Now that chrony is available in rolling release, support for Network Time Security (NTS) can be enabled in chrony configuration.
References:
https://docs.ntpsec.org/latest/NTS-QuickStart.html
https://fedoramagazine.org/secure-ntp-with-nts/
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | FEATURE REQUEST | c-po | T3008 Migrate from ntpd to chronyd
Resolved | FEATURE REQUEST | indrajitr | T5112 Enable support for Network Time Security (NTS) for chrony
Using VyOS 1.4-rolling-202308250021.
Before change:
```
set service ntp allow-client address '127.0.0.1'
set service ntp interface 'eth1'
set service ntp listen-address '127.0.0.1'
set service ntp server 194.58.200.20 prefer
set service ntp vrf 'INTERNET'
```

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |    |    /      .- Est. clock freq error (ppm).
                           |    |    |       /           .- Est. error in freq.
                           |    |    |       |          /         .- Est. offset.
                           |    |    |       |          |          |   On the -.
                           |    |    |       |          |          |   samples. \
                           |    |    |       |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               6   6   86m     -0.002      0.097  -1416ns    48us
```
After change:
```
set service ntp allow-client address '127.0.0.1'
set service ntp interface 'eth1'
set service ntp listen-address '127.0.0.1'
set service ntp server 194.58.200.20 prefer
set service ntp server sth1.nts.netnod.se nts
set service ntp server sth2.nts.netnod.se nts
set service ntp vrf 'INTERNET'
```

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |    |    /      .- Est. clock freq error (ppm).
                           |    |    |       /           .- Est. error in freq.
                           |    |    |       |          /         .- Est. offset.
                           |    |    |       |          |          |   On the -.
                           |    |    |       |          |          |   samples. \
                           |    |    |       |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3     6    +23.396    137.007    +61us    16us
sth1-ts.nts.netnod.se       4   4     6     -4.033    190.994   -127us    23us
sth2-ts.nts.netnod.se       4   3     6    +12.769    328.153    -19us    37us
```
NOTE!
NTS doesn't use UDP 123 as with NTP but rather TCP 4460 _AND_ UDP 4123.
If you don't have proper access to the NTS server at TCP 4460 the output of show ntp will look something like this:
```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |    |    /      .- Est. clock freq error (ppm).
                           |    |    |       /           .- Est. error in freq.
                           |    |    |       |          /         .- Est. offset.
                           |    |    |       |          |          |   On the -.
                           |    |    |       |          |          |   samples. \
                           |    |    |       |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3     6     +3.151     91.866   +235us    12us
sth1.nts.netnod.se          0   0     0     +0.000   2000.000     +0ns  4000ms
sth2.nts.netnod.se          0   0     0     +0.000   2000.000     +0ns  4000ms
```

While if TCP 4460 is allowed but not UDP 4123 it will look like (because chronyc is being used):

```
vyos@vyos:~$ show ntp
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |    |    /      .- Est. clock freq error (ppm).
                           |    |    |       /           .- Est. error in freq.
                           |    |    |       |          /         .- Est. offset.
                           |    |    |       |          |          |   On the -.
                           |    |    |       |          |          |   samples. \
                           |    |    |       |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
ntp.netnod.se               4   3     6     +3.151     91.866   +235us    12us
sth1-ts.nts.netnod.se       0   0     0     +0.000   2000.000     +0ns  4000ms
sth2-ts.nts.netnod.se       0   0     0     +0.000   2000.000     +0ns  4000ms
```
I would say that this task can be set to resolved.
Ref:
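As an added check, not part of this task or of VyOS itself: a small Python script that reads the `set service ntp server ... nts` lines and the `show ntp` (chronyc sourcestats) rows from the listings above and reports, per source, whether it is collecting samples. The verdict strings follow the pattern the three listings show (no samples under the configured NTS name versus no samples under the name NTS-KE handed back); the sample input is constructed from this comment.

```python
import re
# Constructed sample input, copied from the task comment: the NTS server lines
# and the `show ntp` (chronyc sourcestats) rows seen when TCP 4460 is blocked.
CONFIG = """\
set service ntp server 194.58.200.20 prefer
set service ntp server sth1.nts.netnod.se nts
set service ntp server sth2.nts.netnod.se nts
"""
STATS_KE_BLOCKED = """\
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
ntp.netnod.se               4   3     6     +3.151     91.866   +235us    12us
sth1.nts.netnod.se          0   0     0     +0.000   2000.000     +0ns  4000ms
sth2.nts.netnod.se          0   0     0     +0.000   2000.000     +0ns  4000ms
"""
SERVER_RE = re.compile(r"^set service ntp server (\S+)(.*)$")
# Columns: name NP NR Span Frequency "Freq Skew" Offset "Std Dev" (with units).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\w?\s+[+-]?[\d.]+\s+[\d.]+\s+"
                    r"([+-]?\d+)(ns|us|ms|s)\s+(\d+)(ns|us|ms|s)\s*$")
UNIT = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}

def nts_servers(config: str) -> list:
    """Names of the servers configured with the `nts` option."""
    out = []
    for line in config.splitlines():
        m = SERVER_RE.match(line.strip())
        if m and "nts" in m.group(2).split():
            out.append(m.group(1))
    return out

def parse_sourcestats(text: str) -> list:
    """Parse chronyc sourcestats rows; the header line does not match ROW_RE."""
    return [{"name": m[1], "np": int(m[2]), "nr": int(m[3]),
             "offset_s": int(m[4]) * UNIT[m[5]], "stddev_s": int(m[6]) * UNIT[m[7]]}
            for m in filter(None, map(ROW_RE.match, text.splitlines()))]

def check_sources(config: str, stats: str) -> dict:
    """Verdict per source, following the pattern in the task's listings: no samples
    under the configured NTS name means NTS-KE (TCP 4460) never completed; no
    samples under the name NTS-KE handed back means NTP (UDP 4123) is unanswered."""
    nts = set(nts_servers(config))
    report = {}
    for r in parse_sourcestats(stats):
        if r["np"] > 0:
            report[r["name"]] = "ok"
        elif r["name"] in nts:
            report[r["name"]] = "no samples: NTS-KE (TCP 4460) not completing"
        else:
            report[r["name"]] = "no samples: NTP (UDP 123/4123) unanswered"
    return report
```

On a live box the same functions can be fed `show configuration commands | grep 'ntp server'` and `show ntp` output instead of the embedded samples.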