Configuration Guide - Device Management

CloudEngine 12800 and 12800E V200R003C00

This document describes the configurations of Device Management, including device status query, hardware management, Information Center Configuration, NTP, Synchronous Ethernet Configuration, Fault Management Configuration, Energy-Saving Management Configuration, Performance Management Configuration, Maintenance Assistant Configuration, and OPS Configuration.

NTP Access Control


When a time server on a synchronization subnet is faulty or under attack, timekeeping on the other clock servers on the subnet must not be affected. To achieve this, NTP provides three security mechanisms: access authority, Kiss-o'-Death (KOD), and NTP authentication.

Access Authority

Access authority is a relatively simple and secure way for a device to protect its local clock.

NTP access control is implemented using access control lists (ACLs). NTP supports five levels of access authority, and an ACL rule can be specified for each level. If an NTP access request matches the ACL rule for a level, the request is granted the access authority of that level.

When an NTP access request reaches the local end, it is matched against the access authority levels from the highest to the lowest. The first level that matches takes effect. The matching order is as follows:
  1. peer: indicates that a time request may be made for the local clock and a control query may be performed on the local clock. The local clock can also be synchronized to a remote server.

  2. server: indicates that a time request may be made for the local clock and a control query may be performed on the local clock, but the local clock cannot be synchronized with the clock of the remote server.

  3. synchronization: indicates that only a time request can be made for the local clock.

  4. query: indicates that only a control query can be performed on the local clock.

  5. limited: When the rate of NTP packets exceeds the upper limit, the incoming NTP packets are discarded, and a Kiss code is sent if the KOD function is enabled.
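The first-match evaluation described above, as an added Python example (not Huawei's code). It simplifies each level's ACL to a list of permitted source networks; the addresses, the rights names and the function names are constructed for illustration.

```python
import ipaddress

# Matching order from the list above: highest authority first, first match wins.
LEVELS = ["peer", "server", "synchronization", "query", "limited"]

# Operations each level grants, following the descriptions above.
RIGHTS = {
    "peer": {"time_request", "control_query", "sync_to_remote"},
    "server": {"time_request", "control_query"},
    "synchronization": {"time_request"},
    "query": {"control_query"},
    "limited": {"subject_to_rate_limit"},  # handled by rate limiting / KOD
}

# Constructed sample ACLs (assumption: one list of permitted networks per level).
ACLS = {
    "peer": ["10.0.0.1/32"],
    "server": ["10.0.0.0/24"],
    "synchronization": ["10.0.0.0/16"],
    "query": ["10.0.9.0/24"],  # shadowed by the broader synchronization ACL
}

def effective_level(src, acls):
    """Return the first level, in matching order, whose ACL permits src."""
    addr = ipaddress.ip_address(src)
    for level in LEVELS:
        if any(addr in ipaddress.ip_network(net) for net in acls.get(level, [])):
            return level
    return None  # no level matched; the page does not define this case

def allowed(src, operation, acls):
    """True if the level that takes effect for src grants the operation."""
    level = effective_level(src, acls)
    return level is not None and operation in RIGHTS[level]

if __name__ == "__main__":
    for src in ("10.0.0.1", "10.0.0.7", "10.0.9.5", "192.0.2.1"):
        print(src, effective_level(src, ACLS),
              "control_query" if allowed(src, "control_query", ACLS) else "-")
```

The host 10.0.9.5 is listed in the query ACL but never reaches it, because the broader synchronization ACL matches first; overlapping ACLs across levels should be reviewed with the matching order in mind.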


KOD

When a server receives a large number of client access packets within a specified period of time and cannot bear the load, the KOD function can be enabled on the server to perform access control. KOD is an access control technology introduced in NTPv4. The server uses it to provide information, such as a status report and access control, to the client.

A KOD packet is a special NTP packet. When the Stratum field in an NTP packet is 0, the packet is called a KOD packet. The ASCII message it conveys is called a kiss code and represents access control information. Currently, only two types of kiss codes are supported: DENY and RATE.

After the KOD function is enabled on the server, the server sends kiss code DENY or RATE to the client based on the configuration.


After the KOD function is enabled, the corresponding ACL rule needs to be configured. When the ACL rule is configured as deny, the server sends the kiss code DENY. When the ACL rule is configured as permit and the rate of NTP packets received reaches the configured upper limit, the server sends the kiss code RATE.

The following describes how the client responds to receiving packets with the two types of kiss codes:

  • When the client receives kiss code DENY, the client terminates all connections to the server and stops sending packets to the server.
  • When the client receives kiss code RATE, the client immediately reduces its polling interval to the server and continues to reduce the interval each time it receives a RATE kiss code.
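The KOD exchange described above, as an added Python example (not Huawei's code): the server picks a kiss code from the ACL action and packet rate, places it in the Reference ID field of a Stratum 0 packet (RFC 5905 header layout), and the client parses it. Function names, the rate values and the action labels are constructed for illustration.

```python
import struct

def choose_kiss_code(acl_action, pkts_per_sec, rate_limit):
    """Server side, as described above: deny -> DENY; permit at/over limit -> RATE."""
    if acl_action == "deny":
        return "DENY"
    if acl_action == "permit" and pkts_per_sec >= rate_limit:
        return "RATE"
    return None  # answer normally, no kiss code

def build_kod(code, version=4):
    """48-byte server-mode packet: Stratum 0, kiss code in the Reference ID field."""
    li_vn_mode = (3 << 6) | (version << 3) | 4  # LI=3 (unsynchronized), mode 4 (server)
    ref_id = code.encode("ascii").ljust(4, b"\x00")[:4]
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID
    header = struct.pack("!BBbbII4s", li_vn_mode, 0, 0, 0, 0, 0, ref_id)
    return header + bytes(32)  # four 8-byte timestamps, zeroed in this sketch

def parse_kiss(packet):
    """Client side: return the kiss code of a KOD packet, or None for a normal packet."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    if packet[1] != 0:  # byte 1 is Stratum; non-zero means this is not a KOD packet
        return None
    return packet[12:16].rstrip(b"\x00").decode("ascii", errors="replace")

def client_action(code):
    """Map the two supported kiss codes to the client reactions listed above."""
    return {"DENY": "stop_sending", "RATE": "adjust_polling"}.get(code, "no_kod_action")

# Constructed sample: an ordinary stratum-2 server reply (all other fields zeroed).
NORMAL_REPLY = bytes([0x24, 2]) + bytes(46)

if __name__ == "__main__":
    for action, rate in (("deny", 1), ("permit", 120), ("permit", 3)):
        code = choose_kiss_code(action, rate, rate_limit=100)
        reply = build_kod(code) if code else NORMAL_REPLY
        seen = parse_kiss(reply)
        print(action, rate, "->", seen, client_action(seen))
```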


NTP Authentication

The NTP authentication function can be enabled on networks demanding high security. Different keys may be configured in different operating modes.

When a user enables the NTP authentication function in a certain NTP operating mode, the system records the key ID in this operating mode.

  • Sending process

    The system determines whether authentication is required in this operating mode. If authentication is not required, the system directly sends a packet. If authentication is required, the system encrypts the packet using the key ID and an encryption algorithm and sends it.

  • Receiving process

    After receiving a packet, the system determines whether the packet needs to be authenticated. If the packet does not need to be authenticated, the system directly performs subsequent processing on the packet. If the packet needs to be authenticated, the system authenticates the packet using the key ID and a decryption algorithm. If the authentication fails, the system directly discards the packet. If the authentication succeeds, the system processes the received packet.
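The sending and receiving checks above, sketched as an added Python example (not Huawei's code). It assumes authentication is a keyed digest (HMAC-SHA256 here) appended to the packet after a 4-byte key ID; the page does not name the algorithm, and the key table, key ID and function names are hypothetical.

```python
import hashlib
import hmac
import struct

KEYS = {42: b"constructed-shared-secret"}  # key ID -> key (constructed sample)
HEADER_LEN = 48                            # NTP header without extensions
MAC_LEN = hashlib.sha256().digest_size     # 32 bytes for the assumed algorithm

# Constructed sample: a client-mode NTPv4 request with all other fields zeroed.
SAMPLE = bytes([0x23]) + bytes(47)

def send(packet, key_id=None):
    """Sending process: append key ID and digest only if this mode requires it."""
    if key_id is None:
        return packet
    mac = hmac.new(KEYS[key_id], packet, hashlib.sha256).digest()
    return packet + struct.pack("!I", key_id) + mac

def receive(data, auth_required):
    """Receiving process: return the packet to process, or None to discard it."""
    packet, trailer = data[:HEADER_LEN], data[HEADER_LEN:]
    if not auth_required:
        return packet
    if len(trailer) != 4 + MAC_LEN:        # missing or malformed authenticator
        return None
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = KEYS.get(key_id)
    if key is None:                        # key ID not configured locally
        return None
    expected = hmac.new(key, packet, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return packet if hmac.compare_digest(expected, trailer[4:]) else None

if __name__ == "__main__":
    wire = send(SAMPLE, key_id=42)
    tampered = bytes([wire[0] ^ 0x01]) + wire[1:]
    print("valid:", receive(wire, True) is not None)
    print("tampered:", receive(tampered, True) is not None)
    print("unauthenticated:", receive(SAMPLE, True) is not None)
```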

Updated: 2019-05-05

Document ID: EDOC1100004193
