Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

Sergei_Shablovsky

@sergei_shablovsky said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Sentence from official Chrony Docs:

On Linux, chrony supports hardware clocks that some NICs have for PTP. They are called PTP hardware clocks (PHC). They can be used as reference clocks (specified by the refclock directive) and for hardware timestamping of NTP packets (enabled by the hwtimestamp directive) if the NIC can timestamp other packets than PTP, which is usually the case at least for transmitted packets. The ethtool -T command can be used to verify the timestamping support.

I need to add some note about hardware timestamping: no possible to detect correct time correction delta in constantly asymmetrical link.
(For better understanding I will doing that on an example)

Server A make a timestamp (t) and sending packet to Server B
Packet on the road within 30ms
Server B receive packet at time (t+30), make a timestamp and sending reply to Server A
Packet on the road within 70ms (because another route)
Server A receive reply packet with a totally delay (t+30ms+70ms = t+100ms) and Server A make decision that his time need to be corrected on 20ms (100ms / 2 ways - 30ms)

But this is wrong decision (because as You see above one route are 30ms, other route are 70ms).

And no possible at all detecting this by statistics. So, in constantly asymmetrical link, the hardware NIC timestamp also not help to make great correction.

I am not sure is PTP v2 (IEEE-1588-2008) solving this problem?

Sergei_Shablovsky

@johnpoz said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

@sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

**really outdated and vulnerable NTP”” need to be replaced.

What specific vulnerability are you talking about.. Just because NTP has been around long time - does not mean its not been kept up to date for security issues.

One of technics of NTP hacking is described here https://habr.com/ru/companies/ruvds/articles/505938/

(Please use translate.Google.com for reading.)
Only 25mins on Intel Core i5 ;)

RobbieTT

@sergei_shablovsky
Quite a thread resurrection you have there. Regrettably I have become unwilling to click on Russian links.

That said, NTP is easily overlooked as it is a dull topic despite everyone relying on encryption these days.

In my view they called it Network Time Protocol for a reason - primarily it should be on your network, with only redundancy and sanity checks provided by the wider internet.

For years I have had one of these on my LAN:

Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

️

JKnott

@robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

And they're only $639.95!

I'll rely on NTP over the Internet.

stephenw10

@robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

hacky DIY job on a RPi.

But that's the fun part!

RobbieTT

@jknott said

And they're only $639.95!

I'll rely on NTP over the Internet.

Ouch! Mine was 'only' £109 on eBay. When did they become so expensive??

Edit: The last one I purchased was 'just' £100 including expedited delivery, back in 2021:

I guess I should have purchased a boatload of them.

️

RobbieTT

@stephenw10 We are all tinkerers at heart.

Sergei_Shablovsky

@jknott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

@robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

And they're only $639.95!

I'll rely on NTP over the Internet.

For the price like this You able to buy now well-reputable Trimble civil model (see this huge loaded pack for example https://www.ebay.com/itm/155434190550) OR even used MILITARY-grade Trimble set w/ antennas.

Of courses if You need STABILITY.

Sergei_Shablovsky

@robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

@sergei_shablovsky
Quite a thread resurrection you have there. Regrettably I have become unwilling to click on Russian links.

When a write about DANGEROUS of ALL that linked to russia around 3 years ago, here on forum, no one care about this… ;)
But now all see what is russia exactly…

But in case of Habr web resource - this is safe. This is a well reputable forum for Russian-speaking tech geeks with a lot of interesting articles from 2008 prior 2017…

Sergei_Shablovsky

For anyone who “love to play with TIME-server”:

Do You use ntpperf utility to test Your server?

Write back Your appliances and a result in numbers!

Thx!

Sergei_Shablovsky

And again one time: when Netgate implementing modern time-protocols???!

dennypage

@Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

And again one time: when Netgate implementing modern time-protocols???!

NTP is a modern time protocol. The version in pfSense is ntpd 4.2.8, which implements NTP version 4 and is the current version of the standard.

Is ntpd my favorite NTP implementation? No, it isn't. I would strongly prefer Chrony or even NTPsec, but ntpd is certainly adequate for what is needed.

Unfortunately, Chrony is not considered viable due to license incompatibilities. This has been discussed previously. It's a shame really, because Chrony really is very good in all aspects.

NTPsec is viable on a license basis and is in FreeBSD ports. However, to replace ntpd with NTPsec (or Chrony for that matter), you would also require gpsd as well. Moving to NTPsec and gpsd would require significant effort to integrate and then test. If someone wants to put that effort in, I'm sure that the devs would consider a PR if submitted.

PTP would be a complete waste of time for pfSense.

e-1-1

@dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

@Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

And again one time: when Netgate implementing modern time-protocols???!

NTP is a modern time protocol. The version in pfSense is ntpd 4.2.8, which implements NTP version 4 and is the current version of the standard.

Is ntpd my favorite NTP implementation? No, it isn't. I would strongly prefer Chrony or even NTPsec, but ntpd is certainly adequate for what is needed.

Unfortunately, Chrony is not considered viable due to license incompatibilities. This has been discussed previously. It's a shame really, because Chrony really is very good in all aspects.

NTPsec is viable on a license basis and is in FreeBSD ports. However, to replace ntpd with NTPsec (or Chrony for that matter), you would also require gpsd as well. Moving to NTPsec and gpsd would require significant effort to integrate and then test. If someone wants to put that effort in, I'm sure that the devs would consider a PR if submitted.

PTP would be a complete waste of time for pfSense.

Ummm what?! License incompatibilities? So all GPLv2 packages are having their license broken by being already present in pfSense? Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

dennypage

@e-1-1 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Ummm what?! License incompatibilities? So all GPLv2 packages are having their license broken by being already present in pfSense? Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

I believe that Chrony is in FreeBSD ports rather than in FreeBSD release (core).

This was a hotly debated topic 10 years ago. The BSD and pfSense folk took the position that GPL components cannot be safely included in a distribution that is issued under the FreeBSD license. Ditto for the Linux folk when looking at ZFS and CDDL. You may or may not agree with their conclusions, but it is theirs to make. Who knows? Maybe you can get them to change their minds. Give it a go.

I've done a bit of work with Chrony on Linux. Some time back I considered making Chrony available as an add-on replacement package for pfSense, but the barriers to entry were large. And I was only looking at chronyd--I wasn't thinking of including gpsd with its associated headaches.

https://forum.netgate.com/topic/106105/chrony

FWIW, ntimed is truly dead at this point.

Patch

I use Chrony on my Proxmox host as the local time reference with pfsense accessing that only as a client.
I agree it would be much better if pfsense ran chrony as it could then be used as the server for local devices.
Sad to hear licensing issues prevent this.

johnpoz

@Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

if pfsense ran chrony as it could then be used as the server for local devices.

huh? Why can ntp that running on pfsense not be used for clients? chrony can query just normal ntp server.. If you want to use chrony on them. Chrony would be pretty useless if it couldn't query your standard ntp server

Patch

@johnpoz said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Why can ntp that running on pfsense not be used for clients?

In can but it is an inferior time server.
Chrony is a better time server so I use it.

johnpoz

@Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

In can but it is an inferior time server.

ok ;) the standard ntpd keeps pretty accurate time.. I run ntpsec on my ntp server.. Just because I was playing with it one day and set it up on my little gps pi ntp server I run.. few ms is more than accurate enough for me..

Maybe I will look to switching my little pi guy to using chrony ;)

JKnott

@Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

Chrony is a better time server so I use it.

In what way? It can have accuracy comparable to PTP, but only if your source is that accurate. This means you'd need your own stratum 0 source, such as GPS or the cell phone network. IIRC, GPS is supposed to be accurate within 30 nS and the cell network within 1.5 uS. If you're using a source on the Internet, it won't get you much. If you do have your own stratum 0, you might also want to get one of those Facebook atomic clock cards to use with it.

I do understand it has some advantages for devices that are not always connected to the Internet.

PTP is designed for networks where extremely precise timing is necessary, including with SyncE, but other than that, it would be hard to justify worrying about it.

dennypage

Yes, chronyd is a much better time keeper than ntpd. ~1us vs a few tens of us against a local stratum 1. But still, a few 10s of us is pretty damn good. But that kind of precision isn't that important for a firewall.