Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd)

    Scheduled Pinned Locked Moved General pfSense Questions
    136 Posts 14 Posters 51.0k Views 18 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DaddyGoD Offline
      DaddyGo @bingo600
      last edited by

      @bingo600 said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

      i have seen lots of bugs related to RouterOS ....

      Yes I also have some 10G capable MikroTik on the shelf waiting to finally get a stable FW for it, because otherwise they are not bad...

      Good prices among the 10G things on the market, but then if have say VLAN and say QoS problems not to mention 10G speed negotiation errors (on SFP+ ports) you can't use it well.
      They'll fix it hope, - they continue to gather dust on the shelf :)

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      1 Reply Last reply Reply Quote 0
      • Sergei_ShablovskyS Offline
        Sergei_Shablovsky @DaddyGo
        last edited by Sergei_Shablovsky

        @daddygo said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

        @bingo600 said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

        Could they be checkking for new firmware ??

        Nope, unfortunately FW can only be installed manually...

        As I followed along with Wireshark, the time is synchronized from a Chinese source via some cPanel route, that in itself is very strange, because it puts you through a lot of redirection.

        by default you can't even specify it, NTP servers only have their own Chinese source hard coded into them...

        Neither from GUI nor from CLI you can specify a time server path, say 216.239.35.0 or 162.159.200.123 or etc.

        I don't like this kind of solution, I want to be in control 😉

        We goes a little bit off topic, but I also need a drop a few lines:

        Two years ago, before pandemic started, before attacks on oil/gas lines happened, before issue with SolarWind, I wrote on this forum about our obligation as Security Admins / SysAdmins to stay away from any products from russia/china. Because this authority regimes using ANY TECHNOLOGY and ANY ABILITY as a weapon in a war against US and other democratic countries.
        Many users reply something like “my friend, take a foil hat and no worry about!”.

        But let me to point on again and again: from 2018 russia and China would be more and more aggressive in their attacks, using multivectors attacks, complex hardware&software based attacks.

        And popularity of very cheap/budget price of many network appliances & devices made in China - only one channel of many other to put their weapon in Your business infrastructure and in Your home.

        P.S. from Jan 2024
        Two Years ago I wrote this. No any reaction here on forum, even no one set “likel. But now You see russians attack to Colonel Pipeline, Pentagon internal lans, Chinas drones over the US military bases, russians drones over Bundeswer army’s buildings in Europe and oil/gas terminals in Norvay, lots of attacks on US government lans, russia help Iran and Hamas to attack Israel….
        Ordinary US SysAdmins not bother too much about all of this (“so far away”, etc…), but here in EU we clearly see how 3-rd Wirld War happened RIGHT NOW and only matter of time when US receive power hit from russia and China…
        Because may be too late.

        —
        CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
        Help Ukraine to resist, save civilians people’s lives !
        (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

        1 Reply Last reply Reply Quote 0
        • E Offline
          e-1-1
          last edited by

          Opened #10404 a year or so ago for this topic - migration from ntpd to chronyd.
          In an uninspired moment I set it to "Private" and can't change it to "Public", maybe @Netgate can help.

          stephenw10S 1 Reply Last reply Reply Quote 0
          • stephenw10S Online
            stephenw10 Netgate Administrator @e-1-1
            last edited by

            Ha, I wondered why that was set private. Fixed.

            1 Reply Last reply Reply Quote 0
            • Sergei_ShablovskyS Offline
              Sergei_Shablovsky @q54e3w
              last edited by Sergei_Shablovsky

              @q54e3w said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

              I'd rather have PTP personally.

              How You to comment this sentence from official Chrony Docs:

              2.12. Does chrony support PTP?
              No, the Precision Time Protocol (PTP) is not supported as a protocol for synchronisation of clocks and there are no plans to support it.
              It is a complex protocol, which shares some issues with the NTP broadcast mode.
              One of the main differences between NTP and PTP is that PTP was designed to be easily supported in hardware (e.g. network switches and routers) in order to make more stable and accurate measurements. PTP relies on the hardware support. NTP does not rely on any support in the hardware, but if it had the same support as PTP, it could perform equally well.

              On Linux, chrony supports hardware clocks that some NICs have for PTP. They are called PTP hardware clocks (PHC). They can be used as reference clocks (specified by the refclock directive) and for hardware timestamping of NTP packets (enabled by the hwtimestamp directive) if the NIC can timestamp other packets than PTP, which is usually the case at least for transmitted packets. The ethtool -T command can be used to verify the timestamping support.

              —
              CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
              Help Ukraine to resist, save civilians people’s lives !
              (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

              Sergei_ShablovskyS 1 Reply Last reply Reply Quote 0
              • Sergei_ShablovskyS Offline
                Sergei_Shablovsky @Sergei_Shablovsky
                last edited by Sergei_Shablovsky

                @sergei_shablovsky said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                Sentence from official Chrony Docs:

                On Linux, chrony supports hardware clocks that some NICs have for PTP. They are called PTP hardware clocks (PHC). They can be used as reference clocks (specified by the refclock directive) and for hardware timestamping of NTP packets (enabled by the hwtimestamp directive) if the NIC can timestamp other packets than PTP, which is usually the case at least for transmitted packets. The ethtool -T command can be used to verify the timestamping support.

                I need to add some note about hardware timestamping: no possible to detect correct time correction delta in constantly asymmetrical link.
                (For better understanding I will doing that on an example)

                Server A make a timestamp (t) and sending packet to Server B
                Packet on the road within 30ms
                Server B receive packet at time (t+30), make a timestamp and sending reply to Server A
                Packet on the road within 70ms (because another route)
                Server A receive reply packet with a totally delay (t+30ms+70ms = t+100ms) and Server A make decision that his time need to be corrected on 20ms (100ms / 2 ways - 30ms)

                But this is wrong decision (because as You see above one route are 30ms, other route are 70ms).

                And no possible at all detecting this by statistics. So, in constantly asymmetrical link, the hardware NIC timestamp also not help to make great correction.

                I am not sure is PTP v2 (IEEE-1588-2008) solving this problem?

                —
                CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                Help Ukraine to resist, save civilians people’s lives !
                (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                1 Reply Last reply Reply Quote 0
                • Sergei_ShablovskyS Sergei_Shablovsky referenced this topic on
                • Sergei_ShablovskyS Sergei_Shablovsky referenced this topic on
                • Sergei_ShablovskyS Offline
                  Sergei_Shablovsky @johnpoz
                  last edited by

                  @johnpoz said in Chrony, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                  @sergei_shablovsky said in Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                  **really outdated and vulnerable NTP”” need to be replaced.

                  What specific vulnerability are you talking about.. Just because NTP has been around long time - does not mean its not been kept up to date for security issues.

                  One of technics of NTP hacking is described here https://habr.com/ru/companies/ruvds/articles/505938/

                  (Please use translate.Google.com for reading.)
                  Only 25mins on Intel Core i5 ;)

                  —
                  CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                  Help Ukraine to resist, save civilians people’s lives !
                  (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                  RobbieTTR 1 Reply Last reply Reply Quote 0
                  • RobbieTTR Offline
                    RobbieTT @Sergei_Shablovsky
                    last edited by RobbieTT

                    @sergei_shablovsky
                    Quite a thread resurrection you have there. Regrettably I have become unwilling to click on Russian links.

                    That said, NTP is easily overlooked as it is a dull topic despite everyone relying on encryption these days.

                    In my view they called it Network Time Protocol for a reason - primarily it should be on your network, with only redundancy and sanity checks provided by the wider internet.

                    For years I have had one of these on my LAN:

                    20210831-TimeNet Pro-VTN-TN-PRO-Front Ports.png

                    Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

                    ☕️

                    JKnottJ Sergei_ShablovskyS NollipfSenseN 3 Replies Last reply Reply Quote 1
                    • JKnottJ Offline
                      JKnott @RobbieTT
                      last edited by

                      @robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                      Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

                      And they're only $639.95!

                      I'll rely on NTP over the Internet.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                      RobbieTTR Sergei_ShablovskyS 2 Replies Last reply Reply Quote 0
                      • stephenw10S Online
                        stephenw10 Netgate Administrator
                        last edited by

                        @robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                        hacky DIY job on a RPi.

                        But that's the fun part! 😉

                        RobbieTTR 1 Reply Last reply Reply Quote 0
                        • RobbieTTR Offline
                          RobbieTT @JKnott
                          last edited by RobbieTT

                          @jknott said

                          And they're only $639.95!

                          I'll rely on NTP over the Internet.

                          Ouch! Mine was 'only' £109 on eBay. When did they become so expensive??

                          Edit: The last one I purchased was 'just' £100 including expedited delivery, back in 2021:

                           2023-04-25 at 14.03.20.png

                          I guess I should have purchased a boatload of them. 😂

                          ☕️

                          1 Reply Last reply Reply Quote 1
                          • RobbieTTR Offline
                            RobbieTT @stephenw10
                            last edited by

                            @stephenw10 We are all tinkerers at heart. 🙃

                            1 Reply Last reply Reply Quote 0
                            • Sergei_ShablovskyS Offline
                              Sergei_Shablovsky @JKnott
                              last edited by

                              @jknott said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                              @robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                              Dedicated NTP time sources don't have to be expensive or be a hacky DIY job on a RPi.

                              And they're only $639.95!

                              I'll rely on NTP over the Internet.

                              For the price like this You able to buy now well-reputable Trimble civil model (see this huge loaded pack for example https://www.ebay.com/itm/155434190550) OR even used MILITARY-grade Trimble set w/ antennas.

                              Of courses if You need STABILITY.

                              —
                              CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                              Help Ukraine to resist, save civilians people’s lives !
                              (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                              1 Reply Last reply Reply Quote 0
                              • Sergei_ShablovskyS Offline
                                Sergei_Shablovsky @RobbieTT
                                last edited by

                                @robbiett said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                @sergei_shablovsky
                                Quite a thread resurrection you have there. Regrettably I have become unwilling to click on Russian links.

                                When a write about DANGEROUS of ALL that linked to russia around 3 years ago, here on forum, no one care about this… ;)
                                But now all see what is russia exactly…

                                But in case of Habr web resource - this is safe. This is a well reputable forum for Russian-speaking tech geeks with a lot of interesting articles from 2008 prior 2017…

                                —
                                CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                Help Ukraine to resist, save civilians people’s lives !
                                (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                1 Reply Last reply Reply Quote 0
                                • Sergei_ShablovskyS Offline
                                  Sergei_Shablovsky
                                  last edited by Sergei_Shablovsky

                                  For anyone who “love to play with TIME-server”:

                                  Do You use ntpperf utility to test Your server?

                                  Write back Your appliances and a result in numbers!

                                  Thx!

                                  —
                                  CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                  Help Ukraine to resist, save civilians people’s lives !
                                  (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                  1 Reply Last reply Reply Quote 0
                                  • Sergei_ShablovskyS Offline
                                    Sergei_Shablovsky
                                    last edited by

                                    And again one time: when Netgate implementing modern time-protocols???!

                                    —
                                    CLOSE SKY FOR UKRAINE https://youtu.be/_tU1i8VAdCo !
                                    Help Ukraine to resist, save civilians people’s lives !
                                    (Take an active part in public protests, push on Your country’s politics, congressmans, mass media, leaders of opinion.)

                                    dennypageD 1 Reply Last reply Reply Quote 0
                                    • dennypageD Offline
                                      dennypage @Sergei_Shablovsky
                                      last edited by

                                      @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                      And again one time: when Netgate implementing modern time-protocols???!

                                      NTP is a modern time protocol. The version in pfSense is ntpd 4.2.8, which implements NTP version 4 and is the current version of the standard.

                                      Is ntpd my favorite NTP implementation? No, it isn't. I would strongly prefer Chrony or even NTPsec, but ntpd is certainly adequate for what is needed.

                                      Unfortunately, Chrony is not considered viable due to license incompatibilities. This has been discussed previously. It's a shame really, because Chrony really is very good in all aspects.

                                      NTPsec is viable on a license basis and is in FreeBSD ports. However, to replace ntpd with NTPsec (or Chrony for that matter), you would also require gpsd as well. Moving to NTPsec and gpsd would require significant effort to integrate and then test. If someone wants to put that effort in, I'm sure that the devs would consider a PR if submitted.

                                      PTP would be a complete waste of time for pfSense.

                                      E 1 Reply Last reply Reply Quote 1
                                      • E Offline
                                        e-1-1 @dennypage
                                        last edited by e-1-1

                                        @dennypage said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                        @Sergei_Shablovsky said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                        And again one time: when Netgate implementing modern time-protocols???!

                                        NTP is a modern time protocol. The version in pfSense is ntpd 4.2.8, which implements NTP version 4 and is the current version of the standard.

                                        Is ntpd my favorite NTP implementation? No, it isn't. I would strongly prefer Chrony or even NTPsec, but ntpd is certainly adequate for what is needed.

                                        Unfortunately, Chrony is not considered viable due to license incompatibilities. This has been discussed previously. It's a shame really, because Chrony really is very good in all aspects.

                                        NTPsec is viable on a license basis and is in FreeBSD ports. However, to replace ntpd with NTPsec (or Chrony for that matter), you would also require gpsd as well. Moving to NTPsec and gpsd would require significant effort to integrate and then test. If someone wants to put that effort in, I'm sure that the devs would consider a PR if submitted.

                                        PTP would be a complete waste of time for pfSense.

                                        Ummm what?! License incompatibilities? So all GPLv2 packages are having their license broken by being already present in pfSense? Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

                                        dennypageD Sergei_ShablovskyS 2 Replies Last reply Reply Quote 1
                                        • dennypageD Offline
                                          dennypage @e-1-1
                                          last edited by dennypage

                                          @e-1-1 said in Chrony, PTP, Network Time Security (NTS, NTPsec) to replace unsecure/old NTP (ntpd):

                                          Ummm what?! License incompatibilities? So all GPLv2 packages are having their license broken by being already present in pfSense? Doesn't make sense to me. Not to mention chrony is already available in FreeBSD.

                                          I believe that Chrony is in FreeBSD ports rather than in FreeBSD release (core).

                                          This was a hotly debated topic 10 years ago. The BSD and pfSense folk took the position that GPL components cannot be safely included in a distribution that is issued under the FreeBSD license. Ditto for the Linux folk when looking at ZFS and CDDL. You may or may not agree with their conclusions, but it is theirs to make. Who knows? Maybe you can get them to change their minds. Give it a go.

                                          I've done a bit of work with Chrony on Linux. Some time back I considered making Chrony available as an add-on replacement package for pfSense, but the barriers to entry were large. And I was only looking at chronyd--I wasn't thinking of including gpsd with its associated headaches.

                                          https://forum.netgate.com/topic/106105/chrony

                                          FWIW, ntimed is truly dead at this point.

                                          P 1 Reply Last reply Reply Quote 1
                                          • P Offline
                                            Patch @dennypage
                                            last edited by

                                            I use Chrony on my Proxmox host as the local time reference with pfsense accessing that only as a client.
                                            I agree it would be much better if pfsense ran chrony as it could then be used as the server for local devices.
                                            Sad to hear licensing issues prevent this.

                                            johnpozJ 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.