Now that chrony is available in rolling release, support for Network Time Security (NTS) can be enabled in chrony configuration.
References:
https://docs.ntpsec.org/latest/NTS-QuickStart.html
https://fedoramagazine.org/secure-ntp-with-nts/
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | FEATURE REQUEST | c-po | T3008 Migrate from ntpd to chronyd |
| Resolved | FEATURE REQUEST | indrajitr | T5112 Enable support for Network Time Security (NTS) for chrony |
Using VyOS 1.4-rolling-202308250021.

Before change:

```
set service ntp allow-client address '127.0.0.1'
set service ntp interface 'eth1'
set service ntp listen-address '127.0.0.1'
set service ntp server 194.58.200.20 prefer
set service ntp vrf 'INTERNET'
```

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |          /         .- Est. offset.
                           |   |   |     |         |          |   On the -.
                           |   |   |     |         |          |   samples. \
                           |   |   |     |         |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               6   6    86m     -0.002      0.097  -1416ns    48us
```

After change:

```
set service ntp allow-client address '127.0.0.1'
set service ntp interface 'eth1'
set service ntp listen-address '127.0.0.1'
set service ntp server 194.58.200.20 prefer
set service ntp server sth1.nts.netnod.se nts
set service ntp server sth2.nts.netnod.se nts
set service ntp vrf 'INTERNET'
```

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |          /         .- Est. offset.
                           |   |   |     |         |          |   On the -.
                           |   |   |     |         |          |   samples. \
                           |   |   |     |         |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3      6    +23.396    137.007    +61us    16us
sth1-ts.nts.netnod.se       4   4      6     -4.033    190.994   -127us    23us
sth2-ts.nts.netnod.se       4   3      6    +12.769    328.153    -19us    37us
```

NOTE!

NTS doesn't use UDP 123 as with NTP but rather TCP 4460 _AND_ UDP 4123.

If you don't have proper access to the NTS server at TCP 4460, the output of `show ntp` will look something like this:

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |          /         .- Est. offset.
                           |   |   |     |         |          |   On the -.
                           |   |   |     |         |          |   samples. \
                           |   |   |     |         |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3      6     +3.151     91.866   +235us    12us
sth1.nts.netnod.se          0   0      0     +0.000   2000.000     +0ns   4000ms
sth2.nts.netnod.se          0   0      0     +0.000   2000.000     +0ns   4000ms
```

While if TCP 4460 is allowed but not UDP 4123, it will look like this (because chronyc is being used):

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |          /         .- Est. offset.
                           |   |   |     |         |          |   On the -.
                           |   |   |     |         |          |   samples. \
                           |   |   |     |         |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3      6     +3.151     91.866   +235us    12us
sth1-ts.nts.netnod.se       0   0      0     +0.000   2000.000     +0ns   4000ms
sth2-ts.nts.netnod.se       0   0      0     +0.000   2000.000     +0ns   4000ms
```

I would say that this task can be set to resolved.
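As an added example (my own code, not from the comment above, VyOS or chrony), a small Python script that parses the `show ntp` rows shown above and classifies each source with no samples by the name chrony lists it under, which is what separates the two failure modes the comment describes. The status labels, `NTS_KE_HOSTS` and the function names are this example's own; the sample rows are copied from the failing outputs above.

```python
import re

# One data row of chronyc `sourcestats`, which VyOS `show ntp` prints above.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<np>\d+)\s+(?P<nr>\d+)\s+(?P<span>\S+)\s+"
    r"(?P<freq>[+-]?[\d.]+)\s+(?P<skew>[\d.]+)\s+(?P<offset>\S+)\s+(?P<stddev>\S+)$"
)

# Hosts configured with `set service ntp server <host> nts`: the NTS-KE
# endpoints reached over TCP 4460.  chrony then lists each one under the NTP
# server name NTS-KE handed back (sth1.nts.netnod.se -> sth1-ts.nts.netnod.se).
NTS_KE_HOSTS = {"sth1.nts.netnod.se", "sth2.nts.netnod.se"}

def parse_sourcestats(text):
    """Return one dict per source row; the ASCII header diagram never matches."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["np"], row["nr"] = int(row["np"]), int(row["nr"])
            rows.append(row)
    return rows

def triage(text, nts_ke_hosts=NTS_KE_HOSTS):
    """Map each source name to a status label (labels are this example's own)."""
    status = {}
    for row in parse_sourcestats(text):
        if row["np"] > 0:
            status[row["name"]] = "ok"
        elif row["name"] in nts_ke_hosts:
            # Still listed under the configured name with no samples: NTS-KE on
            # TCP 4460 never completed, so that path is the first thing to check.
            status[row["name"]] = "nts-ke-failed"
        else:
            # Renamed by a successful NTS-KE but still no samples: the NTP port
            # NTS-KE pointed at (UDP 4123 here) is blocked.  Note a plain non-NTS
            # source with no samples also lands here.
            status[row["name"]] = "ntp-blocked-after-ke"
    return status

# Sample input copied from the "TCP 4460 blocked" output above; the UDP-blocked
# case differs only in the names NTS-KE already rewrote.
KE_BLOCKED = """
ntp.netnod.se               4   3      6     +3.151     91.866   +235us    12us
sth1.nts.netnod.se          0   0      0     +0.000   2000.000     +0ns   4000ms
sth2.nts.netnod.se          0   0      0     +0.000   2000.000     +0ns   4000ms
"""
UDP_BLOCKED = KE_BLOCKED.replace(".nts.netnod.se", "-ts.nts.netnod.se")
print(triage(KE_BLOCKED), triage(UDP_BLOCKED))
```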
Ref: