{"id":439,"date":"2020-10-04T21:17:59","date_gmt":"2020-10-04T20:17:59","guid":{"rendered":"https:\/\/blog.thomarite.uk\/?p=439"},"modified":"2020-10-24T18:40:31","modified_gmt":"2020-10-24T17:40:31","slug":"nts","status":"publish","type":"post","link":"https:\/\/blog.thomarite.uk\/index.php\/2020\/10\/04\/nts\/","title":{"rendered":"NTS"},"content":{"rendered":"\n<p>From a new Cloudflare <a href=\"https:\/\/blog.cloudflare.com\/nts-is-now-rfc\/\">post<\/a>, I learned that NTS is a standard. To be honest, I can&#8217;t remember there being work on making NTP secure. In the last few years I have seen development in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Precision_Time_Protocol\">PTP<\/a> for time sync in financial systems but nothing else. So it is nice to see this happening. We only need to encrypt BGP and we are done on the internet... oh wait. Dreaming is free.<\/p>\n\n\n\n<p>So I am trying to install and configure NTS on my system following these links: <a href=\"https:\/\/weberblog.net\/setting-up-nts-secured-ntp-with-ntpsec\/\">link1<\/a> <a href=\"https:\/\/www.netnod.se\/time-and-frequency\/how-to-use-nts\">link2<\/a><\/p>\n\n\n\n<p>I have just installed ntpsec via the Debian package system and that&#8217;s it, ntpsec is running&#8230;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># apt install ntpsec\n...\n# service ntpsec status\n\u25cf ntpsec.service - Network Time Service\nLoaded: loaded (\/lib\/systemd\/system\/ntpsec.service; enabled; vendor preset: enabled)\nActive: active (running) since Sun 2020-10-04 20:35:58 BST; 6min ago\nDocs: man:ntpd(8)\nMain PID: 292116 (ntpd)\nTasks: 1 (limit: 9354)\nMemory: 10.2M\nCGroup: \/system.slice\/ntpsec.service\n\u2514\u2500292116 \/usr\/sbin\/ntpd -p \/run\/ntpd.pid -c \/etc\/ntpsec\/ntp.conf -g -N -u ntpsec:ntpsec\nOct 04 20:36:02 athens ntpd[292116]: DNS: dns_check: processing 3.debian.pool.ntp.org, 8, 101\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool taking: 81.128.218.110\nOct 04 20:36:02 athens ntpd[292116]: 
DNS: Pool poking hole in restrictions for: 81.128.218.110\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool taking: 139.162.219.252\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool poking hole in restrictions for: 139.162.219.252\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool taking: 62.3.77.2\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool poking hole in restrictions for: 62.3.77.2\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool taking: 213.130.44.252\nOct 04 20:36:02 athens ntpd[292116]: DNS: Pool poking hole in restrictions for: 213.130.44.252\nOct 04 20:36:02 athens ntpd[292116]: DNS: dns_take_status: 3.debian.pool.ntp.org=>good, 8\n#<\/pre>\n\n\n\n<p>Checking the default config, there is nothing configured to use NTS so I made some changes based on the links above:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># vim \/etc\/ntpsec\/ntp.conf\n...\n\n\n# Public NTP servers supporting Network Time Security:\nserver time.cloudflare.com:1234 nts\n\n# Example 2: NTS-secured NTP (default NTS-KE port (123); using certificate pool of the operating system)\nserver ntp1.glypnod.com iburst minpoll 3 maxpoll 6 nts\n\n#Via https:\/\/www.netnod.se\/time-and-frequency\/how-to-use-nts\nserver nts.ntp.se:3443 nts iburst\nserver nts.sth1.ntp.se:3443 nts iburst\nserver nts.sth2.ntp.se:3443 nts iburst<\/pre>\n\n\n\n<p>After restart, still not seeing NTS in sync \ud83d\ude41<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># service ntpsec restart\n...\n# ntpq -puw\nremote refid st t when poll reach delay offset jitter\ntime.cloudflare.com .NTS. 16 0 - 64 0 0ns 0ns 119ns\nntp1.glypnod.com .NTS. 16 5 - 32 0 0ns 0ns 119ns\n2a01:3f7:2:202::202 .NTS. 16 1 - 64 0 0ns 0ns 119ns\n2a01:3f7:2:52::11 .NTS. 16 1 - 64 0 0ns 0ns 119ns\n2a01:3f7:2:62::11 .NTS. 16 1 - 64 0 0ns 0ns 119ns\n0.debian.pool.ntp.org .POOL. 16 p - 256 0 0ns 0ns 119ns\n1.debian.pool.ntp.org .POOL. 16 p - 256 0 0ns 0ns 119ns\n2.debian.pool.ntp.org .POOL. 16 p - 256 0 0ns 0ns 119ns\n3.debian.pool.ntp.org .POOL. 
16 p - 64 0 0ns 0ns 119ns\n-229.191.57.185.no-ptr.as201971.net .GPS. 1 u 25 64 177 65.754ms 26.539ms 7.7279ms\n+ns3.turbodns.co.uk 85.199.214.99 2 u 23 64 177 12.200ms 2.5267ms 1.5544ms\n+time.cloudflare.com 10.21.8.19 3 u 25 64 177 5.0848ms 2.6248ms 2.6293ms\n-ntp1.wirehive.net 202.70.69.81 2 u 21 64 177 9.6036ms 2.3986ms 1.9814ms\n+ns4.turbodns.co.uk 195.195.221.100 2 u 21 64 177 10.896ms 2.9528ms 1.5288ms\n-lond-web-1.speedwelshpool.com 194.58.204.148 2 u 23 64 177 5.6202ms 5.8218ms 3.2582ms\n-time.shf.uk.as44574.net 85.199.214.98 2 u 29 64 77 9.0190ms 4.9419ms 2.5810ms\nlux.22pf.org .INIT. 16 u - 64 0 0ns 0ns 119ns\nns1.thorcom.net .INIT. 16 u - 64 0 0ns 0ns 119ns\ntime.cloudflare.com .INIT. 16 u - 64 0 0ns 0ns 119ns\ntime.rdg.uk.as44574.net .INIT. 16 u - 64 0 0ns 0ns 119ns\n-herm4.doylem.co.uk 185.203.69.150 2 u 19 64 177 15.024ms 9.5098ms 3.2011ms\n-213.251.53.217 193.62.22.74 2 u 17 64 177 5.7211ms 1.4122ms 2.1895ms\n*babbage.betadome.net 85.199.214.99 2 u 20 64 177 4.8614ms 4.1187ms 2.5533ms\n#\n#\n# ntpq -c nts\nNTS client sends: 56\nNTS client recvs good: 0\nNTS client recvs w error: 0\nNTS server recvs good: 0\nNTS server recvs w error: 0\nNTS server sends: 0\nNTS make cookies: 0\nNTS decode cookies: 0\nNTS decode cookies old: 0\nNTS decode cookies too old: 0\nNTS decode cookies error: 0\nNTS KE probes good: 8\nNTS KE probes_bad: 0\nNTS KE serves good: 0\nNTS KE serves_bad: 0\n#<\/pre>\n\n\n\n<p>I ran tcpdump filtering on TCP ports 1234 (cloudflare) and 3443 (netnod), and I can see my system trying to negotiate NTS with Cloudflare and NetNod but both sessions are TCP RST \ud83d\ude41<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"405\" src=\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-1024x405.png\" alt=\"\" class=\"wp-image-440\" 
srcset=\"https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-1024x405.png 1024w, https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-300x119.png 300w, https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-768x304.png 768w, https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-1536x607.png 1536w, https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-2048x810.png 2048w, https:\/\/blog.thomarite.uk\/wp-content\/uploads\/2020\/10\/Screenshot-from-2020-10-04-21-14-36-1200x475.png 1200w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><\/figure>\n\n\n\n<p>Need to carry on researching&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From a new Cloudflare post, I learned that NTS is a standard. To be honest, I can&#8217;t remember there being work on making NTP secure. In the last few years I have seen development in PTP for time sync in financial systems but nothing else. So it is nice to see this happening. 
We only need &hellip; <a href=\"https:\/\/blog.thomarite.uk\/index.php\/2020\/10\/04\/nts\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;NTS&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,22,2],"tags":[],"class_list":["post-439","post","type-post","status-publish","format-standard","hentry","category-unix","category-monitoring","category-networks"],"_links":{"self":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/comments?post=439"}],"version-history":[{"count":1,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/439\/revisions"}],"predecessor-version":[{"id":441,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/posts\/439\/revisions\/441"}],"wp:attachment":[{"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/media?parent=439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/categories?post=439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.thomarite.uk\/index.php\/wp-json\/wp\/v2\/tags?post=439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}