NTP Broadcast Mode

It is important to keep in mind that NTP broadcast mode usually yields less accuracy than the standard client/server mode.

Normally an NTP client sends a request packets to a server, and the server sends a reply packet back to the client. This allows the client to estimate and thus compensate the network delay for each individual packet exchange. See also Time Synchronization Accuracy With NTP. In broadcast mode the client doesn't know how long a packet has been traveling on the network before the packet was received, so the propagation delay can't be compensated reliably, and thus the resulting accuracy is usually worse than with a standard client/server setup.

Please note authentication is required by default for broadcast mode in order to prevent broadcast clients from accepting NTP broadcasts from unauthenticated sources on the network. Otherwise clients might accept broadcast packets from any device on the network which sends NTP broadcasts intentionally or unintentionally, and set their system time wrong. Usually symmetric key authentication is used with broadcast mode.

ntpd in the role of a server doesn't send broadcast NTP packets by default. If NTP broadcasts are to be enabled anyway then for each subnet which is to receive NTP broadcast packets a broadcast directive has to be added to the ntp.conf file. The following lines let ntpd send out unauthenticated broadcast packets into 2 different subnets. Of course the IP addresses used here are only examples, and have to be replaced by the real broadcast addresses of the existing network:

broadcast 172.16.255.255 minpoll 6 maxpoll 6
broadcast 192.168.1.255 minpoll 6 maxpoll 6 ttl 4

As shown for the 192.168.1.255 address a ttl (Time To Live) value can optionally be specified if the target network is behind one or more routers. Since broadcast packets are usually not forwarded by routers, the routers may need to be specifically configured to do this, or multicast may have to be used instead of broadcast.

The configuration above is sufficient for 3rd party SNTP clients on the subnets which just expect to receive unauthenticated NTP broadcast packets, but ntpd in the role of a broadcast client wouldn't accept such unauthenticated packets by default. Instead, symmetric key authentication can be configured, and either the same key can be used for all subnets, or different keys can be used for different subnets as in the example below:

broadcast 172.16.255.255 minpoll 6 maxpoll 6 key 1
broadcast 192.168.1.255 minpoll 6 maxpoll 6 key 3 ttl 4

keys /etc/ntp.keys    # path to symmetric keys file
trustedkey 1 3        # define trusted keys

Here the specified path to the ntp.keys file is for Unix systems. As usual for symmetric keys, the keys file can contain several keys with different index numbers, and different keys/index numbers can be used for different broadcast networks. Here is the content of an example ntp.keys file with 2 different keys:

1 M I5twlIqb9
3 M fIZxVHlZk

NTP cients which are to receive NTP broadcast packets also need to be explicitely configured as broadcast clients by adding the broadcastclient directive to the ntp.conf file. In addition, authentication has to be configured to match the server's authentication for the particular network. For a Windows client in the 192.168.1.255 broadcast domain running ntpd the ntp.conf file could contain the following lines:

broadcastclient

keys "C:\Program Files\NTP\etc\ntp.keys" # path of symmetric keys file
trustedkey 5

Please note the key index number used on a client doesn't necessarily have to match the key index number on the server, but of course the key type ('M' in this case) and key string ('fIZxVHlZk' in this case) have to match. So if the client's ntp.key file contains the line

5 M fIZxVHlZk

the client key matching the key the server is using for the 192.168.1.255 network has index 5, and hence trustedkey 5 has been specified in the client's ntp.conf file.

If the broadcast server sends only unauthenticated NTP broadcast packets then the requirement for authentication can be disabled on a client by using the following lines in ntp.conf:

broadcastclient
disable auth

However, this setup is not recommended since broadcast packets from any node on the network might be accepted in this case.

— Martin Burnicki 2016-09-06 11:53