NTP
netverdict models NTP as a deterministic UDP/123 service for lab time-sync scenarios. It tracks configured servers and peers, source selection, stratum, reachability, authentication, access-groups, and show output.
Support level
Section titled “Support level”| Area | Level | Notes |
|---|---|---|
| NTP client/server association | Supported | Clients poll configured servers and track reach/sync state. |
| NTP peer association | Supported | Synchronized peers can serve time to each other. |
| Stratum solver | Supported | Multi-tier stratum cascades and unsynchronized state are modelled. |
| Best source selection | Supported | Lower stratum wins; prefer wins among equal-stratum reachable sources. |
| Source interface | Supported | Per-server source overrides global source interface. |
| Authentication | Behaviour model | Key ID plus deterministic shared-key token gates replies. |
| Access groups | Supported | ACL-backed serve/access checks apply to structured NTP packets. |
| Wire fidelity | Partial | Mode-3/mode-4 request/reply semantics, timestamps, and validation are modelled; no real cryptographic MAC. |
Standards coverage
Section titled “Standards coverage”| Standard | Coverage | Notes |
|---|---|---|
| RFC 5905 | Behaviour model | Client/server and peer synchronization, stratum, timestamps, reachability. |
| Cisco NTP auth/access syntax | Behaviour model | ntp authenticate, keys, trusted keys, access-groups. |
Feature matrix
Section titled “Feature matrix”| Feature | Status | Notes |
|---|---|---|
ntp server <ip> | Supported | Adds a configured source. |
ntp peer <ip> | Supported | Adds a peer association. |
prefer | Supported | Preferred source wins among equal-stratum reachable sources. |
version <1-4> | Supported | Stored/emitted; invalid versions are rejected. |
key <id> | Supported | Selects authentication key for the association. |
source <iface> | Supported | Per-association source interface. |
ntp source <iface> | Supported | Global source interface. |
ntp master <stratum> | Supported | Local master source. |
ntp authenticate | Supported | Enables auth enforcement. |
ntp authentication-key <id> md5 <secret> | Behaviour model | Stable token derived from key material. |
ntp trusted-key <id> | Supported | Marks key as trusted. |
ntp access-group serve <acl> | Supported | ACL-gated service. |
ntp update-calendar | Config-backed | Stored/emitted for config fidelity. |
ntp logging | Config-backed | Stored/emitted for config fidelity. |
| Originate timestamp validation | Supported | Replies must echo the active client transmit timestamp. |
| Invalid sample rejection | Supported | Invalid stratum and negative-delay replies are dropped. |
Vendor command matrix
Section titled “Vendor command matrix”| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
ntp server 10.0.0.1 prefer version 4 key 7 source Gi0/0 | Supported | n/a | Partial | IOS options are stored and emitted. |
ntp peer 10.0.0.1 prefer version 4 key 7 source Gi0/0 | Supported | n/a | n/a | Peer association. |
ntp authenticate | Supported | n/a | Partial | Enables auth behaviour. |
ntp authentication-key 7 md5 SECRET | Supported | n/a | Partial | Shared-key model. |
ntp trusted-key 7 | Supported | n/a | Partial | Trust list. |
ntp access-group serve NTP_SERVE | Supported | n/a | n/a | ACL-gated service. |
set system ntp server 10.0.0.10 version 4 | n/a | Supported | n/a | Junos commit lowers into canonical services. |
set system ntp server 10.0.0.11 prefer | n/a | Supported | n/a | Junos preferred source. |
set system ntp server 10.0.0.1 | n/a | n/a | Supported | VyOS parser/import surface. |
show ntp status | Supported | Supported | Partial | Runtime sync status. |
show ntp associations | Supported | Supported | Partial | Association table. |
Behaviour notes
Section titled “Behaviour notes”NTP polling is event-driven. The simulator does not sleep for wall-clock poll intervals; it schedules deterministic exchanges so shared URLs and tests replay the same way.
Access-groups are evaluated against structured NTP packets. If an ACL denies a
client, reach remains 0 and the client does not synchronize.
Authentication is a behaviour model, not a real RFC MAC. A request carries the configured key ID plus a stable token derived from algorithm and secret; the server replies only when the trusted key material matches.
Examples
Section titled “Examples”Authenticated client and preferred source
configure terminalntp authenticatentp authentication-key 7 md5 SECRETntp trusted-key 7ntp server 10.0.0.1 prefer version 4 key 7 source Gi0/0endshow ntp statusshow ntp associationsVendor styles
IOS-style
ntp authenticatentp authentication-key 7 md5 SECRETntp trusted-key 7ntp server 10.0.0.1 prefer version 4 key 7 source Gi0/0show ntp statusshow ntp associationsJunos-style
set system ntp server 10.0.0.10 version 4set system ntp server 10.0.0.11 prefercommitrun show ntp statusrun show ntp associationsVyOS-style
set system ntp server 10.0.0.10set system ntp server 10.0.0.11 preferServe access-group with local master
configure terminalaccess-list 10 permit 10.0.0.0 0.0.0.255ntp access-group serve 10ntp master 3endshow ntp statusKnown limits
Section titled “Known limits”Real cryptographic MAC calculation, leap-second handling, orphan mode, manycast and broadcast modes, clock discipline PLL/FLL detail, and vendor-specific poll backoff are not modelled.