No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Device Management

S2720, S5700, and S6720 V200R013C00

This document describes the configurations of Device Management, including device status query, hardware management, Stack, SVF, cloud-based management, PoE, monitoring interface, OPS, energy-saving management, information center, fault management, NTP, synchronous ethernet, PTP.

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
NTP Access Control

NTP Access Control

On a synchronization subnet, timekeeping on other clock servers within the subnet should not be affected by either a faulty time server or a malicious attack. To meet this requirement, NTP provides advanced security mechanisms: access authority, Kiss-o'-Death (KOD) and NTP authentication.

Access Authority

To protect local clocks, devices provide access authority, which is both simple and secure.

NTP access control is implemented based on an access control list (ACL). NTP supports up to five levels of access authority. An ACL rule may be specified for each level of access authority. If an NTP access request matches an ACL rule, a match occurs and the device requesting access is given access authority on that level.

When NTP access requests reach the local end, assuming the access request was successfully matched with an ACL, access authority is matched from the maximum to minimum. The first successfully matched access authority takes effect. This matching order and the access rights of each are as follows:
  1. Peer: This indicates that a time request may be made and a control query may be performed on the local clock. The local clock can also be synchronized to a remote server.

  2. Server: This indicates that a time request may be made and a control query may be performed on the local clock. The local clock cannot be synchronized with the clock of a remote server.

  3. Synchronization: This indicates that time requests may be made of the local clock.

  4. Query: This indicates that control queries may be performed on the local clock.

  5. Limited: When the rate of NTP packets exceeds the upper limit, incoming NTP packets are discarded.


The KOD function can perform access control if enabled on the server. This is useful when a server's loadbearing capabilities are exceeded by receiving a significant number of client access packets within a specified time period. KOD is a modern access control technology implemented in NTPv4. It is used by the server to provide information to the client. Information provided includes status reports and access control.

A KOD packet is a unique variety of NTP packet. The packet is termed a KOD packet when the stratum field in an NTP packet is 0. The ASCII message it conveys is called a kiss code and represents access control information. Two types of kiss codes are supported: DENY and RATE.

With the KOD function enabled on a server, the server sends kiss code DENY or RATE to the client based on configuration. These codes perform the following:

  • When the client receives kiss code DENY, the client terminates all connections to the server and stops sending packets to the server.
  • When the client receives kiss code RATE, the client immediately reduces its polling interval to the server and continues to reduce the interval if receiving subsequent RATE kiss codes.

After the KOD function is enabled, the corresponding ACL rule needs to be configured. With the ACL rule configured to deny, the server sends the DENY kiss code. When the ACL rule is configured as permit and the number of NTP packets received reaches configured upper limits, the server sends the RATE kiss code.


NTP authentication is applicable to the networks requiring high security. Different keys may be configured for different operating modes.

When NTP authentication is enabled in certain NTP operating modes, the system records the key ID in that operating mode. Sending and receiving processes are operating modes in authentication, and are defined as follows:

  • Sending process

    The system determines whether authentication is required in this operating mode. If authentication is not required, the system directly sends a packet. If authentication is required, the system encrypts the packet using both the key ID and an encryption algorithm before sending it.

  • Receiving process

    In this operating mode, the system determines whether the packet needs to be authenticated after receiving that packet. If authentication is not required, the system subsequently processes the packet. If authentication is required, the system authenticates the packet using the key ID and a decryption algorithm. If authentication fails, the system discards the packet. If authentication succeeds, the system processes the received packet.

Updated: 2019-04-20

Document ID: EDOC1100065674

Views: 86993

Downloads: 523

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next