    Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

    General pfSense Questions
    136 Posts 14 Posters 41.7k Views
    • P
      Patch @dennypage
      last edited by

      I use Chrony on my Proxmox host as the local time reference with pfsense accessing that only as a client.
      I agree it would be much better if pfsense ran chrony as it could then be used as the server for local devices.
      Sad to hear licensing issues prevent this.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Patch
        last edited by

        @Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

        if pfsense ran chrony as it could then be used as the server for local devices.

        huh? Why can the NTP that is running on pfSense not be used for clients? Chrony can query just a normal NTP server, if you want to use chrony on them. Chrony would be pretty useless if it couldn't query your standard NTP server.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • P
          Patch @johnpoz
          last edited by

          @johnpoz said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

          Why can ntp that running on pfsense not be used for clients?

          It can, but it is an inferior time server.
          Chrony is a better time server so I use it.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Patch
            last edited by johnpoz

            @Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

            It can, but it is an inferior time server.

            ok ;) the standard ntpd keeps pretty accurate time.. I run ntpsec on my ntp server.. just because I was playing with it one day and set it up on the little GPS Pi ntp server I run.. a few ms is more than accurate enough for me..

            Maybe I will look to switching my little pi guy to using chrony ;)

            • JKnottJ
              JKnott @Patch
              last edited by JKnott

              @Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

              Chrony is a better time server so I use it.

              In what way? It can have accuracy comparable to PTP, but only if your source is that accurate. This means you'd need your own stratum 0 source, such as GPS or the cell phone network. IIRC, GPS is supposed to be accurate within 30 ns and the cell network within 1.5 µs. If you're using a source on the Internet, it won't get you much. If you do have your own stratum 0, you might also want to get one of those Facebook atomic clock cards to use with it.

              I do understand it has some advantages for devices that are not always connected to the Internet.

              PTP is designed for networks where extremely precise timing is necessary, including with SyncE, but other than that, it would be hard to justify worrying about it.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • dennypageD
                dennypage
                last edited by

                Yes, chronyd is a much better time keeper than ntpd. ~1us vs a few tens of us against a local stratum 1. But still, a few 10s of us is pretty damn good. But that kind of precision isn't that important for a firewall.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @dennypage
                  last edited by

                  @dennypage yeah, was just reading some of the differences between chrony and ntp.. While it does seem like good stuff, I'm with you, a few ms here or there makes little matter to be honest.. But I think I have added something new to look at when I find some time - switching my little pi ntp server over to chrony ;)

                  • JKnottJ
                    JKnott @johnpoz
                    last edited by

                    @johnpoz said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                    switching my little pi ntp server over to chrony ;)

                    Don't forget to add a GPS receiver and Facebook atomic clock card! 😉

                    I first came across precision clocks about 35 years ago, when I worked for a telecom. Back then, the networks used Time Division Multiplexing and everything had to be precisely synced. We used the LORAN C signal as our clock source. However, that was a signal clock only and not time of day.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @JKnott
                      last edited by

                      @JKnott my pi ntp server has gps already.

                      • Sergei_ShablovskyS
                        Sergei_Shablovsky @e-1-1
                        last edited by

                        @e-1-1 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                        Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

                        Because of this I’m asking again and again about Chrony implementation in pfSense.

                        I really think that such a famous and rich company as Netgear has a budget for this.

                        —
                        CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                        Help Ukraine to resist, save civilians people’s lives !
                        (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                        • Sergei_ShablovskyS
                          Sergei_Shablovsky @JKnott
                          last edited by

                          @JKnott

                          Need to note that a GPS receiver with PPS signal, or a GSM receiver with PPS signal, connected directly over local RS-232 (not through an RS-232<~>USB adapter) -> is Stratum 1.

                          Stratum 0 - this is for a locally connected atomic clock. Yeah, some higher-education institutes, financial and military of course in the US already have it. ;)

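For the setup described above (a serial GPS receiver with PPS feeding a host, which then serves the LAN and becomes the stratum 1 server), here is a chrony.conf as an added example; it is not configuration posted by anyone in this thread. It assumes gpsd publishes NMEA time on SHM segment 0, the PPS line appears as /dev/pps0, the LAN is 192.168.1.0/24 (placeholder), and a public NTS-capable server is used as the authenticated Internet fallback.

```conf
# /etc/chrony/chrony.conf - GPS/PPS-disciplined stratum-1 LAN time server
# Added example. Assumed: gpsd -> SHM 0, PPS on /dev/pps0, LAN 192.168.1.0/24 (placeholder).

# NMEA sentences from gpsd are hundreds of ms late and jittery, so they are
# marked noselect: they only label which second each PPS edge belongs to.
refclock SHM 0 refid NMEA offset 0.2 precision 1e-3 poll 3 noselect

# The PPS edge from the directly wired receiver is the real reference
# (lock NMEA pairs each pulse with the NMEA second).
refclock PPS /dev/pps0 refid PPS lock NMEA precision 1e-7 prefer

# Authenticated Internet fallback (NTS over TLS) so a lost GPS fix cannot
# be replaced by an unauthenticated source; also a sanity check on the GPS.
server time.cloudflare.com iburst nts

# Serve only the local network.
allow 192.168.1.0/24

# If every source is lost, keep answering clients at a low stratum
# (orphan mode) instead of going silent.
local stratum 10 orphan

driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
leapsectz right/UTC
logdir /var/log/chrony
log tracking refclocks
```

After a restart, `chronyc sources -v` should show `#* PPS` selected with `#? NMEA` beside it, and `chronyc tracking` should report `Stratum : 1` and `Reference ID : PPS`; `chronyc -N authdata` shows whether the NTS key exchange with the fallback server succeeded.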
                          • Sergei_ShablovskyS
                            Sergei_Shablovsky @JKnott
                            last edited by

                            @JKnott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                            @Patch said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                            Chrony is a better time server so I use it.

                            In what way? It can have accuracy comparable to PTP, but only if your source is that accurate. This means you'd need your own stratum 0 source, such as GPS or the cell phone network. IIRC, GPS is supposed to be accurate within 30 ns and the cell network within 1.5 µs. If you're using a source on the Internet, it won't get you much. If you do have your own stratum 0, you might also want to get one of those Facebook atomic clock cards to use with it.

                            Thank You for the very interesting link. I had heard about it, but now I see the real results, need to dive in …:)

                            I do understand it has some advantages for devices that are not always connected to the Internet.

                            No, this would be more for systems that may suffer from GPS spoofing and jamming (war in Ukraine, war in Israel and a possible next escalation between China and the US, the EU and russia, South and North Korea - all this rapidly involves civil GSM technologies right now …).

                            PTP is designed for networks where extremely precise timing is necessary, including with SyncE, but other than that, it would be hard to justify worrying about it.

                            If I understand all the “time card” docs and specifications, bulky and proprietary rack time servers would be replaced by a tiny 1-CPU server with 2x PSU and this “time card” (and a few antennas from the server room to the rooftop ;)

                            BTW, I cannot read anything about how to resolve radio interference on antennas in a server room… Looks like the developers are focused more on electronics and less on radio/antenna-related things. Am I wrong?

                            • Sergei_ShablovskyS
                              Sergei_Shablovsky @dennypage
                              last edited by

                              @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                              Yes, chronyd is a much better time keeper than ntpd. ~1us vs a few tens of us against a local stratum 1. But still, a few 10s of us is pretty damn good. But that kind of precision isn't that important for a firewall.

                              Hm… Are You sure that chrony is enough for speeds of 10G+ per interface? :)

                              • JKnottJ
                                JKnott @Sergei_Shablovsky
                                last edited by

                                @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                Need to note that a GPS receiver with PPS signal, or a GSM receiver with PPS signal, connected directly over local RS-232 (not through an RS-232<~>USB adapter) -> is Stratum 1.

                                I have wondered about this. While the instantaneous time could be off with USB, NTP averages in the long term. How much is the clock in error after it's been running for a while?

                                Stratum 0 - this is for a locally connected atomic clock. Yeah, some higher-education institutes, financial and military of course in the US already have it. ;)

                                The source, such as GPS, is stratum 0 and the first NTP server is stratum 1. The atomic clock provides stability to the local time.

                                BTW, one thing some people don't seem to understand is NTP is supposed to be traceable to International Atomic Time. A few years ago, I was working on a project for a light rail transit system in Toronto. The spec called for the NTP servers to be connected to the parent company's NTP server, falling back to the GPS receivers should that connection fail. Whoever wrote that clearly had no idea how NTP worked. They should have said to peer or at least be a client of the parent NTP servers, in addition to GPS. Since both the local and parent NTP servers were traceable back to IAT, there should be no significant difference between them.

                                Here's an interesting read about time:
                                From Sundials To Atomic Clocks

                                • JKnottJ
                                  JKnott @Sergei_Shablovsky
                                  last edited by

                                  @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                  If I understand all the “time card” docs and specifications, bulky and proprietary rack time servers would be replaced by a tiny 1-CPU server with 2x PSU and this “time card” (and a few antennas from the server room to the rooftop ;)

                                  BTW, I cannot read anything about how to resolve radio interference on antennas in a server room… Looks like the developers are focused more on electronics and less on radio/antenna-related things. Am I wrong?

                                  I'm not sure what you're getting at, but if that's a concern just put the receiver someplace other than the server room. In fact, GPS might not work at all in a server room simply because the signal is blocked by reinforced concrete.

                                  I had an example of this when I worked at IBM. My office was in the Canadian HQ and the building held about 5000 employees. You could get FM radio reception near the windows, but not if you were well away from them.

                                  • dennypageD
                                    dennypage @Sergei_Shablovsky
                                    last edited by

                                    @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                    Need to note that a GPS receiver with PPS signal, or a GSM receiver with PPS signal, connected directly over local RS-232 (not through an RS-232<~>USB adapter) -> is Stratum 1.

                                    Stratum 0 - this is for a locally connected atomic clock. Yeah, some higher-education institutes, financial and military of course in the US already have it. ;)

                                    • Stratum 0 is any reference clock. It may be an atomic clock, GNSS receiver, WWV receiver, a crystal oscillator from your watch, etc.
                                    • Stratum 1 is the system (host) directly connected to the reference clock offering NTP services.

                                    Yes, you can actually have a USB connected GPS stratum 0 device. They were done as a special project by Eric Raymond, the original author of gpsd. They're rare, but I think you can even still buy one. Good for a few milliseconds. I probably still have one in a box somewhere, along with several others of my early stratum 0 devices. 😨

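To make the stratum and reference-ID fields discussed above concrete, here is an added example (not code from this thread, nor from ntpd, chrony or gpsd) that builds a constructed 48-byte NTP v4 server reply, decodes its header, and runs the RFC 5905 offset/delay calculation a client performs on it. A stratum 1 server carries an ASCII refclock code such as "GPS" in the reference-ID field, while stratum 2 and above carry the upstream server's address; the "GPS" refid, the 2 ms clock offset and the 10 ms path delays are all invented values.

```python
"""Decode NTP v4 packets (RFC 5905) and run the client offset/delay calculation.

Added example: the server reply is constructed in code, not captured from a
real server; the 'GPS' refid and all timestamps are invented values.
"""
import struct

NTP_UNIX_DELTA = 2208988800                    # seconds from 1900-01-01 to 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference / origin / receive / transmit timestamps
HEADER = struct.Struct("!BBbbII4sQQQQ")         # exactly 48 bytes


def to_ntp(unix_time: float) -> int:
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time)
    frac = int(round((unix_time - secs) * 2**32))
    if frac == 2**32:                           # rounding carried into the next second
        secs, frac = secs + 1, 0
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / 2**32


def refid_text(stratum: int, refid: bytes) -> str:
    """Stratum 0/1 carry a 4-char ASCII code (kiss code or refclock id such as
    b'GPS\\0'); stratum 2+ carry the upstream IPv4 address (for an IPv6 upstream
    it is the first 32 bits of an MD5 hash, which merely looks like an IPv4)."""
    if stratum <= 1:
        return refid.rstrip(b"\x00").decode("ascii", errors="replace")
    return ".".join(str(b) for b in refid)


def parse_ntp(packet: bytes) -> dict:
    """Decode the fixed 48-byte header; extension fields / MAC after it are ignored."""
    if len(packet) < HEADER.size:
        raise ValueError(f"short NTP packet: {len(packet)} bytes")
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmit_ts) = HEADER.unpack_from(packet)
    return {
        "leap": flags >> 6,                     # 3 = clock not synchronised
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,                    # 3 = client, 4 = server
        "stratum": stratum,
        "poll": poll,                           # log2 seconds
        "precision": precision,                 # log2 seconds
        "root_delay": root_delay / 2**16,       # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 2**16,
        "refid": refid_text(stratum, refid),
        "reference_time": from_ntp(ref_ts),
        "t1": from_ntp(orig_ts),                # client transmit, echoed back by server
        "t2": from_ntp(recv_ts),                # server receive
        "t3": from_ntp(xmit_ts),                # server transmit
    }


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905 on-wire calculation. It assumes a symmetric path; any asymmetry
    becomes offset error directly, which is why a local GPS/PPS source beats an
    Internet source whichever daemon is used."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def build_server_reply(stratum: int, refid: bytes, t1: float, t2: float, t3: float) -> bytes:
    """Constructed mode-4 reply; a real server copies t1 from the client's request."""
    flags = (0 << 6) | (4 << 3) | 4            # LI=0, VN=4, mode=4 (server)
    return HEADER.pack(flags, stratum, 6, -20, 0, int(0.001 * 2**16), refid,
                       to_ntp(t2 - 5.0), to_ntp(t1), to_ntp(t2), to_ntp(t3))


def demo():
    """One exchange with a stratum-1 GPS-disciplined server (constructed values)."""
    t1 = 1700000000.000                        # client transmit, client clock
    t2 = t1 + 0.010 + 0.002                    # server receive: 10 ms path, server clock 2 ms ahead
    t3 = t2 + 0.001                            # server transmit after 1 ms of processing
    t4 = t1 + 0.010 + 0.001 + 0.010            # client receive, client clock
    info = parse_ntp(build_server_reply(1, b"GPS\x00", t1, t2, t3))
    offset, delay = offset_and_delay(info["t1"], info["t2"], info["t3"], t4)
    return info, offset, delay


if __name__ == "__main__":
    info, offset, delay = demo()
    print(f"stratum {info['stratum']}, refid {info['refid']}, mode {info['mode']}")
    print(f"offset {offset * 1e3:+.3f} ms, round-trip delay {delay * 1e3:.3f} ms")
```

Running it reports stratum 1 with refid GPS, an offset of +2.000 ms and a round-trip delay of 20.000 ms, i.e. the client recovers exactly the 2 ms the server's clock was ahead by because the constructed path is symmetric; with a real Internet server the two 10 ms legs are rarely equal, and half the difference lands in the offset.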
                                    • dennypageD
                                      dennypage @JKnott
                                      last edited by

                                      @JKnott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                      BTW, one thing some people don't seem to understand is NTP is supposed to be traceable to International Atomic Time.

                                      Traceability is to Coordinated Universal Time (UTC) rather than International Atomic Time (TAI). There's a 37 second difference. 😵

                                      • stephenw10S
                                        stephenw10 Netgate Administrator @dennypage
                                        last edited by

                                        @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                        There's a 37 second difference.

                                        Gah. 😵 indeed!

                                        • JKnottJ
                                          JKnott @dennypage
                                          last edited by

                                          @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          Traceability is to Coordinated Universal Time (UTC) rather than International Atomic Time (TAI). There's a 37 second difference.

                                          UTC is based on IAT and then adjusted for leap seconds. From that article I linked to:

                                          "International Atomic Time (abbreviated TAI, from its French name temps atomique international[1]) is a high-precision atomic coordinate time standard based on the notional passage of proper time on Earth's geoid.[2] TAI is a weighted average of the time kept by over 450 atomic clocks in over 80 national laboratories worldwide.[3] It is a continuous scale of time, without leap seconds, and it is the principal realisation of Terrestrial Time (with a fixed offset of epoch). It is the basis for Coordinated Universal Time (UTC), which is used for civil timekeeping all over the Earth's surface and which has leap seconds."

                                          • JKnottJ
                                            JKnott @stephenw10
                                            last edited by

                                            @stephenw10 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                            @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                            There's a 37 second difference.

                                            Gah. 😵 indeed!

                                            That's already adjusted for with UTC.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.