Re: [ntp:questions] ntpd -q and driftfile
Chris Albertson wrote:
> I'd bet any musician could do better than 0.1 sec. If you are playing piano and the timing of a note is off by as much as .1 sec it sounds like an error. MIDI is used to record musical performances and it uses a tick about every 10ms or 100 or 128 per second. That is about the range of human hearing, if you are good, delays smaller seem to us as simultaneous. I'd say that people who practice every day such as pianists could get to the 0.01 second range

You're probably right. My cousin Nils, who's a very talented musician/composer, used to claim that anyone can learn to sing in tune, but timing was something you had to be born with. (He's got the kind of ear that can listen to a 15-min piece of music once, then sit down and write out the score for all the instruments.)

Terje

--
- Terje.Mathisen at tmsw.no
almost all programming can be viewed as an exercise in caching

___ questions mailing list questions@lists.ntp.org http://lists.ntp.org/listinfo/questions
Re: [ntp:questions] ntpd -q and driftfile
Hi All,

Thanks for the discussion and suggestions. I accept there are disadvantages in syncing the local clock using ntpd -q. My only question was whether the drift file will be created/used/updated by ntpd when it is used with -q option.

Thanks and Regards,
Prashant
[ntp:questions] Secure NTP
Hello!

I am installing an NTP server, but requires authentication for that clients can be synchronized with the server, and also that authentication should be with public and private keys. Let me know if I can work with certificates issued by any authority or can only use the certificates generated by the ntp-keygen.

Thank you very much! I hope you can answer.

PS: I'm working with ntp v4
Re: [ntp:questions] ntpd -q and driftfile
On Thu, Mar 24, 2011 at 1:45 AM, prashant sherin pvs...@yahoo.com wrote:
> Hi All, Thanks for the discussion and suggestions. I accept there are disadvantages in syncing the local clock using ntpd -q. My only question was whether the drift file will be created/used/updated by ntpd when it is used with -q option.

The best clue is from the man page:

...With the -q option ntpd operates as in continuous mode, but exits just after setting the clock for the first time with the configured servers. ...

The point of having a drift file is just to give ntpd a hint when it starts up so that it can sync faster. So by the above I'd say that ntpd does the same thing on startup with and without the -q option.

As for setting the drift file I don't know if that is even meaningful for a short run. Typically you want to run for hours or days to get an accurate drift. By the above quote I'm pretty sure ntpd must use the file but if it sets the file, well you could determine yourself by looking at the file's time stamp to see the last time of modification.

If ntpd is not allowed to run long enough to set the drift file then after some time (weeks, months) it will hardly matter if ntp reads the drift file as the data inside will be outdated.

--
Chris Albertson
Redondo Beach, California
Re: [ntp:questions] Odd offset for PPS DCD w/ Garmin GPS 18x LVC
On Mar 23, 11:21 pm, Dave Hart daveh...@gmail.com wrote:
> On Thu, Mar 24, 2011 at 04:17 UTC, Dave Hart daveh...@gmail.com wrote:
>> 4.2.7p24 came out in April 2009
>
> Correction: 4.2.7p24 came out 13 April 2010.
>
>> Nothing between p23 and p24 jumps out at me as likely related. I wonder if this cset from October 2010 (first included in 4.2.5p237-RC)
>
> I need coffee. 4.2.5p237-RC came out 26 October 2009.
>
> Cheers, Dave Hart

I can only reaffirm my willingness to try any build provided.

I would suppose this is somehow related to the Garmin's weird NMEA message timing with respect to the PPS output. I don't remember the details, and I also know that things changed from the original GPS 18 model to the improved GPS 18x. And then, there's 3.20 firmware vs other firmware to bring into the mix.

I still have the older GPS 18 somewhere. I'll try it to see if there's a difference.
Re: [ntp:questions] Secure NTP
Yessica,

In principle, NTP Autokey can use certificates generated by OpenSSL or by other certificate authorities (CA); however, there are some very minor details with these certificates, including the sequence number and use of the X.500 extension fields. Ideally, the CA would run the Autokey protocol and serve as the TH itself, which would be consistent with the TC model. Absent that, the choice is to use the certificates generated by the ntp-keygen program.

Yessica wrote:
> Hello! I am installing an NTP server, but requires authentication for that clients can be synchronized with the server, and also that authentication should be with public and private keys. Let me know if I can work with certificates issued by any authority or can only use the certificates generated by the ntp-keygen. Thank you very much! I hope you can answer. PS: I'm working with ntp v4
Re: [ntp:questions] Odd offset for PPS DCD w/ Garmin GPS 18x LVC
On 2011-03-24, lellis larry.el...@gmail.com wrote:
> On Mar 23, 11:21 pm, Dave Hart daveh...@gmail.com wrote:
>> On Thu, Mar 24, 2011 at 04:17 UTC, Dave Hart daveh...@gmail.com wrote:
>>> 4.2.7p24 came out in April 2009
>>
>> Correction: 4.2.7p24 came out 13 April 2010.
>>
>>> Nothing between p23 and p24 jumps out at me as likely related. I wonder if this cset from October 2010 (first included in 4.2.5p237-RC)
>>
>> I need coffee. 4.2.5p237-RC came out 26 October 2009.
>>
>> Cheers, Dave Hart
>
> I can only reaffirm my willingness to try any build provided. I would suppose this is somehow related to the Garmin's weird NMEA message timing with respect to the PPS output. I don't remember the details, and I also know that things changed from the original GPS 18 model to the improved GPS 18x. And then, there's 3.20 firmware vs other firmware to bring into the mix.

It delayed the nmea messages to just more than a second after the associated PPS pulse (i.e. the nmea sentence came more than a second after the time it was reporting). This makes the system seem to be out by a second. It is a bug.

> I still have the older GPS 18 somewhere. I'll try it to see if there's a difference.
Re: [ntp:questions] Secure NTP
Yessica yessima...@gmail.com wrote:
> Hello! I am installing an NTP server, but requires authentication for that clients can be synchronized with the server, and also that authentication should be with public and private keys. Let me know if I can work with certificates issued by any authority or can only use the certificates generated by the ntp-keygen. Thank you very much! I hope you can answer. PS: I'm working with ntp v4

When I see questions like this my first response is "Why all the bother?".

There is nothing secret or proprietary about the time of day.

Since all NTP servers provide UTC, the service reveals nothing about the machine other than the fact that the clock is correct.

If you don't want your resources utilized by outsiders, you just block access to the NTP port for everyone but your own clients as a blocked port uses less resources than denying an unsuccessful authorization does.

Am I missing something??

--
Jim Pennino
Remove .spam.sux to reply.
Re: [ntp:questions] Secure NTP
In article ghps58-1a@mail.specsol.com, j...@specsol.spam.sux.com writes:
> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day. Since all NTP servers provide UTC, the service reveals nothing about the machine other than the fact that the clock is correct. If you don't want your resources utilized by outsiders, you just block access to the NTP port for everyone but your own clients as a blocked port uses less resources than denying an unsuccessful authorization does. Am I missing something??

Yes. The encryption also verifies that you are talking to the server you think you are talking to rather than an imposter.

--
These are my opinions, not necessarily my employer's. I hate spam.
Re: [ntp:questions] Secure NTP
On Thu, Mar 24, 2011 at 2:26 PM, j...@specsol.spam.sux.com wrote:
> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day.

Security is so that you know you are not being spoofed. Or if you are providing the time so that you can prove to your users that you are who you claim to be and are not spoofing them.

There is the chance that someone might impersonate one of your servers or a server you use, and then make a computer's clock be set to the wrong time. Again who cares if you only use your computer to surf the web and read emails but what if you were a bank processing ATM or visa card transactions or worse a computer routing trains or airplanes or controlling stop lights.

If I were smart enough to remotely control a computer's time, then I could maybe make stock trades with an effective trade date of four hours ago. I could make a fortune.

--
Chris Albertson
Redondo Beach, California
Re: [ntp:questions] Secure NTP
Hal Murray hal-use...@ip-64-139-1-69.sjc.megapath.net wrote:
> In article ghps58-1a@mail.specsol.com, j...@specsol.spam.sux.com writes:
>> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day. Since all NTP servers provide UTC, the service reveals nothing about the machine other than the fact that the clock is correct. If you don't want your resources utilized by outsiders, you just block access to the NTP port for everyone but your own clients as a blocked port uses less resources than denying an unsuccessful authorization does. Am I missing something??
>
> Yes. The encryption also verifies that you are talking to the server you think you are talking to rather than an imposter.

If you specify the server by IP address, how does that happen and who would bother to do it?

IP hijacking will disrupt a lot more than just NTP.

If your server and its clients are on a corporate network, which is the usual case for having one's own server, how does this happen?

--
Jim Pennino
Remove .spam.sux to reply.
Re: [ntp:questions] Secure NTP
On Thu, Mar 24, 2011 at 4:18 PM, j...@specsol.spam.sux.com wrote:
> Hal Murray hal-use...@ip-64-139-1-69.sjc.megapath.net wrote:
>> In article ghps58-1a@mail.specsol.com, j...@specsol.spam.sux.com writes:
>>> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day. Since all NTP servers provide UTC, the service reveals nothing about the machine other than the fact that the clock is correct. If you don't want your resources utilized by outsiders, you just block access to the NTP port for everyone but your own clients as a blocked port uses less resources than denying an unsuccessful authorization does. Am I missing something??
>>
>> Yes. The encryption also verifies that you are talking to the server you think you are talking to rather than an imposter.
>
> If you specify the server by IP address, how does that happen and who would bother to do it?

The most obvious and easy way is that I cut the wire that goes from your house to your ISP and place a computer (and modems) at the cut point. It can change any bit in any packet. I would not bother with your house but a bank, maybe. If I could make transactions that were backdated I could make a lot of money even if only slightly back dated by 10 seconds.

> IP hijacking will disrupt a lot more than just NTP.

It can, but that is up to the hijacker. A man in the middle attack can filter network packets and change only the bits he wants changed.

> If your server and its clients are on a corporate network, which is the usual case for having one's own server, how does this happen?

Outsider has taken control of a computer that lives inside your network.

In general your argument follows a common mistake. It is equivalent to "I can't figure it out so therefore it can't happen." It is never valid to argue it's impossible because I can't figure any way to. To claim something is impossible you need something that is very much like a mathematical proof.

--
Chris Albertson
Redondo Beach, California
Re: [ntp:questions] Secure NTP
Chris Albertson albertson.ch...@gmail.com wrote:
> On Thu, Mar 24, 2011 at 2:26 PM, j...@specsol.spam.sux.com wrote:
>> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day.
>
> Security is so that you know you are not being spoofed. Or if you are providing the time so that you can prove to your users that you are who you claim to be and are not spoofing them.

The question was about clients authenticating to the server. See below.

> There is the chance that someone might impersonate one of your servers or a server you use, and then make a computer's clock be set to the wrong time. Again who cares if you only use your computer to surf the web and read emails but what if you were a bank processing ATM or visa card transactions or worse a computer routing trains or airplanes or controlling stop lights.
>
> If I were smart enough to remotely control a computer's time, then I could maybe make stock trades with an effective trade date of four hours ago. I could make a fortune.

If the time on a client is that important, you run multiple local servers with backup like a GPS NTP box and you don't depend on getting the time across the Internet.

If the time on a client is only kind of important, you still run multiple servers, which means a majority of your servers would have to be spoofed in sync before it would have any effect on the clients.

If your clients and server are on your local network, it is not very likely your servers are going to be spoofed, and if it is you have bigger issues than the time of day.

--
Jim Pennino
Remove .spam.sux to reply.
Re: [ntp:questions] Secure NTP
On 2011-03-24, Hal Murray hal-use...@ip-64-139-1-69.sjc.megapath.net wrote:
> In article ghps58-1a@mail.specsol.com, j...@specsol.spam.sux.com writes:
>> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day.
>> [snip]
>> Am I missing something??
>
> Yes. The encryption also verifies that you are talking to the server you think you are talking to rather than an imposter.

NTP Authentication adds signatures to the packets. There is no encryption.

--
Steve Kostecke koste...@ntp.org
NTP Public Services Project - http://support.ntp.org/
Re: [ntp:questions] Secure NTP
On 2011-03-25, j...@specsol.spam.sux.com j...@specsol.spam.sux.com wrote:
> Chris Albertson albertson.ch...@gmail.com wrote:
>> On Thu, Mar 24, 2011 at 2:26 PM, j...@specsol.spam.sux.com wrote:
>>> When I see questions like this my first response is "Why all the bother?". There is nothing secret or proprietary about the time of day.
>>
>> Security is so that you know you are not being spoofed. Or if you are providing the time so that you can prove to your users that you are who you claim to be and are not spoofing them.
>
> The question was about clients authenticating to the server.

NTP Authentication authenticates the server to the clients. It is not a client access control mechanism.

--
Steve Kostecke koste...@ntp.org
NTP Public Services Project - http://support.ntp.org/
Re: [ntp:questions] Secure NTP
> NTP Authentication adds signatures to the packets. There is no encryption.

What are signatures? How are they generated?

Signatures are typically encrypted hashes of the message. They are typically used when you don't really care to hide the content of the message but you do want to verify the sender of the message. Signatures depend on cryptography.

--
Chris Albertson
Redondo Beach, California
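
Added example, not part of the thread: the point made above that NTP authentication signs packets without encrypting them, shown with the symmetric-key MAC described in RFC 5905 (a key ID plus an MD5 digest over the key followed by the header) rather than the Autokey public-key scheme the original question asks about. The key table, key ID 7 and all packet values are constructed for the illustration.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header size in bytes
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest

# Constructed key table (key ID -> shared secret); sample values only.
KEYS = {7: b"constructed-sample-secret"}


def build_header(transmit_secs: int) -> bytes:
    """Minimal server-mode NTPv4 header filled with constructed values."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                 # LI=0, version 4, mode 4
    head = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)   # stratum, poll, precision
    head += bytes(8)                                     # root delay, root dispersion
    head += bytes(4)                                     # reference ID
    head += bytes(24)                                    # reference/origin/receive
    head += struct.pack("!II", transmit_secs, 0)         # transmit timestamp
    return head


def sign(header: bytes, key_id: int) -> bytes:
    """Append key ID and MD5(key || header); the header itself stays in clear."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes) -> bool:
    """Accept only packets whose MAC matches a key the receiver trusts."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False          # unsigned, or has extension fields not parsed here
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = KEYS.get(key_id)
    if key is None:
        return False          # unknown key ID
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


def transmit_seconds(packet: bytes) -> int:
    """Read the transmit timestamp; possible without any key (no encryption)."""
    return struct.unpack("!I", packet[40:44])[0]


if __name__ == "__main__":
    pkt = sign(build_header(3_500_000_000), 7)
    print("readable timestamp:", transmit_seconds(pkt), "valid:", verify(pkt))
    altered = bytearray(pkt)
    altered[43] ^= 1          # one bit changed in transit
    print("altered timestamp:", transmit_seconds(bytes(altered)),
          "valid:", verify(bytes(altered)))
```
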