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>unspecified or unknown</td> </tr> <tr> <td>1</td> <td>Calibrated atomic clock (e.g., PPS, HP5061) | | 2 | VLF5061)</td> </tr> <tr> <td>2</td> <td>VLF (band 4) or LF (band 5) radio (e.g., OMEGA,,WWVB) | | 3 | HFWWVB)</td> </tr> <tr> <td>3</td> <td>HF (band 7) radio (e.g., CHU, MSF,WWV/H) | | 4 | UHFWWV/H)</td> </tr> <tr> <td>4</td> <td>UHF (band 9) satellite (e.g., GOES,GPS) | | 5 | localGPS)</td> </tr> <tr> <td>5</td> <td>local net (e.g., DCN, TSP,DTS) | | 6 | UDP/NTP | | 7 | UDP/TIME | | 8 | eyeball-and-wristwatch | | 9 | telephoneDTS)</td> </tr> <tr> <td>6</td> <td>UDP/NTP</td> </tr> <tr> <td>7</td> <td>UDP/TIME</td> </tr> <tr> <td>8</td> <td>eyeball-and-wristwatch</td> </tr> <tr> <td>9</td> <td>telephone modem (e.g.,NIST) | | 10-63 | reserved | +-------+-----------------------------------------------------------+ ]]></artwork> </figure></t> <t>SystemNIST)</td> </tr> <tr> <td>10-63</td> <td>reserved</td> </tr> </tbody> </table> <dl newline="true" spacing="normal"> <dt>System Event Counter(Count): This(Count):</dt><dd>This is afour-bit4-bit integer indicating the number of system events occurring since the last time the System Event Code changed. Upon reaching 15, subsequent events with the same code are notcounted.</t> <t> Systemcounted.</dd> <dt>System Event Code(Code): This(Code):</dt><dd>This is afour-bit4-bit integer identifying the latest system exception event, with new values overwriting previous values, and coded asfollows:</t> <t><figure> <artwork align="center" name="Systemfollows:</dd> </dl> <table anchor="SystemEventCode"> <name>System EventCode"><![CDATA[ +------+---------------------------------------------------------+ | Code | Meaning | +------+---------------------------------------------------------+ | 0 | unspecified | | 1 | frequencyCodes</name> <thead> <tr> <th>Code</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>unspecified</td> </tr> <tr> <td>1</td> <td>frequency correction (drift) file notavailable | | 2 | frequencyavailable</td> </tr> <tr> <td>2</td> <td>frequency correction started (frequencystepped) | | 3 | spikestepped)</td> </tr> <tr> <td>3</td> <td>spike detected and ignored, starting stepouttimer | | 4 | frequencytimer</td> </tr> <tr> <td>4</td> <td>frequency trainingstarted | | 5 | clock synchronized | | 6 | system restart | | 7 | panicstarted</td> </tr> <tr> <td>5</td> <td>clock synchronized</td> </tr> <tr> <td>6</td> <td>system restart</td> </tr> <tr> <td>7</td> <td>panic stop (required step greater than panicthreshold) | | 8 | nothreshold)</td> </tr> <tr> <td>8</td> <td>no systempeer | | 9 | leappeer</td> </tr> <tr> <td>9</td> <td>leap second insertion/deletion armed for the| | | of thecurrentmonth | | 10 | leapmonth</td> </tr> <tr> <td>10</td> <td>leap seconddisarmed | | 11 | leapdisarmed</td> </tr> <tr> <td>11</td> <td>leap second inserted ordeleted | | 12 | clockdeleted</td> </tr> <tr> <td>12</td> <td>clock stepped (stepout timerexpired) | | 13 | kernelexpired)</td> </tr> <tr> <td>13</td> <td>kernel loop discipline statuschanged | | 14 | leapsecondschanged</td> </tr> <tr> <td>14</td> <td>leapseconds table loaded fromfile | | 15 | leapsecondsfile</td> </tr> <tr> <td>15</td> <td>leapseconds table outdated, updated fileneeded | +------+---------------------------------------------------------+ ]]></artwork> </figure></t>needed</td> </tr> </tbody> </table> </section> <sectiontitle="Peernumbered="true" toc="default"> <name>Peer StatusWord">Word</name> <t>A peer status word is returned in the status field of a response to a read status, readvariablesvariables, or write variables command and appearsalsoin the list ofassociation identifiersAssociation IDs and status words returned by a read status command with a zeroassociation identifier.Association ID. The format of a peer status word is as follows:</t><t>Peer<dl newline="true" spacing="normal"> <dt>Peer Status(Status): This(Status):</dt><dd>This is afive-bit5-bit code indicating the status of the peer determined by the packet procedure, with bits assigned asfollows:</t> <t><figure> <artwork align="center" name="Peer Status"><![CDATA[ +-------------+---------------------------------------------------+ | Peerfollows:</dd> </dl> <table anchor="PeerStatus"> <name>Peer Status| Meaning | | bit | | +-------------+---------------------------------------------------+ | 0 | configured (peer.config) | | 1 | authenticationBits</name> <thead> <tr> <th>Peer Status bit</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>configured (peer.config)</td> </tr> <tr> <td>1</td> <td>authentication enabled(peer.authenable) | | 2 | authentication(peer.authenable)</td> </tr> <tr> <td>2</td> <td>authentication okay(peer.authentic) | | 3 | reachability(peer.authentic)</td> </tr> <tr> <td>3</td> <td>reachability okay (peer.reach !=0) | | 4 | broadcast association | +-------------+---------------------------------------------------+ ]]></artwork> </figure></t> <t>Peer0)</td> </tr> <tr> <td>4</td> <td>broadcast association</td> </tr> </tbody> </table> <dl newline="true" spacing="normal"> <dt>Peer Selection(SEL): This(SEL):</dt><dd>This is athree-bit3-bit integer indicating the status of the peer determined by the clock-selection procedure, with values coded asfollows:</t> <t><figure> <artwork align="center" name="Peer Selection"><![CDATA[ +-----+-------------------------------------------------------------+ | Sel | Meaning | +-----+-------------------------------------------------------------+ | 0 | rejected | | 1 | discardedfollows:</dd> </dl> <table anchor="PeerSelection"> <name>Peer Selection Values</name> <thead> <tr> <th>Sel</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>rejected</td> </tr> <tr> <td>1</td> <td>discarded by intersectionalgorithm | | 2 | discardedalgorithm</td> </tr> <tr> <td>2</td> <td>discarded by table overflow (not currentlyused) | | 3 | discardedused)</td> </tr> <tr> <td>3</td> <td>discarded by the clusteralgorithm | | 4 | includedalgorithm</td> </tr> <tr> <td>4</td> <td>included by the combinealgorithm | | 5 | backupalgorithm</td> </tr> <tr> <td>5</td> <td>backup source (with more than sys.maxclocksurvivors) | | 6 | systemsurvivors)</td> </tr> <tr> <td>6</td> <td>system peer (synchronizationsource) | | 7 | PPSsource)</td> </tr> <tr> <td>7</td> <td>PPS (pulse per second)peer | +-----+-------------------------------------------------------------+ ]]></artwork> </figure></t> <t>Peerpeer</td> </tr> </tbody> </table> <dl newline="true" spacing="normal"> <dt>Peer Event Counter(Count): This(Count):</dt><dd>This is afour-bit4-bit integer indicating the number of peer exception events that occurred since the last time the peer event code changed. Upon reaching 15, subsequent events with the same code are notcounted.</t> <t>Peercounted.</dd> <dt>Peer Event Code(Code): This(Code):</dt><dd>This is afour-bit4-bit integer identifying the latest peer exception event, with new values overwriting previous values, and coded asfollows:</t> <t><figure> <artwork align="center" name="Peer Event Code"><![CDATA[ +-------+--------------------------------------------------------+ | Peer | | |follows:</dd> </dl> <table anchor="PeerEventCode"> <name>Peer Event| Meaning | |Code| | +-------+--------------------------------------------------------+ | 0 | unspecified | | 1 | association mobilized | | 2 | association demobilized | | 3 | peerValues</name> <thead> <tr> <th>Peer Event Code</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>unspecified</td> </tr> <tr> <td>1</td> <td>association mobilized</td> </tr> <tr> <td>2</td> <td>association demobilized</td> </tr> <tr> <td>3</td> <td>peer unreachable (peer.reach was nonzero nowzero) | | 4 | peerzero)</td> </tr> <tr> <td>4</td> <td>peer reachable (peer.reach was zero nownonzero) | | 5 | associationnonzero)</td> </tr> <tr> <td>5</td> <td>association restarted or timedout | | 6 | noout</td> </tr> <tr> <td>6</td> <td>no reply (only used with one-shot clock setcommand) | | 7 | peercommand)</td> </tr> <tr> <td>7</td> <td>peer rate limit exceeded (kiss code RATEreceived) | | 8 | accessreceived)</td> </tr> <tr> <td>8</td> <td>access denied (kiss code DENYreceived) | | 9 | leapreceived)</td> </tr> <tr> <td>9</td> <td>leap second insertion/deletion at month's end armed| | |by peervote | | 10 | becamevote</td> </tr> <tr> <td>10</td> <td>became system peer(sys.peer) | | 11 | reference(sys.peer)</td> </tr> <tr> <td>11</td> <td>reference clock event (see clock statusword) | | 12 | authentication failed | | 13 | popcornword)</td> </tr> <tr> <td>12</td> <td>authentication failed</td> </tr> <tr> <td>13</td> <td>popcorn spike suppressed by peer clock filterregister | | 14 | enteringregister</td> </tr> <tr> <td>14</td> <td>entering interleavedmode | | 15 | recoveredmode</td> </tr> <tr> <td>15</td> <td>recovered from interleaveerror | +-------+--------------------------------------------------------+ ]]></artwork> </figure></t>error</td> </tr> </tbody> </table> </section> <sectiontitle="Clocknumbered="true" toc="default"> <name>Clock StatusWord ">Word</name> <t>There are two ways a reference clock can be attached toaan NTP servicehost,host: as a dedicated device managed by the operating system and as a synthetic peer managed by NTP. As in the read status command, theassociation identifierAssociation ID is used to identifywhich one,the correct variable for each clock: zero for the system clock and nonzero for a peer clock. Only one system clock is supported by the protocol, although many peer clocks can be supported. A system or peer clock status word appears in the status field of the response to a read clock variables or write clock variables command. This word can be considered to be an extension of the system status word or the peer status word as appropriate. The format of the clock status word is as follows:</t><t>Reserved: An eight-bit<dl newline="true" spacing="normal"> <dt>Reserved:</dt><dd>This is an 8-bit integer that is ignored by requesters and zeroed byresponders.</t> <t>Count: Thisresponders.</dd> <dt>Count:</dt><dd>This is afour-bit4-bit integer indicating the number of clock events that occurred since the last time the clock event code changed. Upon reaching 15, subsequent events with the same code are notcounted.</t> <t>Clockcounted.</dd> <dt>Clock Code(Code): This(Code):</dt><dd>This is afour-bit4-bit integer indicating the current clock status, with values coded asfollows:</t> <t><figure> <artwork align="center" name="Clock Status"><![CDATA[ +--------------+--------------------------------------------------+ | Clock Status | Meaning | +--------------+--------------------------------------------------+ | 0 | clockfollows:</dd> </dl> <table anchor="ClockStatus"> <name>Clock Code Values</name> <thead> <tr> <th>Clock Status</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>clock operating withinnominals | | 1 | reply timeout | | 2 | badnominals</td> </tr> <tr> <td>1</td> <td>reply timeout</td> </tr> <tr> <td>2</td> <td>bad replyformat | | 3 | hardwareformat</td> </tr> <tr> <td>3</td> <td>hardware or softwarefault | | 4 | propagation failure | | 5 | badfault</td> </tr> <tr> <td>4</td> <td>propagation failure</td> </tr> <tr> <td>5</td> <td>bad date format orvalue | | 6 | badvalue</td> </tr> <tr> <td>6</td> <td>bad time format orvalue | | 7-15 | reserved | +--------------+--------------------------------------------------+ ]]></artwork> </figure></t>value</td> </tr> <tr> <td>7-15</td> <td>reserved</td> </tr> </tbody> </table> </section> <sectiontitle="Errornumbered="true" toc="default"> <name>Error StatusWord">Word</name> <t>An error status word is returned in the status field of an error response as the result of invalid message format or contents. Its presence is indicated when the E (error) bit is set along with the response (R) bit in the response. It consists of aneight-bit8-bit integer coded as follows:</t><t><figure> <artwork align="center" name="Error Status"><![CDATA[ +--------------+--------------------------------------------------+ | Error<table anchor="ErrorStatus"> <name>Error Status| Meaning | +--------------+--------------------------------------------------+ | 0 | unspecified | | 1 | authentication failure | | 2 | invalidWord Codes</name> <thead> <tr> <th>Error Status</th> <th>Meaning</th> </tr> </thead> <tbody> <tr> <td>0</td> <td>unspecified</td> </tr> <tr> <td>1</td> <td>authentication failure</td> </tr> <tr> <td>2</td> <td>invalid message length orformat | | 3 | invalid opcode | | 4 | unknown association identifier | | 5 | unknownformat</td> </tr> <tr> <td>3</td> <td>invalid opcode</td> </tr> <tr> <td>4</td> <td>unknown Association ID</td> </tr> <tr> <td>5</td> <td>unknown variablename | | 6 | invalidname</td> </tr> <tr> <td>6</td> <td>invalid variablevalue | | 7 | administratively prohibited | | 8-255 | reserved | +--------------+--------------------------------------------------+ ]]></artwork> </figure></t>value</td> </tr> <tr> <td>7</td> <td>administratively prohibited</td> </tr> <tr> <td>8-255</td> <td>reserved</td> </tr> </tbody> </table> </section> </section> <sectiontitle="Commands">anchor="commands" numbered="true" toc="default"> <name>Commands</name> <t>Commands consist of the header and optional data field shown in <xref target="M6Hdr"/>.format="default"/>. When present, the data field contains a list of identifiers or assignments in the form <<identifier>>[=<<value>>],<<identifier>>[=<<value>>],... where <<identifier>> is the ASCII name of a system or peer variable such as the ones specified in RFC 5905 and <<value>> is expressed as a decimal,hexadecimalhexadecimal, or string constant in the syntax of the C programming language. Where no ambiguity exists, the "sys." or "peer." prefixes can be suppressed.WhitespaceSpace characters (ASCII nonprinting format effectors) can be added to improve readability for simple monitoring programs that do not reformat the data field.Internet addressesRepresentations of note arerepresentedasfollows:follows:</t> <ul><li> IPv4 internet addresses are written in the form [n.n.n.n], where n is in decimal notation and the brackets areoptional; IPv6optional</li> <li>IPv6 internet addresses are formulated based on the guidelines defined in <xref target="RFC5952"/>. Timestamps, includingformat="default"/>.</li> <li>Timestamps (including reference, originate,receivereceive, and transmitvalues, as well asvalues) and the logicalclock,clock are represented in units of seconds and fractions, preferably in hexadecimalnotation. Delay,notation.</li> <li>Delay, offset,dispersiondispersion, and distance values are represented in units of milliseconds and fractions, preferably in decimalnotation. Allnotation.</li> <li>All other values are representedas-is,as is, preferably in decimalnotation.</t>notation.</li> </ul> <t>Implementations may define variables other than those described in RFC5905. Called extramural variables,5905; called "extramural variables", these are distinguished by the inclusion of some character type other than alphanumeric or "." in the name. For those commands that return a list of assignments in the response data field, if the command data field is empty, it is expected that all available variables defined in RFC 5905 will be included in the response. For the read commands, if the command data field is nonempty, an implementation may choose to process this field to individually select which variables are to be returned.</t> <t>Commands are interpreted as follows:</t><t>Read<dl newline="true" spacing="normal"> <dt>Read Status(1): The(1):</dt><dd>The command data field is empty or contains a list of identifiers separated by commas. The command operates in two ways depending on the value of theassociation identifier.Association ID. If this identifier is nonzero, the response includes the peer identifier and status word. Optionally, the response data field may contain other information, such as described in the Read Variables command. If the association identifier is zero, the response includes the system identifier (0) and statusword, whileword; the data field contains a list of binary-coded pairs<<association identifier>><<Association ID>> <<status word>>, one for each currently definedassociation.</t> <t>Readassociation.</dd> <dt>Read Variables(2): The(2):</dt><dd>The command data field is empty or contains a list of identifiers separated by commas. If theassociation identifierAssociation ID is nonzero, the response includes the requested peer identifier and statusword, whileword; the data field contains a list of peer variables and values as described above. If theassociation identifierAssociation ID is zero, the data field contains a list of system variables. If a peer has been selected as the synchronization source, the response includes the peer identifier and status word; otherwise, the response includes the system identifier (0) and statusword.</t> <t>Writeword.</dd> <dt>Write Variables(3): The(3):</dt><dd>The command data field contains a list of assignments as described above. The variables are updated as indicated. The response is as described for the Read Variablescommand.</t> <t>Readcommand.</dd> <dt>Read Clock Variables(4): The(4):</dt><dd>The command data field is empty or contains a list of identifiers separated by commas. Theassociation identifierAssociation ID selects the system clock variables or peer clock variables in the same way as in the Read Variables command. The response includes the requested clock identifier and statusword andword; the data field contains a list of clock variables and values, including the last timecode message received from theclock.</t> <t>Writeclock.</dd> <dt>Write Clock Variables(5): The(5):</dt><dd>The command data field contains a list of assignments as described above. The clock variables are updated as indicated. The response is as described for theRead Clock Variables command.</t> <t>Setread clock variables command.</dd> <dt>Set Trap Address/Port(6): The(6):</dt><dd>The commandassociation identifier, statusAssociation ID, status, and data fields are ignored. The address and port number for subsequent trap messages are taken from the source address and port of the control message itself. The initial trap counter for trap response messages is taken from the sequence field of the command. The response association identifier,statusstatus, and data fields are not significant. Implementations should includesanitylogical timeoutswhichthat prevent trap transmissions if the monitoring program does not renew this information after a lengthyinterval.</t> <t>Trapinterval.</dd> <dt>Trap Response(7): This(7):</dt><dd>This message is sent when a system,peerpeer, or clock exception event occurs. The opcode field is 7 and the R bit is set. The trap counter is incremented by one for each trap sent and the sequence field set to that value. The trap message is sent using the IP address and port fields established by the set trap address/port command. If a systemtraptrap, theassociation identifierAssociation ID field is set to zero and the status field contains the system status word. If a peertraptrap, theassociation identifierAssociation ID field is set to that peer and the status field contains the peer status word. Optional ASCII-coded information can be included in the datafield.</t> <t>Configure (8): Thefield.</dd> <dt>Configure (8):</dt><dd>The command data is parsed and applied as if supplied in the daemon configurationfile.</t> <t>Savefile.</dd> <dt>Save Configuration(9): Write(9):</dt><dd>Writes a snapshot of the current configuration to the file name supplied as the command data. Further, the command is refused unless a directory in which to store the resulting files has been explicitly configured by theoperator.</t> <t>Readoperator.</dd> <dt>Read Most Recently Used (MRU) list(10): Retrieves(10):</dt><dd>Retrieves records of recently seen remote addresses and associated statistics. This command supports all of the state variables defined inSection 9 of<xref target="RFC5905"/>.sectionFormat="of" section="9"/>. Command data consists of name=value pairs controlling the selection of records, as well as a requestor-specific nonce previously retrieved using this command or opcode12, Request Nonce.12 (Request Nonce). The response consists of name=value pairs where some names can appear multiple times using a dot followed by a zero-based index to distinguishthem,them and to associate elements of the same record with the same index. A new nonce is provided with each successfulresponse.</t> <t>Readresponse.</dd> <dt>Read ordered list(11): Retrieves(11):</dt><dd>Retrieves a list ordered by IP address (IPv4 information precedes IPv6 information). If the command data is empty or is the seven characters "ifstats", the associated statistics,statusstatus, and counters for each local address are returned. If the command data is the characters"addr_restrictions""addr_restrictions", then the set of IPv4 remote address restrictions followed by the set of IPv6 remote address restrictions (access control lists) are returned. Other command data returns error code 5 (unknown variable name). Similar to Read MRU, response information uses zero-based indexes as part of the variable name preceding the equals sign and value, where each index relates information for a single address or network. This opcode requiresauthentication.</t> <t>Requestauthentication.</dd> <dt>Request Nonce(12): Retrieves(12):</dt><dd>Retrieves a 96-bit nonce specific to the requesting remote address, which is valid for a limited period. Command data is not used in the request. The nonce consists of a 64-bit NTP timestamp and 32 bits of hash derived from that timestamp, the remote address, and salt known only to theserverserver, which varies between daemon runs. Inclusion of the nonce by a management agent demonstrates to the server that the agent can receive datagrams sent to the source address of the request, making source address "spoofing" more difficult in a similar way as TCP's three-wayhandshake.</t> <t>Unsethandshake.</dd> <dt>Unset Trap(31): Removes(31):</dt><dd>Removes the requesting remote address and port from the list of trap receivers. Command data is not used in the request. If the address and port are not in the list of trap receivers, the error code is4, bad association.</t>4 (bad association).</dd> </dl> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>This documentmakeshas norequest of IANA.</t> <t>Note to RFC Editor: this section may be removed on publication as an RFC.</t>IANA actions.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>A number of security vulnerabilities have been identified with these control messages.</t> <t>NTP's control query interface allows reading and writing of system, peer, and clock variables remotely from arbitrary IP addresses using commands mentioned inSection 4. Traditionally, overwriting<xref target="commands"/>. Overwriting these variables, but not reading them, requires authentication by default. However, this document argues that an NTP host must authenticate all control queries and not just ones that overwrite these variables. Alternatively, the host can use an access control list to explicitly list IP addresses that are allowed to control query the clients. These access controls are required for the followingreasons:<list style="symbols"> <t>NTPreasons:</t> <dl newline="true" spacing="normal"> <dt>NTP as a Distributed Denial-of-Service (DDoS)vector. NTPvector:</dt><dd>NTP timing query and response packets (modes 1-2, 3-4, and 5) are usually short in size. However, some NTP control queries generate a very long packet in response to a short query. As such, there is a history of use of NTP's control queries, which exhibit such behavior, to performDDoSDoS attacks. These off-path attacks exploit the large size of NTP control queries to cause UDP-based amplification attacks (e.g., mode 7 monlist command generates a very long packet in response to a small query <xref target="CVE-DOS"/>).format="default"/>). These attacks only use NTP as a vector for DoS attacks on other protocols, but do not affect the time service on the NTP host itself. To limit the sources of these malicious commands, NTP server operators are recommended to deploy ingress filtering <xref target="RFC3704"/>.</t> <t>Time-shiftingformat="default"/>.</dd> <dt>Time-shifting attacks through informationleakage/overwriting. NTPleakage/overwriting:</dt><dd>NTP hosts save important system and peer state variables. An off-path attacker who can read these variables remotely can leverage the information leaked by these control queries to perform time-shifting andDoSDDoS attacks on NTP clients. These attacks do affect time synchronization on the NTP hosts. Forinstance,<list style="symbols"> <t>Ininstance:</dd> </dl> <ul spacing="normal"> <li>In the client/server mode, the client stores its local time when it sends the query to the server in its xmt peer variable. This variable is used to perform TEST2 to non-cryptographically authenticate theserver, i.e.,server (i.e., if the origin timestamp field in the corresponding server response packet matches the xmt peer variable, then the client accepts thepacket.packet). An off-pathattacker,attacker with the ability to read this variable can easily spoof server response packets for the client, which will passTEST2,TEST2 and can deny service or shift time on the NTP client. The specific attack is described in <xref target="CVE-SPOOF"/>.</t> <t>Theformat="default"/>.</li> <li>The client also stores its local time when the server response is received in its rec peer variable. This variable is used for authentication in interleaved-pivot mode. An off-path attacker with the ability to read this state variable can easily shift time on the client by passing this test. This attack is described in <xref target="CVE-SHIFT"/>.</t> </list></t> <t>Fast-Scanning. NTPformat="default"/>.</li> </ul> <dl newline="true" spacing="normal"> <dt>Fast-Scanning:</dt><dd>NTP mode 6 control messages are usually small UDP packets. Fast-scanning tools like ZMap can be used to spray the entire (potentially reachable) Internet with these messages within hours to identify vulnerable hosts. To make things worse, these attacks can be extremely low-rate, only requiring a control query for reconnaissance and a spoofed response to shift time on vulnerableclients.</t> <t>Theclients.</dd> <dt>The mode 6 and 7 messages are vulnerable to replay attacks <xref target="CVE-Replay"/>.format="default"/>:</dt><dd> If an attacker observes mode 6/7 packets that modify the configuration of the server in any way, the attacker can apply the same change at any time latersimplyby simply sending the packets to the server again. The use of the nonce (Request Nonce command) provides limited protection against replayattacks.</t> </list></t>attacks.</dd> </dl> <t>NTP best practices recommend configuring NTP with the no-query parameter. The no-query parameter blocks access to all remote control queries. However, sometimes the hosts do not want to block all queries and want to give access for certain control queries remotely. This could be for the purpose of remote management and configuration of the hosts in certain scenarios. Such hosts tend to use firewalls or other middleboxes to blacklist certain queries within the network.</t> <t>Significantly fewer hosts respond to mode 7 monlist queries as compared to other control queries because it is a well-known and exploited control query. These queries are likely blocked using blacklists on firewalls and middleboxes rather than the no-query option on NTP hosts. The remaining control queries that can be exploited likely remain out of the blacklist because they are undocumented in the current NTP specification <xref target="RFC5905"/>.</t>format="default"/>.</t> <t>This document describes all of the mode 6 control queries allowed by NTP and can help administrators make informed decisions on security measures to protect NTP devices from harmful queries and likely make those systems less vulnerable. The use of the legacy mode 6 interface isNOT RECOMMENDED.Regardless<bcp14>NOT RECOMMENDED</bcp14>. Regardless of which mode 6 commands an administrator may elect to allow, remote access to this facility needs to be protected from unauthorized access (e.g., strictACLs).Access Control Lists (ACLs)). Additionally, the legacy interface for mode 6 commandsSHOULD NOT<bcp14>SHOULD NOT</bcp14> be utilized in new deployments or implementation of NTP.</t> </section><section title="Contributors"> <t>Dr. David Mills specified the vast majority of the mode 6 commands during the development of RFC 1305 <xref target="RFC1305" /> and deserves the credit for their existence and use.</t> </section> <section anchor="Acknowledgements" title="Acknowledgements"> <t>Tim Plunkett created the original version of this document. Aanchal Malhotra provided the initial version of the Security Considerations section.</t> <t>Karen O'Donoghue, David Hart, Harlan Stenn, and Philip Chimento deserve credit for portions of this document due to their earlier efforts to document these commands.</t> <t>Miroshav Lichvar, Ulrich Windl, Dieter Sibold, J Ignacio Alvarez-Hamelin, and Alex Campbell provided valuable comments on various versions of this document.</t> </section></middle> <back><references title="Normative References"> <?rfc include="reference.RFC.1305"?> <?rfc include="reference.RFC.5905"?> <?rfc include="reference.RFC.5952"?> <?rfc include="reference.RFC.3704"?><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.1305.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5905.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5952.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3704.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> </references><references title="Informative References"> <?rfc include="reference.RFC.0791"?> <?rfc include="reference.RFC.2460"?><references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.0791.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8200.xml"/> <referenceanchor="CVE-SHIFT">anchor="CVE-SHIFT" target="https://nvd.nist.gov/vuln/detail/CVE-2016-1548"> <front><title>CVE-2016-1548, https://nvd.nist.gov/vuln/detail/CVE-2016-1548</title><title>CVE-2016-1548 Detail</title> <author> <organization>NIST National Vulnerability Database</organization> </author> <date month="January" year="2017"day="06" />day="06"/> </front> </reference> <referenceanchor="CVE-SPOOF">anchor="CVE-SPOOF" target="https://nvd.nist.gov/vuln/detail/CVE-2015-8139"> <front><title>CVE-2015-8139, https://nvd.nist.gov/vuln/detail/CVE-2015-8139</title><title>CVE-2015-8139 Detail</title> <author> <organization>NIST National Vulnerability Database</organization> </author> <date month="January" year="2017"day="30" />day="30"/> </front> </reference> <referenceanchor="CVE-Replay">anchor="CVE-Replay" target="https://nvd.nist.gov/vuln/detail/CVE-2015-8140"> <front><title>CVE-2015-8140, https://nvd.nist.gov/vuln/detail/CVE-2015-8140</title><title>CVE-2015-8140 Detail</title> <author> <organization>NIST National Vulnerability Database</organization> </author> <date month="January" year="2015"day="30" />day="30"/> </front> </reference> <referenceanchor="CVE-DOS">anchor="CVE-DOS" target="https://nvd.nist.gov/vuln/detail/CVE-2013-5211"> <front><title>CVE-2013-5211, https://nvd.nist.gov/vuln/detail/CVE-2013-5211</title><title>CVE-2013-5211 Detail</title> <author> <organization>NIST National Vulnerability Database</organization> </author> <date month="January" year="2014"day="02" />day="02"/> </front> </reference> </references> </references> <section anchor="mode7"title="NTPnumbered="true" toc="default"> <name>NTP Remote Facility MessageFormat">Format</name> <t>The format of the NTP Remote Facility Message header, which immediately follows the UDP header, is shown in <xref target="M7Hdr"/>. Following is aformat="default"/>. A description of itsfields.fields follows <xref target="M7Hdr" format="default"/>. Bit positions marked as zero are reserved and should always be transmitted as zero.</t> <figureanchor="M7Hdr" title="NTPanchor="M7Hdr"> <name>NTP Remote Facility MessageHeader">Header</name> <artworkalign="center"><![CDATA[align="center" name="" type="" alt=""><![CDATA[ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |R|M| VN |Mode |A| Sequence | Implementation| Req Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Err | Count | MBZ | Size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / Data (up to 500 bytes) / | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encryption KeyID (when A bit set) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | / Message Authentication Code (when A bit set) / | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ]]></artwork>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork> </figure><t>Response<dl newline="true" spacing="normal"> <dt>Response Bit(R) : Set(R):</dt><dd>Set to 0 if the packet is a request. Set to 1 if the packet is aresponse.</t> <t>Moreresponse.</dd> <dt>More Bit(M) : Set(M):</dt><dd>Set to 0 if this is the last packet in aresponse, otherwiseresponse; otherwise, set to 1 in responses requiring more than onepacket.</t> <t>Versionpacket.</dd> <dt>Version Number(VN) : Set(VN):</dt><dd>Set to the version number of the NTPdaemon.</t> <t>Mode : Setdaemon.</dd> <dt>Mode:</dt><dd>Set to 7 for Remote Facilitymessages.</t> <t>Authenticatedmessages.</dd> <dt>Authenticated Bit(A) : If(A):</dt><dd>If set to 1, this packet contains authenticationinformation.</t> <t>Sequence : Forinformation.</dd> <dt>Sequence:</dt><dd>For a multi-packet response, this field contains the sequence number of this packet. Packets in a multi-packet response are numbered starting with 0. The More Bit is set to 1 for all packets but thelast.</t> <t>Implementation : Thelast.</dd> <dt>Implementation:</dt><dd>The version number of the implementation that defined the request code used in this message. An implementation number of 0 is used for aRequest Coderequest code supported by all versions of the NTP daemon. The value 255 is reserved for futureextensions.</t> <t>Requestextensions.</dd> <dt>Request Code (ReqCode) : AnCode):</dt><dd>An implementation-specific codewhichthat specifies the operation being requested. ARequest Coderequest code definition includes the format and semantics of the data included in thepacket.</t> <t>Error (Err) : Setpacket.</dd> <dt>Error (Err):</dt><dd><t>Set to 0 for a request. For a response, this field contains an error code relating to the request. If the Error isnon-zero,nonzero, the operation requested wasn'tperformed. <list style="empty"> <t>0 - no error</t> <t>1 - incompatibleperformed.</t> <dl newline="false" spacing="normal"> <dt>0:</dt><dd>no error</dd> <dt>1:</dt><dd>incompatible implementationnumber</t> <t>2 - unimplementednumber</dd> <dt>2:</dt><dd>unimplemented requestcode</t> <t>3 - format error</t> <t>4 - no data available</t> <t>7 - authentication failure</t> </list></t> <t>Count : Thecode</dd> <dt>3:</dt><dd>format error</dd> <dt>4:</dt><dd>no data available</dd> <dt>7:</dt><dd>authentication failure</dd> </dl> </dd> </dl> <dl newline="true" spacing="normal"> <dt>Count:</dt><dd>The number of data items in the packet. Range is 0 to500.</t> <t>Must500.</dd> <dt>Must Be Zero(MBZ) : A(MBZ):</dt><dd>A reserved field set to 0 in requests andresponses.</t> <t>Size : Theresponses.</dd> <dt>Size:</dt><dd>The size of each data item in the packet. Range is 0 to500.</t> <t>Data : A500.</dd> <dt>Data:</dt><dd>A variable-sized field containing request/response data. For requests and responses, the size in octets must be greater than or equal to the product of the number of data items (Count) and the size of a data item (Size). For requests, the data area is exactly 40 octets in length. For responses, the data area will range from 0 to 500 octets,inclusive.</t> <t>Encryption KeyID : Ainclusive.</dd> <dt>Encryption KeyID:</dt><dd>A 32-bit unsigned integer used to designate the key used for the Message Authentication Code. This field is included only when the A bit is set to1.</t> <t>Message1.</dd> <dt>Message AuthenticationCode : AnCode:</dt><dd>An optional Message Authentication Code defined by the version of the NTP daemon indicated in the Implementation field. This field is included only when the A bit is set to1.</t>1.</dd> </dl> </section> <section anchor="Acknowledgements" numbered="false" toc="default"> <name>Acknowledgements</name> <t><contact fullname="Tim Plunkett"/> created the original version of this document. <contact fullname="Aanchal Malhotra"/> provided the initial version of the Security Considerations section.</t> <t><contact fullname="Karen O'Donoghue"/>, <contact fullname="David Hart"/>, <contact fullname="Harlan Stenn"/>, and <contact fullname="Philip Chimento"/> deserve credit for portions of this document due to their earlier efforts to document these commands.</t> <t><contact fullname="Miroshav Lichvar"/>, <contact fullname="Ulrich Windl"/>, <contact fullname="Dieter Sibold"/>, <contact fullname="J Ignacio Alvarez-Hamelin"/>, and <contact fullname="Alex Campbell"/> provided valuable comments on various draft versions of this document.</t> </section> <section numbered="false" toc="default"> <name>Contributors</name> <t>Dr. <contact fullname="David Mills"/> specified the vast majority of the mode 6 commands during the development of <xref target="RFC1305" format="default"/> and deserves the credit for their existence and use.</t> </section> </back> </rfc>