NTP, I'm doing something wrong

Hi,

I have checked the NTP-server in OpenWRT and it's working but I don't understand how. When I use netcat to scan port 123:

# nc -z 192.168.1.1 123;echo $?
1

So I used NMAP to confirm, just in case:

# nmap -p123 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-26 07:55 CET
Nmap scan report for myrouter (192.168.1.1)
Host is up (0.00068s latency).

PORT    STATE  SERVICE
123/tcp closed ntp

Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

Hopped over to the router, clearly no listening port for ipv4.

# netstat -an|grep 123
udp        0      0 :::123                  :::*    

I expected something like this:

tcp        0      0 127.0.0.1:123            0.0.0.0:*               LISTEN

So what do I not understand? And how can I check if an NTP-server is accepting connections?

First, NTP is UDP, not TCP. This explains why some of your tests ended up in no responses.

Next:

I have the same behavior, I haven't noticed a change since version 19 or 20.

On a client: ntpdate -q 192.168.1.1

This works for me, which made me wonder why. The answer is IPv4-mapped IPv6 addresses. See:

root@OpenWrt:~# sysctl net.ipv6.bindv6only
net.ipv6.bindv6only = 0

No, it would be 0.0.0.0:* if IPv4-only

This is a dual stack socket that is listening for udp packets on any address, ipv4 and ipv6. Try netstat -anp | grep 123 and you will see what process services that socket. Like the previous reply says, ntp uses stateless send-it-and-forget-it udp, which makes sense because ntp is a latency sensitive application that doesn't benefit from tcp resending outdated lost packets.


Ahhh.. UDP

That explains a lot. I feel so useless sometimes :smile: I will dive into the RFC next time.

Thanks guys.


But what IP is the NTP server? 192.168.1.1, isn’t that your device (NTP client?)
The client at startup bursts time requests to port 123 of all the servers, finds the best server for the job and locks on to that one for synchronization, and after about 30min goes over to only maintaining the time from the servers.
The client port is normal outgoing internet traffic, so that port isn’t 123, and the port on the client doesn’t matter anyway.

OP enabled/was inquiring about this:

[Screenshot: screen422]

They wanted to know why there was no corresponding IPv4 netstat server (listening) entry. It's because the IPv6 listener entry covers the entire IPv4 space as well.

192.168.1.1 Translation
IPV6 Compressed: ::ffff:c0a8:101
IPV6 Expanded (Shortened): 0:0:0:0:0:ffff:c0a8:0101
IPV6 Expanded: 0000:0000:0000:0000:0000:ffff:c0a8:0101
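Added example, not part of the thread or of OpenWrt's code: it combines the two points made in the replies, a UDP probe that answers the original question of how to check an NTP server, and a listener bound to [::] with IPV6_V6ONLY=0 (mirroring net.ipv6.bindv6only = 0) that receives the IPv4 probe as an IPv4-mapped address. The responder is a constructed stand-in for an NTP daemon, and the function names and the ephemeral port are assumptions.

```python
import socket, struct, threading, time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def make_listener(port=0):
    """UDP listener on [::] with IPV6_V6ONLY=0, like the router's ':::123' entry."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))
    return s

def serve_once(sock, seen):
    """Constructed stand-in for an NTP server: answer one client request."""
    data, peer = sock.recvfrom(512)
    seen.append(peer[0])                  # how the kernel reports the IPv4 client
    now = int(time.time()) + NTP_EPOCH_OFFSET
    # LI=0, VN=4, Mode=4 (server) -> 0x24; stratum 2; transmit timestamp at bytes 40..47
    reply = struct.pack("!BBbb", 0x24, 2, 0, -20) + b"\0" * 36 + struct.pack("!II", now, 0)
    sock.sendto(reply, peer)

def ntp_probe(host, port=123, timeout=2.0):
    """Send an SNTP client packet over IPv4 UDP; return parsed fields or None."""
    req = b"\x23" + b"\0" * 47            # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        try:
            c.sendto(req, (host, port))
            data, _ = c.recvfrom(512)
        except OSError:                   # timeout or ICMP port unreachable
            return None
    if len(data) < 48:
        return None                       # something answered, but not NTP
    secs = struct.unpack("!I", data[40:44])[0]
    return {"mode": data[0] & 0x07, "stratum": data[1],
            "unix_time": secs - NTP_EPOCH_OFFSET}

def demo():
    """Probe the dual-stack listener over IPv4 loopback on an ephemeral port."""
    srv, seen = make_listener(), []
    srv.settimeout(3.0)                   # do not block forever if the probe is lost
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_once, args=(srv, seen))
    t.start()
    result = ntp_probe("127.0.0.1", port)
    t.join()
    srv.close()
    return result, seen

if __name__ == "__main__":
    print(demo())
```

Against a real server, `ntp_probe("192.168.1.1")` returns the parsed reply or `None`, which is the UDP-level check that the TCP scans in the question could not provide.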
