Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Bill Unruh



On Thu, 22 Aug 2019, Stuart Longland wrote:

> On 22/8/19 12:00 am, James Knott wrote:
>> The calculations based on those time stamps
>> were meant to determine that latency and correct for it.
>
> As I understand it, the server doesn't care and simply round-trips it.
> The client does the RTT calculations and adjusts accordingly.

Yes.

> It is also a crude way to authenticate the response -- since the client
> presumably knows what it sent, if it gets a "spoofed" reply from a

The client HAS to know what it sent since that is the index into the list
linking time-sent in the packet to time-actually-sent. ntp already dumps any
packet whose packet time is not a time at which it was sent. However a spoofer
knows what the time is and thus has a very small range of packets which he can
try to subvert your ntp process. However, the time is something like 128 bits
and if they are random, then the spoofer simply cannot send out 2^64 = 10^20
packets in an exhaustive attempt to subvert your ntpd (even at Gbit ethernet,
it would take about 10^12 sec = 10^5 years to send them).

> server, this adds a (weak) way to detect this.

Not so weak. It cannot protect against MITM attacks since they can read what
you sent, but it can against blind attacks.

I.e., it is very strong protection against blind attacks.

> --
> Stuart Longland (aka Redhatter, VK4MSL)
>
> I haven't lost my mind...
>  ...it's backed up on a tape somewhere.

--
To unsubscribe email chrony-users-requ...@chrony.tuxfamily.org
with "unsubscribe" in the subject.
For help email chrony-users-requ...@chrony.tuxfamily.org
with "help" in the subject.
Trouble?  Email listmas...@chrony.tuxfamily.org.






Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Stuart Longland
On 22/8/19 12:00 am, James Knott wrote:
> The calculations based on those time stamps
> were meant to determine that latency and correct for it.

As I understand it, the server doesn't care and simply round-trips it.
The client does the RTT calculations and adjusts accordingly.

It is also a crude way to authenticate the response -- since the client
presumably knows what it sent, if it gets a "spoofed" reply from a
server, this adds a (weak) way to detect this.
-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.




Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Bill Unruh

On Wed, 21 Aug 2019, James Knott wrote:

> On 2019-08-21 09:44 AM, Miroslav Lichvar wrote:
>> It has no impact on accuracy.
>
> Maybe not on my local network, but what if the server was some distance
> away?  I realize NTP was developed back in the days when a 56 Kb/s
> connection was really something, but even with today's high bandwidth
> connections there is some latency that would cause the client to be
> slightly behind the server.  The calculations based on those time stamps
> were meant to determine that latency and correct for it.

NOTHING changes in the ntp protocol. The protocol does NOT use the sent
timestamp, but the time from a saved table in which that sent timestamp is
associated with the correct time that the packet was sent. The timestamp acts
purely as an identifier of the packet.

> Incidentally, at work a few months ago, there was some discussion about
> NTP on a major LRT project I was working on, though I wasn't directly
> involved with the NTP servers.  On this system, they have 2 GPS/NTP
> servers, at different locations, that were to be synced with 2 other
> servers.  This system runs over a fibre backbone, that's 11 Km long and
> they're somewhat fussy about NTP.  I had to explain, to one of my
> co-workers, how NTP worked.

Great. But in your explanation, just insert a line which says "When the client
receives back the packet from the server, it uses the T1 timestamp to look up
in a local table what time it was when that first client packet was sent to
the server and uses that, instead of the timestamp in the packet as the T1 in
the ntp protocol. Remember that the server does NOTHING with that T1
timestamp. All the server does is to fill in the next two slots, when the
server received the packet and when it sent it out again.
Only the client, which can have (and does if the client is designed to
implement that "NTP Client Data Minimization" note) the needed data, ever
does anything with that first timestamp.
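
The lookup described in the message above, together with the blind-spoofing rejection discussed earlier in the thread, as an added example that is not part of any post and is not chrony's code: a minimal client that sends a random 64-bit transmit timestamp, keeps the real send time in a local table, and drops any reply whose origin field matches nothing it sent. The class and function names and the sample times are assumptions made for illustration.

```python
import secrets
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(unix_seconds):
    """Unix time (float seconds) -> 64-bit NTP timestamp (32.32 fixed point)."""
    return int((unix_seconds + NTP_UNIX_DELTA) * 2**32) & 0xFFFFFFFFFFFFFFFF

def from_ntp(timestamp):
    return timestamp / 2**32 - NTP_UNIX_DELTA

class Client:  # hypothetical name, not a chrony structure
    def __init__(self):
        self.pending = {}  # random transmit timestamp -> local time the request really left

    def build_request(self, now):
        nonce = secrets.randbits(64)
        self.pending[nonce] = now
        # Byte 0 = LI 0, version 4, mode 3 (client); every other field zero except transmit.
        return struct.pack("!B39xQ", 0x23, nonce)

    def handle_reply(self, packet, now):
        if len(packet) < 48:
            return None
        origin, receive, transmit = struct.unpack("!24x3Q", packet[:48])
        t1 = self.pending.pop(origin, None)  # T1 comes from the table, never from the packet
        if t1 is None:
            return None  # origin matches nothing we sent: blind spoof, replay or stale reply
        t2, t3, t4 = from_ntp(receive), from_ntp(transmit), now
        offset = ((t2 - t1) + (t3 - t4)) / 2
        delay = (t4 - t1) - (t3 - t2)
        return offset, delay

def server_reply(request, rx_time, tx_time):
    """Server side: copy the client's transmit field into origin, fill in T2 and T3."""
    (client_transmit,) = struct.unpack("!40xQ", request[:48])
    return struct.pack("!B23x3Q", 0x24, client_transmit, to_ntp(rx_time), to_ntp(tx_time))

def demo():
    # Constructed scenario: client clock 0.5 s behind the server, 10 ms each way.
    client, t1 = Client(), 1566316927.0
    request = client.build_request(t1)
    # A blind sender who knows the real time guesses an honest-looking origin timestamp.
    guess = server_reply(struct.pack("!B39xQ", 0x23, to_ntp(t1)), t1 + 0.51, t1 + 0.511)
    spoofed = client.handle_reply(guess, t1 + 0.005)
    genuine = client.handle_reply(server_reply(request, t1 + 0.51, t1 + 0.511), t1 + 0.021)
    return spoofed, genuine

if __name__ == "__main__":
    print(demo())
```

The guessed reply is dropped and the genuine one still yields the 0.5 s offset and 20 ms round-trip delay, even though the timestamp on the wire was random.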







Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Bill Unruh


On Wed, 21 Aug 2019, James Knott wrote:

> On 2019-08-21 04:33 AM, Miroslav Lichvar wrote:
>> That's a privacy and security feature. Please see this draft
>
> Yeah, I guess there's a real security threat in the 2' between my
> desktop computer and my firewall.  ;-)

Not at all sure what this sarcastic comment is supposed to mean. The
contention is that there are situations in which that first transmit timestamp
can be used to identify the source, and that randomising this time makes NO
DIFFERENCE to the operation of the NTP protocol. It does NOT mean that your
local clock is set to that random time. It is ONLY a packet identifier which
has no effect whatsoever on anyone's times.

> Is there any way to disable this "feature"?  While it might not make
> much of a difference on a desktop system, there are plenty of situations
> where an accurate clock is needed.

The randomization makes no difference to any clock. The client keeps a record
of when a packet with transmit timestamp with time TT was sent. It is that time
which is used in all of the ntp calculations, not the time in the timestamp.
I.e., it has no implications whatsoever on the accuracy of the clock.







Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread FUSTE Emmanuel
On 21/08/2019 at 16:00, James Knott wrote:
> On 2019-08-21 09:44 AM, Miroslav Lichvar wrote:
>> It has no impact on accuracy.
> Maybe not on my local network, but what if the server was some distance
> away?  I realize NTP was developed back in the days when a 56 Kb/s
> connection was really something, but even with today's high bandwidth
> connections there is some latency that would cause the client to be
> slightly behind the server.  The calculations based on those time stamps
> were meant to determine that latency and correct for it.
>
> Incidentally, at work a few months ago, there was some discussion about
> NTP on a major LRT project I was working on, though I wasn't directly
> involved with the NTP servers.  On this system, they have 2 GPS/NTP
> servers, at different locations, that were to be synced with 2 other
> servers.  This system runs over a fibre backbone, that's 11 Km long and
> they're somewhat fussy about NTP.  I had to explain, to one of my
> co-workers, how NTP worked.
>
Please, read the spec.
It is not used as you think. It has NO impact on the way the 
calculations are done so no impact on accuracy.

Emmanuel.

Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread James Knott
On 2019-08-21 09:44 AM, Miroslav Lichvar wrote:
> It has no impact on accuracy.

Maybe not on my local network, but what if the server was some distance
away?  I realize NTP was developed back in the days when a 56 Kb/s
connection was really something, but even with today's high bandwidth
connections there is some latency that would cause the client to be
slightly behind the server.  The calculations based on those time stamps
were meant to determine that latency and correct for it.

Incidentally, at work a few months ago, there was some discussion about
NTP on a major LRT project I was working on, though I wasn't directly
involved with the NTP servers.  On this system, they have 2 GPS/NTP
servers, at different locations, that were to be synced with 2 other
servers.  This system runs over a fibre backbone, that's 11 Km long and
they're somewhat fussy about NTP.  I had to explain, to one of my
co-workers, how NTP worked.





Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Miroslav Lichvar
On Wed, Aug 21, 2019 at 09:19:32AM -0400, James Knott wrote:
> On 2019-08-21 04:33 AM, Miroslav Lichvar wrote:
> > That's a privacy and security feature. Please see this draft
> 
> Yeah, I guess there's a real security threat in the 2' between my
> desktop computer and my firewall.  ;-)
> 
> Is there any way to disable this "feature"?  While it might not make
> much of a difference on a desktop system, there are plenty of situations
> where an accurate clock is needed.

It has no impact on accuracy. You could specify the server as a
"peer". That will disable the feature. But I'm not sure why would you
want to do that.

-- 
Miroslav Lichvar




Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread James Knott
On 2019-08-21 04:33 AM, Miroslav Lichvar wrote:
> That's a privacy and security feature. Please see this draft

Yeah, I guess there's a real security threat in the 2' between my
desktop computer and my firewall.  ;-)

Is there any way to disable this "feature"?  While it might not make
much of a difference on a desktop system, there are plenty of situations
where an accurate clock is needed.





Re: [chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-21 Thread Miroslav Lichvar
On Tue, Aug 20, 2019 at 02:11:19PM -0400, James Knott wrote:
> I was just looking at some NTP packets between my openSUSE desktop
> system and my firewall, which has a NTP server.  I see the request
> timestamps are all bogus values.

That's a privacy and security feature. Please see this draft

https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/

-- 
Miroslav Lichvar




[chrony-users] NTP bogus timestamps - Chrony on openSUSE 15.1

2019-08-20 Thread James Knott
I was just looking at some NTP packets between my openSUSE desktop
system and my firewall, which has a NTP server.  I see the request
timestamps are all bogus values.

    Reference ID: NULL
    Reference Timestamp: Jan  1, 1970 00:00:00.0 UTC
    Origin Timestamp: Jan  1, 1970 00:00:00.0 UTC
    Receive Timestamp: Jan  1, 1970 00:00:00.0 UTC
    Transmit Timestamp: Jun 23, 1983 00:21:14.440064618 UTC

However, the reply from the server shows correct values.

    Reference ID: 132.246.11.238
    Reference Timestamp: Aug 20, 2019 15:46:02.939010883 UTC
    Origin Timestamp: Jun 23, 1983 00:21:14.440064618 UTC
    Receive Timestamp: Aug 20, 2019 16:02:07.892748690 UTC
    Transmit Timestamp: Aug 20, 2019 16:02:07.892798979 UTC

Why are the values from the client nonsense?

Proper NTP operation requires accurate time stamps in both directions,
to ensure accurate time.  For example, the transit time is used to
determine the local offset from the server.

The packets between my pfSense firewall and the public NTP server show
correct values.

    Reference ID: 132.246.11.238
    Reference Timestamp: Aug 20, 2019 16:21:22.937971724 UTC
    Origin Timestamp: Aug 20, 2019 16:23:07.952061086 UTC
    Receive Timestamp: Aug 20, 2019 16:23:07.971987723 UTC
    Transmit Timestamp: Aug 20, 2019 16:31:44.921310040 UTC

https://en.wikipedia.org/wiki/Network_Time_Protocol#Timestamps

