Re: [chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0


On Thu, May 07, 2026 at 02:35:26PM +0200, Jan Vanhercke wrote:
> On 07/05/2026 13:08, Miroslav Lichvar wrote:
> > On Thu, May 07, 2026 at 11:42:02AM +0200, Jan Vanhercke wrote:
> > > Anyhow the appliances we use expect no authentication to occur. Since we really
> > > wanted to switch to chrony we implemented a patch that reverts to no
> > > authentication when the keyid == 0 to cover this gray zone.
> > To me that sounds like a buggy implementation that should be patched to
> > send well-formatted NTP requests. Have you asked the vendor?
> Not sure if it is a buggy implementation. For me it is a border edge
> situation. When I read the pseudo code of RFC 5905 at the bottom of page 81,
> there seems to be a 'fall-through' to allow processing in case the key id ==
> 0. It's a gray zone in my opinion. The spec always defines the key to be 1
> or higher, but never addresses the expected behaviour when it is 0.

RFC 5905 is not clear on whether the pseudo code in the appendix is
normative and most people seem to not read it that way.

For NTPv3 there is RFC 1305. This spec is not clear on whether a key
ID of zero is allowed in the NTP message either. Looking at the xntpd
source code, it seems to be handled as an unauthenticated packet.
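
[Added example, not part of the original mail and not chrony or xntpd code.] The two readings discussed above differ only in how a MAC carrying key ID 0 is classified before any key lookup. The sketch assumes the 48-byte NTP header is followed directly by a MAC that starts with a 32-bit key ID in network byte order; `zero_is_unauth`, `classify` and `classify_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HEADER_LEN 48u   /* fixed header; no extension fields assumed */
#define MAX_MAC_LEN 64u      /* bound chosen for this example only */
enum auth_state { PKT_INVALID, PKT_UNAUTH, PKT_KEYID_ONLY, PKT_MAC };

/* zero_is_unauth is a hypothetical policy switch, not a chrony option:
   when set, a MAC carrying key ID 0 is handled as no authentication. */
enum auth_state classify(const uint8_t *pkt, size_t len, int zero_is_unauth,
                         uint32_t *key_id)
{
    size_t trailer;
    *key_id = 0;
    if (len < NTP_HEADER_LEN)
        return PKT_INVALID;                 /* truncated header */
    trailer = len - NTP_HEADER_LEN;
    if (trailer == 0)
        return PKT_UNAUTH;                  /* plain packet, nothing to verify */
    if (trailer < 4 || trailer % 4 || trailer > MAX_MAC_LEN)
        return PKT_INVALID;                 /* cannot hold a 32-bit key ID */
    *key_id = (uint32_t)pkt[48] << 24 | (uint32_t)pkt[49] << 16 |
              (uint32_t)pkt[50] << 8 | pkt[51];      /* network byte order */
    if (trailer == 4)
        return PKT_KEYID_ONLY;              /* key ID without a digest */
    if (*key_id == 0 && zero_is_unauth)
        return PKT_UNAUTH;                  /* digest is ignored, never trusted */
    return PKT_MAC;                         /* caller looks up key_id, verifies */
}

/* Build a constructed NTPv3 client packet with the given trailer, classify it. */
enum auth_state classify_sample(size_t mac_len, uint32_t key_id, int zero_is_unauth)
{
    uint8_t pkt[NTP_HEADER_LEN + MAX_MAC_LEN] = {0};
    uint32_t parsed;
    if (mac_len > MAX_MAC_LEN) return PKT_INVALID;
    pkt[0] = 0x1B;                          /* LI=0, VN=3, Mode=3 (client) */
    memset(pkt + NTP_HEADER_LEN, 0xAA, mac_len);     /* constructed digest bytes */
    for (size_t i = 0; i < 4 && i < mac_len; i++)
        pkt[NTP_HEADER_LEN + i] = (uint8_t)(key_id >> (24 - 8 * i));
    return classify(pkt, NTP_HEADER_LEN + mac_len, zero_is_unauth, &parsed);
}

int main(void)
{
    printf("strict=%d lenient=%d\n", (int)classify_sample(20, 0, 0), (int)classify_sample(20, 0, 1));
    return 0;
}
```

With the switch off, a key ID 0 request reaches key lookup and fails there; with it on, the request is answered as if it carried no MAC, so it must not gain any trust an unauthenticated packet would not have.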


