Le 23/01/2018 à 13:00, Miroslav Lichvar a écrit : > On Tue, Jan 23, 2018 at 11:31:38AM +0100, FUSTE Emmanuel wrote: >> When I try to do the same with ntpd on one side and chrony on the other, >> things go bad. >> At best, chrony got a working association with interleave status with >> very long response time. > A long response time up to the polling interval of the peer is normal > in symmetric associations. > >> On the ntpd side, the association never work. The chrony server never >> get the "reach" state and the reach counter is stuck a zero. > Have you tried the same configuration and the timing of restarts, > between two ntpd servers? I suspect you would see some of the issues > in this case too. > > There are probably multiple issues involved, which make it difficult > to see what's going on. I'm aware of the following: > > - ntpd doesn't accept packets from peers that are not synchronized > (yet), so peers have to be configured with other sources in order > for the symmetric association (in both basic and interleaved modes) > to start. See https://bugs.ntp.org/show_bug.cgi?id=3445. > - interleaved mode in ntpd works only when the peers use the same > polling interval. If they have the same minpoll and maxpoll, but > minpoll != maxpoll, they should in theory both get to the maxpoll > if the association doesn't work, but there may be a bug that > prevents that. > - chrony switches to the basic mode when the polling intervals don't > match, but ntpd doesn't accept responses in the basic mode if the > interleaved mode is enabled > >> chrony 3.2 >> ntp-4.2.8p8, ntp-4.2.8p10 >> >> Could I normally expect xleave interoperability between chrony and ntpd >> or it is something too much "implementation specific" ? > With the current versions, if you can avoid the issue with > unsynchronized sources, they should interoperate, at least when their > polling intervals match. If it doesn't work for you, I'd like to see a > tcpdump output. Ok. I fixed min/max polling interval to 5 for testing purpose. Then I first restarted chrony. Wait for it to sync on a online source. Then restarted ntp and take capture. Will send you all the datas
NTP is stuck in unreachable state Chrony is stuck with only one valid RX. > > Please note that the symmetric mode has some security issues and it's > generally recommended to use the client/server mode instead. Even if > authentication is enabled, it is possible to break a symmetric > association by replaying old packets. (chrony has a partial protection > against this attack, but it works only in the basic mode when the > polling intervals match and there are no packets with timestamps from > future that could be replayed. It's too fragile, don't rely on it!) Yes I know. It is only used on "trusted" lan segments and/or to try to inter-operate with ntpd xleave. > > It is possible that support for symmetric associations will be dropped > from chrony in future. > I only using it to transition from ntpd to chrony. So It will not be missed. I hope my clock vendor will sometime transition from ntpd to something else (chrony) to get good xleave support (and much more). At most, I mainly use theses clocks with PTP so the NTP part only affect fail-over scenarios. Emmanuel.