Re: [OT] Splitting PPS?
Richard Laager via devel writes:
> Upon further investigation, there is a concern about the GPS antenna
> placement.

What concern(s)?

> Does anyone have recommendations for GPS antenna RF-to-fiber converters
> or other ways to have the GPS antenna a long way (in a building) from
> the GPS receiver?

The setup you've described previously should already downconvert and amplify the GPS to something that can be sent through long cheap coax runs (you need to check the exact part numbers since these came in a variety of flavors). This signal can be re-amplified with a standard inline LNA you'd use for video feeds. I don't think an "inside the building" run will exceed what you can do with that kind of setup (these kits are typically specced for 300…500 m w/o extra amplification).

LNA inline amplifiers for unadulterated GPS also exist, so you can extend your cable runs w/o converters (that generally requires better coax than you'd be able to use for the downconverted signal). RF downconverted signals are also easy to split via video distribution amps, but of course require matching receivers.

If the concern is rather about lightning protection and grounding, then fiber is probably the easier solution, but will be more expensive up-front. If you search for "GPS over fiber" you'll get a good overview of the market. Which kit is most appropriate for your situation depends on a lot of factors.

Last but not least, you could get an industrial PC with an SFP slot directly on the roof and directly send out NTP from there over fiber. If you want to go all out, make that a WhiteRabbit link.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
Re: [OT] Splitting PPS?
> Does anyone have recommendations for GPS antenna RF-to-fiber converters or
> other ways to have the GPS antenna a long way (in a building) from the GPS
> receiver?

How far is "a long way"?

One approach is amplifiers and coax. The most cost effective coax is the good cable TV stuff. RG-6, I think. It's 75 ohms rather than 50, but that loss is minor relative to the length of the coax. You can get in-line amplifiers.

Plan B is to put the receiver out near the antenna and send the signals back at low bandwidth. For anything past a short length you want differential signaling. I've been thinking of building a pair of boards using Ethernet cables. They have 4 pairs. Transmit, Receive, PPS, and power. That's as far as the design has gone.

-- These are my opinions. I hate spam.
Re: [OT] Splitting PPS?
Upon further investigation, there is a concern about the GPS antenna placement.

Does anyone have recommendations for GPS antenna RF-to-fiber converters or other ways to have the GPS antenna a long way (in a building) from the GPS receiver?

-- Richard
Re: CPU load on FreeBSD. Classic NTP 5-6% vs NTPsec 10-17%
> I'm not familiar with how FreeBSD accounts CPU, but NTPsec uses a second
> thread for DNS lookups. If the traffic triggers lots of DNS lookups, the CPU
> gets accounted for in ticks per core and the ticks are fairly long, you could
> probably expect to see about twice the load.

The extra thread only does DNS lookups for names on server lines in your ntp.conf. Also the NTS-KE dance to set up the cookies used by NTS. External traffic can't start extra threads.

-- These are my opinions. I hate spam.
Re: cloudflare refers NTS users to wrong page
Udo van den Heuvel via devel writes:
> On 13-12-2019 11:31, Udo van den Heuvel via devel wrote:
>> No change in ntpd behaviour...
>
> Certificates ended up in /etc/pki/tls/certs/ca-bundle.trust.crt and
> /etc/pki/tls/certs/ca-bundle.crt
>
> But after an ntpd restart no change...

You didn't forget that you run in a chroot environment and updated the cert chain in the chroot root as well?

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Waldorf MIDI Implementation & additional documentation:
http://Synth.Stromeko.net/Downloads.html#WaldorfDocs
Re: CPU load on FreeBSD. Classic NTP 5-6% vs NTPsec 10-17%
Mike Yurlov via devel writes:
> I recently started the public server for ntppool (Yo, Ask) on
> FreeBSD. Yesterday I was migrate from Classic NTPd to NTPSec (oh, it
> was painful!). I'm copy ntp.conf to ntpsec.conf and only convert
> "magic" 127.127.20 x to refclock. When I looking to "top" I see NTPsec
> eat 10-17% CPU. But Classic NTPd eat only 4-6% on same average
> 3-4kpps/queries per second. Why?

I'm not familiar with how FreeBSD accounts CPU, but NTPsec uses a second thread for DNS lookups. If the traffic triggers lots of DNS lookups, the CPU gets accounted for in ticks per core and the ticks are fairly long, you could probably expect to see about twice the load.

Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
DIY Stuff: http://Synth.Stromeko.net/DIY.html
Re: CPU load on FreeBSD. Classic NTP 5-6% vs NTPsec 10-17%
> My best guess is that we are now using crypto quality random numbers where
> we don't need them. That and nobody has reported CPU problems yet. You are
> probably the first one to have enough traffic to notice. Thanks for the
> data point.

Hmmm... When I increase the mru size, CPU increases extremely too. Changes of query rate/pps do not affect it so much. I will do some tests with mru size. Looks like the problem is here. But ntpsec ntp_list.h is totally like classic. I'm at a loss. Perhaps BSD has some issues in CLANG compiler flags or Python, or needs other malloc/memory operation calls, I don't know. Therefore I am here.

I'm not the first one with 3-4kpps traffic (I guess many ntp pool hosts have it). But I use 1) BSD, not Linux 2) without gpsd and shm interlayers. Only native "nmea" and only GNGGA/GPGGA messages (all others are switched off).

Building on latest BSD gives "'AnsiTerm' object has no attribute 'buffer'". Google gives me a workaround from the mailing list:

sh (go to "sh" shell, generally I use tcsh)
NOSYNC=1 ./waf configure --refclock=all (or local,nmea,pps)
NOSYNC=1 ./waf build
NOSYNC=1 ./waf install

> Anything interesting in ntpq monstats?

I am testing some solutions here. The best filtering tool is the firewall, but unfortunately BSD firewalls do not have a filter function by packet rate or traffic volume like iptables. Now I use a traffic collector to count traffic + a simple cron script and block overly active hosts and crap for some hours. Therefore, flooders do not load the NTP daemon too much and the mrulist does not grow excessively. Nevertheless sysstats show ~3% "bad length or format" and ~3% rate limited hosts. Among other things the server receives ~0.5-1% of traffic from "gray" subnets (192.168/16, 10.0.0.0/8 and so on) coming from the "big Internet" from other ISPs.

My recommendation for public NTP server owners: read RFC6890 and block unneeded (for you) IP ranges with the firewall. As usual your ISP doesn't have a correct reverse path for these IPs and you should not send them back, creating load on the network.

Let's get back to CPU loading :)

-- Mike
Re: CPU load on FreeBSD. Classic NTP 5-6% vs NTPsec 10-17%
> When I looking to "top" I see NTPsec eat 10-17% CPU. But Classic NTPd eat
> only 4-6% on same average 3-4kpps/queries per second. Why?

I don't have a clean answer.

My best guess is that we are now using crypto quality random numbers where we don't need them. That and nobody has reported CPU problems yet. You are probably the first one to have enough traffic to notice. Thanks for the data point.

I'm actually working on that area. What should have been a simple fix breaks things in a way that I don't understand (yet) so I can't give you a fix to try. I'll get back to you when I have something ready.

---

> mru initmem 10 maxmem 25 maxage 9 minage 3600 incmem 1000
> strange, but when I restart daemon, I does not see ~100M memory in ps/top
> output, only ~20M as usual and it increased slowly. After that I went to bed
> and ~7 hours later in the morning I have ~100Mb memory and 68-70% ntpd CPU
> in "top". WOW! (I met similar behavior in very old traffic collecting
> daemons that use linear ip search in arrays without hashes).

There is a hash table in there. I'd expect the per-packet processing to be slightly slower after the table gets filled up, but it should be only a few page faults.

Anything interesting in ntpq monstats?

I'm slightly surprised that you only got to 100M of memory with 7 hours of 3-4kpps/queries per second. I'd expect more.

You can get info on bad guys with
  ntpq -nc "mru mincount=10 sort=avgint"
Adjust the 10 to fit. I see things like this on a pool server:

lstint avgint rstr r m v  count rport remote address
===================================================
 33146  0.161   d0 . 3 4 538033 39610 184.53.16.164
    61  0.395   d0 . 3 4 651622 61856 67.45.32.25
     1   1.16   d0 . 3 4 226293  3083 52.37.82.169
     2   1.59   d0 . 3 4 164302 30105 192.146.154.1
     2   1.89   d0 . 3 4 138149 45984 34.235.70.98
    21   2.39   d0 . 3 4 109543 60992 204.186.6.242

-- These are my opinions. I hate spam.
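The two operational suggestions in this thread, Hal's `ntpq -nc "mru mincount=10 sort=avgint"` listing of the heaviest clients and Mike's advice to firewall the RFC 6890 special-purpose ranges that leak in from the "big Internet", can be turned into one small triage script. The following is an added example, not ntpsec project code: it parses MRU output in the column layout Hal posted, flags sources that poll faster than a threshold and any source inside a bogon block, and emits `pfctl` table additions for a FreeBSD pf firewall. The thresholds, the subset of RFC 6890 blocks, the pf table name `ntp_abusers`, and the sample rows (Hal's rows plus one constructed RFC 1918 source) are all assumptions for illustration.

```python
"""Triage an ntpq MRU listing for abusive clients and RFC 6890 sources.

Added example (not ntpsec project code).  Assumptions: the column layout of
`ntpq -nc "mru mincount=10 sort=avgint"` as shown in the thread
(lstint avgint rstr r m v count rport remote-address), the thresholds, and
the pf table name "ntp_abusers".
"""
import ipaddress
from dataclasses import dataclass

# RFC 6890 special-purpose blocks that should never arrive from the public
# Internet.  Subset chosen for illustration; extend per site.
RFC6890_BLOCKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "2001:db8::/32",
)]


@dataclass
class MruEntry:
    lstint: int      # seconds since the last packet from this source
    avgint: float    # average seconds between packets
    rstr: str        # restriction flags (hex)
    count: int       # packets seen from this source
    rport: int       # remote source port
    addr: str        # remote address


def parse_mru(text):
    """Parse ntpq mru output, skipping the header and separator lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        entries.append(MruEntry(
            lstint=int(parts[0]), avgint=float(parts[1]), rstr=parts[2],
            count=int(parts[6]), rport=int(parts[7]), addr=parts[8]))
    return entries


def is_special_purpose(addr):
    """True if addr falls inside one of the RFC 6890 blocks above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC6890_BLOCKS)


def flag_abusers(entries, max_avgint=2.0, min_count=1000):
    """Return [(addr, reason)] for sources polling faster than max_avgint
    seconds on average with at least min_count packets, and for any source
    inside an RFC 6890 block regardless of its rate."""
    flagged = []
    for e in entries:
        reasons = []
        if is_special_purpose(e.addr):
            reasons.append("rfc6890-source")
        if e.avgint < max_avgint and e.count >= min_count:
            reasons.append(f"avgint={e.avgint}s count={e.count}")
        if reasons:
            flagged.append((e.addr, "; ".join(reasons)))
    return flagged


def pfctl_block_commands(flagged, table="ntp_abusers"):
    """pfctl commands adding the flagged sources to a pf table; pf.conf must
    reference the table (e.g. `block in quick from <ntp_abusers>`)."""
    return [f"pfctl -t {table} -T add {addr}" for addr, _ in flagged]


# Constructed sample: the rows Hal posted plus one leaked RFC 1918 source.
SAMPLE_MRU = """\
lstint avgint rstr r m v  count rport remote address
===================================================
 33146  0.161   d0 . 3 4 538033 39610 184.53.16.164
    61  0.395   d0 . 3 4 651622 61856 67.45.32.25
     1   1.16   d0 . 3 4 226293  3083 52.37.82.169
     2   1.59   d0 . 3 4 164302 30105 192.146.154.1
     2   1.89   d0 . 3 4 138149 45984 34.235.70.98
    21   2.39   d0 . 3 4 109543 60992 204.186.6.242
     5   7.50   d0 . 3 4    120   123 192.168.1.5
"""

if __name__ == "__main__":
    for cmd in pfctl_block_commands(flag_abusers(parse_mru(SAMPLE_MRU))):
        print(cmd)
```

Run from cron with the live listing piped in instead of `SAMPLE_MRU`; blocking at the firewall keeps the flooders out of the MRU list entirely, which is what Mike reports as the fix for the memory growth. Hosts in RFC 6890 ranges are flagged even at low rates because their replies cannot be routed back anyway.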
Re: cloudflare refers NTS users to wrong page
udo...@xs4all.nl said:
> The chroot is the root cause I guess. Thanks for tipping me about that one.
> I copied over /etc/pki to /chroot/ntpd/etc and stuff starts to see certs and
> such:

Thanks for bringing this to our attention and helping to track it down.

-- These are my opinions. I hate spam.
Re: cloudflare refers NTS users to wrong page
On 13-12-2019 12:37, Hal Murray wrote:
> Are you using a chroot jail? If so, does it let ntpd see the root certs?

The chroot is the root cause I guess. Thanks for tipping me about that one.
I copied over /etc/pki to /chroot/ntpd/etc and stuff starts to see certs and such:

Dec 13 12:42:57 sp2 ntpd[1589263]: NTSc: read 880 bytes
Dec 13 12:42:57 sp2 ntpd[1589263]: NTSc: Got 8 cookies, length 104, aead=15.
Dec 13 12:42:57 sp2 ntpd[1589263]: NTSc: NTS-KE req to ntp1.glypnod.com took 0.659 sec, OK
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: DNS lookup of ntp2.glypnod.com took 0.001 sec
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: nts_probe connecting to ntp2.glypnod.com:123 => [2a03:b0c0:1:d0::1f9:f001]:123
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: certificate subject name: /CN=ntp2.glypnod.com
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: certificate is valid.
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: read 880 bytes
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: Got 8 cookies, length 104, aead=15.
Dec 13 12:42:58 sp2 ntpd[1589263]: NTSc: NTS-KE req to ntp2.glypnod.com took 0.106 sec, OK

Looks better to me...
Thanks again for the tip!

Kind regards,
Udo
Re: cloudflare refers NTS users to wrong page
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate invalid: 20=>unable to
> get local issuer certificate
> Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: NTS-KE req to ntp2.glypnod.com took
> 0.086 sec, fail

I don't know what's wrong. This is the first time I've seen something like this. That stuff is buried deep inside libssl.

Are you using a chroot jail? If so, does it let ntpd see the root certs?

--

ntp2 is using a certificate by Let's Encrypt

It works from here:
$ openssl s_client -showcerts -quiet ntp2.glypnod.com:123
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ntp2.glypnod.com
verify return:1
$

It doesn't say "good", but testing on a self-signed certificate says:
verify error:num=20:unable to get local issuer certificate

I guess we are supposed to assume it's OK unless there is a nasty message.

-- These are my opinions. I hate spam.
Re: cloudflare refers NTS users to wrong page
On 13-12-2019 11:31, Udo van den Heuvel via devel wrote:
> No change in ntpd behaviour...

Certificates ended up in /etc/pki/tls/certs/ca-bundle.trust.crt and /etc/pki/tls/certs/ca-bundle.crt

But after an ntpd restart no change...

Udo
Re: cloudflare refers NTS users to wrong page
On 13-12-2019 11:21, Udo van den Heuvel via devel wrote:
> On 13-12-2019 11:09, Udo van den Heuvel via devel wrote:
>> So is this an issue in the ca-certificates rpm?
>
> https://letsencrypt.org/certificates/ shows the relationships between
> certificates.
> Could it be that the Fedora rpm has no info on the X3 cert?

Using the info at https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/ I placed some pem files (sans .txt) in /etc/pki/ca-trust/source/anchors/ and ran sudo update-ca-trust.

Stuff looks like:

# ls -tl
total 12
-rw-r--r-- 1 root root 1647 Dec 13 11:27 lets-encrypt-x3-cross-signed.pem
-rw-r--r-- 1 root root 2016 Dec 13 11:27 letsencryptauthorityx3.pem
-rw-r--r-- 1 root root 1200 Dec 13 11:25 trustid-x3-root.pem

No change in ntpd behaviour...

Udo
Re: cloudflare refers NTS users to wrong page
On 13-12-2019 11:09, Udo van den Heuvel via devel wrote:
> So is this an issue in the ca-certificates rpm?

https://letsencrypt.org/certificates/ shows the relationships between certificates.
Could it be that the Fedora rpm has no info on the X3 cert?

Udo
Re: cloudflare refers NTS users to wrong page
Hal,

On 13-12-2019 10:56, Hal Murray wrote:
> On Fedora, it's ca-certificates.noarch

Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: DNS lookup of ntp2.glypnod.com took 0.031 sec
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: nts_probe connecting to ntp2.glypnod.com:123 => [2a03:b0c0:1:d0::1f9:f001]:123
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate subject name: /CN=ntp2.glypnod.com
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate invalid: 20=>unable to get local issuer certificate
Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: NTS-KE req to ntp2.glypnod.com took 0.086 sec, fail

[root@sp2 ~]# rpm -q ca-certificates
ca-certificates-2019.2.32-3.fc31.noarch

So is this an issue in the ca-certificates rpm?

Udo
Re: cloudflare refers NTS users to wrong page
> Can anybody confirm that installing the certificates for ntpd as a server can
> fix the client-side certificate issues as well?

No.

For a client, you need a root certificate for each server's certificate. Most distros have a package with many root certificates and their libssl is set up to know where that lives so you don't have to do anything more than add "nts" to the server line. (Web browsers are normally set up to use that collection.)

On Fedora, it's ca-certificates.noarch
The sudo package needs it (??) so it is probably installed on your system.

For a server, you need a certificate (chain) and the corresponding private key. Your clients need the root certificate. If you have a typical certificate, one that would work for a web site, the root certificate is probably part of the normal package. If you have a self signed certificate, you have to distribute your root certificate and they have to add that to their server line:
  server mumble.example.com nts ca

---

Do you have an "nts ca x" line in your ntp.conf? That would override the default certificate collection?

-- These are my opinions. I hate spam.
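The failure worked through in this thread has two halves: Hal's point that, absent an `nts ca` override, libssl looks in the distro's default root-certificate store, and the eventual finding that ntpd was running in a chroot where that store did not exist. The script below is an added example, not ntpsec code: it turns the `NTSc:` log lines into a per-server verdict (mapping OpenSSL verify code 20 to its usual operational cause) and checks whether the paths libssl would consult, taken from Python's `ssl.get_default_verify_paths()`, are present beneath a chroot root. The chroot location `/chroot/ntpd`, the hint table, and the sample log lines (constructed from those quoted in the thread) are assumptions.

```python
"""Diagnose NTS-KE certificate failures and check that ntpd's chroot can
see the CA bundle.

Added example, not ntpsec code.  Assumptions: the chroot lives at
/chroot/ntpd as in the thread, no `nts ca` override is configured so
libssl consults its default verify paths (ssl.get_default_verify_paths()),
and the log lines have the NTSc format shown in the thread.
"""
import os
import re
import ssl

NTSKE_RESULT = re.compile(r"NTSc: NTS-KE req to (\S+) took [\d.]+ sec, (OK|fail)")
CERT_INVALID = re.compile(r"NTSc: certificate invalid: (\d+)=>(.*)")

# OpenSSL X509 verify error codes and the operational cause to check first.
VERIFY_HINTS = {
    "20": "unable to get local issuer certificate (libssl cannot reach the "
          "CA bundle: check the chroot and any `nts ca` path)",
}


def triage_ntsc_log(lines):
    """Map each NTS-KE server to 'OK' or to the verify failure that preceded
    its 'fail' result."""
    pending = None
    results = {}
    for line in lines:
        m = CERT_INVALID.search(line)
        if m:
            code, msg = m.group(1), m.group(2).strip()
            pending = VERIFY_HINTS.get(code, f"{code}=>{msg}")
            continue
        m = NTSKE_RESULT.search(line)
        if m:
            server, outcome = m.groups()
            results[server] = "OK" if outcome == "OK" else (pending or "fail")
            pending = None
    return results


def default_trust_paths():
    """CA file/dir locations libssl consults when no override is given."""
    p = ssl.get_default_verify_paths()
    return [x for x in (p.cafile, p.capath, p.openssl_cafile, p.openssl_capath) if x]


def missing_in_chroot(chroot, paths, exists=os.path.exists):
    """Return the trust-store paths (as libssl sees them) that do not exist
    underneath the chroot root.  `exists` is injectable for testing."""
    return [p for p in paths if not exists(os.path.join(chroot, p.lstrip("/")))]


# Constructed from the log lines quoted in the thread.
SAMPLE_LOG = [
    "Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: certificate invalid: 20=>unable to get local issuer certificate",
    "Dec 13 11:07:18 sp2 ntpd[1582985]: NTSc: NTS-KE req to ntp2.glypnod.com took 0.086 sec, fail",
    "Dec 13 12:42:57 sp2 ntpd[1589263]: NTSc: certificate is valid.",
    "Dec 13 12:42:57 sp2 ntpd[1589263]: NTSc: NTS-KE req to ntp1.glypnod.com took 0.659 sec, OK",
]

if __name__ == "__main__":
    for server, status in triage_ntsc_log(SAMPLE_LOG).items():
        print(f"{server}: {status}")
    for path in missing_in_chroot("/chroot/ntpd", default_trust_paths()):
        print(f"missing inside chroot: {path}")
```

The verify paths reported by Python's `ssl` module are those compiled into the same libssl ntpd links against only if both use the same OpenSSL build; on a mixed system, pass the output of `openssl version -d` (plus `certs/` and `cert.pem`) to `missing_in_chroot` instead. If ntp.conf carries an `nts ca` override, check that path under the chroot rather than the defaults.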
Re: cloudflare refers NTS users to wrong page
On 10-12-2019 06:47, Hal Murray wrote:
> Do you have the normal collection of root certificates installed? Are they up
> to date?

Can anybody confirm that installing the certificates for ntpd as a server can fix the client-side certificate issues as well?

Kind regards,
Udo
Re: cloudflare refers NTS users to wrong page
Hal,

On 10-12-2019 06:47, Hal Murray wrote:
>> I also might have a local issue as I get:
>> NTSc: certificate invalid: 20=>unable to get local issuer certificate
>> (for the other servers mentioned at the howto page)
>
> What OS/distro/version are you using?

Fedora 31 Linux with kernel.org, git mesa, git amdgpu, git ntpsec, etc.

> Do you have the normal collection of root certificates installed? Are they up
> to date?

I do not have the faintest idea.
I guess I need to explain to ntpd that we have a certificate that can confirm the servers at the other side.
I was away but will have some time for the next week.

Udo
CPU load on FreeBSD. Classic NTP 5-6% vs NTPsec 10-17%
Hi All!

I recently started a public server for ntppool (Yo, Ask) on FreeBSD. Yesterday I migrated from Classic NTPd to NTPSec (oh, it was painful!). I copied ntp.conf to ntpsec.conf and only converted the "magic" 127.127.20.x to refclock. When I look at "top" I see NTPsec eating 10-17% CPU. But Classic NTPd ate only 4-6% on the same average 3-4kpps/queries per second. Why?

System is FreeBSD 12.1-STABLE r353872, kernel compiled with options PPS_SYNC. Hardware is not new (but overhead for a single ntpd) - 1RU MSI server with 6Gb memory and Intel(R) Core(TM)2 Quad CPU Q9400 @2.66GHz.

Sources:
1) uBlox 8 GPS+GLONASS on RS232 + PPS (primary and prefer)
2) Garmin 18x LVC on RS232 (backup and "noselect" because it has big jitter and does not have GLONASS)
3) some ntp Stratum1 servers

Classic NTPd is from the BSD distribution/sources, version 4.2.8p13. NTPSec is 1.1.8 from .tar.gz. I copied ntp.conf to ntpsec.conf and only converted the "magic" 127.127.20.x to

refclock nmea unit 0 prefer mode 0x1 minpoll 2 maxpoll 4 time2 0.1782 refid GPS path /dev/gps0 baud 9600 flag1 1 flag2 0 flag3 1
refclock nmea unit 1 noselect mode 0x1 minpoll 4 maxpoll 4 time2 0.542 refid GPS path /dev/gps1 baud 4800 flag1 0 flag2 0 flag3 1

and run the daemon as

ntp -c ntpsec.conf

I read some topics/issues and thought "the server has many bad/flood queries (it's true, I'm inspecting the traffic dump), so let's increase the mru size?". Ok, I have 6Gb memory and a powerful CPU (for one ntpd task), therefore I configured (values from some ntpsec issue topic):

mru initmem 10 maxmem 25 maxage 9 minage 3600 incmem 1000

Strangely, when I restart the daemon, I don't see ~100M memory in ps/top output, only ~20M as usual, and it increases slowly. After that I went to bed and ~7 hours later in the morning I have ~100Mb memory and 68-70% ntpd CPU in "top". WOW! (I met similar behavior in very old traffic collecting daemons that use linear IP search in arrays without hashes). I commented out the mru settings and now have 12-17% again.

It's 2x more than Classic. NTPSec is positioned as an improved alternative to the classic NTPd with code cleaning and optimization. Why so much CPU?

-- Mike