Eric said:
>> I don't want the UI side of HTTP in ntpd.
> I'd like to understand better what you mean by "the UI side" and
> what your objection is.
Web stuff is complicated. We'll get into UI wars.
You can't easily script things.
If you want a web UI, we should build that on top of Mode 6 (or
dfoxfra...@gmail.com said:
[using ALPN]
> I've never tried it myself, but I think Nginx can handle this. Use
> ngx_stream_ssl_preread_module to check ALPN, then based on what's there
> either terminate TLS locally or forward traffic at the TCP layer to some
> other port on ::1. AFAIK Apache users
On 3/5/19 1:26 PM, Gary E. Miller via devel wrote:
>> and by what
>> mechanism (i.e. are you using the Mode 6 writable parameter(s) being
>> proposed for removal)?
>
> I do it with: killall ntpd
The mode 6 changes aren't really relevant to you then. I see the
security (and complexity) benefit to
> Maybe this isn't a good path to go down after all.
This has been requested for a long time. I think it's worth the effort. We
just have to find the right person (team?) and the right time.
It may involve cleaning up that area, but that's not bad. Or maybe just
rearranging, or maybe just a
Hal Murray via devel :
> The config file touches a lot of stuff. You basically have to diff the old
> and new config file. Removing a server is simple. Adding a new server is
> simple. Removing a tinker operation requires knowing what the default
> is/was.
> That's probably another slot in
Still accurate.
OTOH, OS X finally got clock_gettime() in 10.12.
On Tue, Mar 5, 2019 at 4:28 PM Hal Murray via devel wrote:
>
>
> wscript says MacOS doesn't have it.
>
> timer_create seems pretty basic. Is that still accurate? Or perhaps leftover
> from an old version that is no longer support
Hal Murray via devel :
>
> wscript says MacOS doesn't have it.
>
> timer_create seems pretty basic. Is that still accurate? Or perhaps
> leftover
> from an old version that is no longer supported?
Sorry, no clue here. My Mac-fu is weak.
--
http://www.catb.org/~esr/";>Eric S.
On Tue, Mar 5, 2019 at 4:10 PM Hal Murray wrote:
> How does that work in practice? 443 is for HTTPS. Does Apache have a call
> out mode? Is there a standard utility that does ALPN dispatching? What
> fraction of clients send ALPN info?
I've never tried it myself, but I think Nginx can handle
wscript says MacOS doesn't have it.
timer_create seems pretty basic. Is that still accurate? Or perhaps leftover
from an old version that is no longer supported?
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
ht
Gary said:
> But I would like something like SIGHUP to get ntpd to re-read the config file
> and yet keep state.
I think something like that is possible. It's not simple, but not horrible.
The HUP logic is there. It works for a new leap file and new log file when it
gets rotated.
The confi
> The spec already mandates that ALPN always be used and allocates a tag with
> IANA.
My call to
SSL_CTX_set_alpn_protos(client_ctx, alpn, sizeof(alpn));
is inside
#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
> tcp/123 is already a new firewall hole. If you want to work around
> unchangeabl
On Tue, Mar 05, 2019 at 12:46:29PM -0600, Richard Laager via devel wrote:
> On 3/5/19 12:45 PM, Gary E. Miller via devel wrote:
> > Yo Eric!
> >
> > On Tue, 5 Mar 2019 02:11:52 -0500
> > "Eric S. Raymond via devel" wrote:
> >
> >>> That would leave the configure option. I've never used it.
>
Achim Gratz via devel :
> > You want to reconfure your ntpd? Bounce it. This won't happen often.
>
> Depends. While you're trying to figure out the correct fudge times for
> instance you need a fully converged ntpd to see what's going on. If I
> have to restart ntpd each time I want to adjust t
On Tue, Mar 5, 2019 at 2:28 PM Eric S. Raymond wrote:
> Thanks. I didn't see that in the RFC draft. Did I simply miss it or is
> it in a registry that is entirely separate?
Last sentence of section 3, first sentence of section 4, and section 7.2.
___
Daniel Franke :
> On Tue, Mar 5, 2019 at 1:52 PM Eric S. Raymond wrote:
> > If you end up going with a non-123 port number, I requst that the RFC
> > allow use on other ports when and if ALPN is available and specify
> > the ALPN tag to be used.
>
> The spec already mandates that ALPN always be u
Yo Richard!
On Tue, 5 Mar 2019 12:46:29 -0600
Richard Laager via devel wrote:
> On 3/5/19 12:45 PM, Gary E. Miller via devel wrote:
> > Yo Eric!
> >
> > On Tue, 5 Mar 2019 02:11:52 -0500
> > "Eric S. Raymond via devel" wrote:
> >
> >>> That would leave the configure option. I've never used
On Tue, Mar 5, 2019 at 1:52 PM Eric S. Raymond wrote:
> If you end up going with a non-123 port number, I requst that the RFC
> allow use on other ports when and if ALPN is available and specify
> the ALPN tag to be used.
The spec already mandates that ALPN always be used and allocates a tag
with
Daniel Franke :
> On Tue, Mar 5, 2019 at 7:21 AM Eric S. Raymond wrote:
> > You yourself advocated that Mode 6 ought to be replaced by an HTTP
> > service on TCP port 123. I think that's a good idea, if we can do
> > it. The problem is than NTS-KE *also* wants to have TCP 123.
>
> Like Hal pointe
Daniel Franke via devel writes:
> The intended design for running NTS with pool servers is that only the
> pool operator runs an NTS-KE server. The NTS-KE server then picks an
> NTS-enabled NTP server out of the pool and serves you an appropriate
> NTPv4 Server Negotiation Record. Individual server
On 3/5/19 12:45 PM, Gary E. Miller via devel wrote:
> Yo Eric!
>
> On Tue, 5 Mar 2019 02:11:52 -0500
> "Eric S. Raymond via devel" wrote:
>
>>> That would leave the configure option. I've never used it.
>>
>> I think we can justify both removals on security. If Mode 6 is a
>> read-only channe
Yo Eric!
On Tue, 5 Mar 2019 02:11:52 -0500
"Eric S. Raymond via devel" wrote:
> > That would leave the configure option. I've never used it.
>
> I think we can justify both removals on security. If Mode 6 is a
> read-only channel there can never be any exploits over it. That's
> a significa
Hal Murray via devel writes:
> Gary said:
>>> I would assume that critical infrastructure would be run in a less
>>> insecure environment.
>> Bad assumption. Just look at any data center. There is no way to secure
>> customer machines. Unless you get rid of the customers.
>
> Right. But why wo
Eric S. Raymond via devel writes:
>> That would leave the configure option. I've never used it.
I did. It's one of the few ways you can change (some) things around
without haveing to re-start ntpd, with all the chaff that produces.
> I think we can justify both removals on security. If Mode 6 i
On Tue, Mar 5, 2019 at 7:21 AM Eric S. Raymond wrote:
> You yourself advocated that Mode 6 ought to be replaced by an HTTP
> service on TCP port 123. I think that's a good idea, if we can do
> it. The problem is than NTS-KE *also* wants to have TCP 123.
Like Hal pointed out, ALPN makes this a non
Hal Murray :
>
> Eric said:
> > You yourself advocated that Mode 6 ought to be replaced by an HTTP service
> > on
> > TCP port 123. I think that's a good idea, if we can do it. The problem is
> > than NTS-KE *also* wants to have TCP 123.
>
> I don't want the UI side of HTTP in ntpd.
I'd like t
Eric said:
> You yourself advocated that Mode 6 ought to be replaced by an HTTP service on
> TCP port 123. I think that's a good idea, if we can do it. The problem is
> than NTS-KE *also* wants to have TCP 123.
I don't want the UI side of HTTP in ntpd.
> What that says to me is that whatever
Daniel Franke :
> I'll post a rebuttal sometime later this week. As for IETF processes,
> though, you're years late. The WG already had a consensus call in 2016
> on what NTS-KE's framing format should look like, and it was
> unanimous. You can still comment during IETF Last Call and try to
> convi
> There is one interesting area that it doesn't cover. The kernel (on most
> OSes) has an optional PLL that locks on to a PPS source. ntpd acts as a
> sanity check and turns that on and off. If we want to use that mode, we need
> a back channel, or an ugly wart in ntpd. We can probably get t
> The intended design for running NTS with pool servers is that only the pool
> operator runs an NTS-KE server. The NTS-KE server then picks an NTS-enabled
> NTP server out of the pool and serves you an appropriate NTPv4 Server
> Negotiation Record. Individual server operators, on a one-time basi
29 matches
Mail list logo
