13c13
< .TH ntp.conf 5 "07 Jan 2016" "4.2.8p5" "File Formats"
---
> .TH ntp.conf 5 "20 Jan 2016" "4.2.8p6" "File Formats"
15c15
< .\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-8qayqp/ag-Vraqpp)
---
> .\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-gsaOxR/ag-XsaGwR)
17c17
< .\" It has been AutoGen-ed January 7, 2016 at 11:30:35 PM by AutoGen 5.18.5
---
> .\" It has been AutoGen-ed January 20, 2016 at 04:17:45 AM by AutoGen 5.18.5
2576c2576
< .NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
---
> .NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
2578c2578
< .NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
---
> .NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
2657a2658,2721
> .TP 7
> .NOP \f\*[B-Font]unpeer_crypto_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives an autokey packet that fails TEST9,
> a crypto failure,
> the association is immediately cleared.
> This is almost certainly a feature,
> but if, in spite of the current recommendation of not using autokey,
> you are
> .B still
> using autokey
> .B and
> you are seeing this sort of DoS attack
> disabling this flag will delay
> tearing down the association until the reachability counter
> becomes zero.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
> .TP 7
> .NOP \f\*[B-Font]unpeer_crypto_nak_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives a crypto-NAK packet that
> passes the duplicate packet and origin timestamp checks
> the association is immediately cleared.
> While this is generally a feature
> as it allows for quick recovery if a server key has changed,
> a properly forged and appropriately delivered crypto-NAK packet
> can be used in a DoS attack.
> If you have active noticable problems with this type of DoS attack
> then you should consider
> disabling this option.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
> .TP 7
> .NOP \f\*[B-Font]unpeer_digest_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives what should be an authenticated packet
> that passes other packet sanity checks but
> contains an invalid digest
> the association is immediately cleared.
> While this is generally a feature
> as it allows for quick recovery,
> if this type of packet is carefully forged and sent
> during an appropriate window it can be used for a DoS attack.
> If you have active noticable problems with this type of DoS attack
> then you should consider
> disabling this option.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
3030c3094
< Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
---
> Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.
< .TH ntp.conf 5 "07 Jan 2016" "4.2.8p5" "File Formats"
---
> .TH ntp.conf 5 "20 Jan 2016" "4.2.8p6" "File Formats"
15c15
< .\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-8qayqp/ag-Vraqpp)
---
> .\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-gsaOxR/ag-XsaGwR)
17c17
< .\" It has been AutoGen-ed January 7, 2016 at 11:30:35 PM by AutoGen 5.18.5
---
> .\" It has been AutoGen-ed January 20, 2016 at 04:17:45 AM by AutoGen 5.18.5
2576c2576
< .NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
---
> .NOP \f\*[B-Font]enable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
2578c2578
< .NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[]]
---
> .NOP \f\*[B-Font]disable\f[] [\f\*[B-Font]auth\f[] | \f\*[B-Font]bclient\f[] | \f\*[B-Font]calibrate\f[] | \f\*[B-Font]kernel\f[] | \f\*[B-Font]mode7\f[] | \f\*[B-Font]monitor\f[] | \f\*[B-Font]ntp\f[] | \f\*[B-Font]stats\f[] | \f\*[B-Font]unpeer_crypto_early\f[] | \f\*[B-Font]unpeer_crypto_nak_early\f[] | \f\*[B-Font]unpeer_digest_early\f[]]
2657a2658,2721
> .TP 7
> .NOP \f\*[B-Font]unpeer_crypto_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives an autokey packet that fails TEST9,
> a crypto failure,
> the association is immediately cleared.
> This is almost certainly a feature,
> but if, in spite of the current recommendation of not using autokey,
> you are
> .B still
> using autokey
> .B and
> you are seeing this sort of DoS attack
> disabling this flag will delay
> tearing down the association until the reachability counter
> becomes zero.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
> .TP 7
> .NOP \f\*[B-Font]unpeer_crypto_nak_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives a crypto-NAK packet that
> passes the duplicate packet and origin timestamp checks
> the association is immediately cleared.
> While this is generally a feature
> as it allows for quick recovery if a server key has changed,
> a properly forged and appropriately delivered crypto-NAK packet
> can be used in a DoS attack.
> If you have active noticable problems with this type of DoS attack
> then you should consider
> disabling this option.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
> .TP 7
> .NOP \f\*[B-Font]unpeer_digest_early\f[]
> By default, if
> \fCntpd\f[]\fR(@NTPD_MS@)\f[]
> receives what should be an authenticated packet
> that passes other packet sanity checks but
> contains an invalid digest
> the association is immediately cleared.
> While this is generally a feature
> as it allows for quick recovery,
> if this type of packet is carefully forged and sent
> during an appropriate window it can be used for a DoS attack.
> If you have active noticable problems with this type of DoS attack
> then you should consider
> disabling this option.
> You can check your
> \f\*[B-Font]peerstats\f[]
> file for evidence of any of these attacks.
> The
> default for this flag is
> \f\*[B-Font]enable\f[].
3030c3094
< Copyright (C) 1992-2015 The University of Delaware and Network Time Foundation all rights reserved.
---
> Copyright (C) 1992-2016 The University of Delaware and Network Time Foundation all rights reserved.