Re: [chrony-dev] [GIT] chrony/chrony.git branch, master, updated. 1.30-4-g8801508



On Tue, Aug 05, 2014 at 01:19:56PM +0200, Miroslav Lichvar wrote:
> On Tue, Aug 05, 2014 at 01:01:27PM +0200, git@xxxxxxxxxxxxx wrote:
> >     With separate client sockets, allow the initial connect() to fail (e.g.
> >     when the network is not reachable yet) and try to connect later when
> >     sending the packet.
> >     
> >     Also, reconnect the socket when the local address has changed.
> 
> I've received multiple reports of this bug: chronyd doesn't make any
> NTP queries when the initial connect() fails. This happens when
> chronyd starts and resolves the hostname of an online source (or
> chronyc online is issued) before the network is ready. A workaround is
> to disable separate client sockets with the acquisitionport directive.

It seems there are still some cases where this doesn't work as
expected. For instance, when the default route is changed to use a
newly configured interface, which might be better suited for NTP (e.g.
ethernet vs wlan), chronyd will not reconnect the socket until the
original local address disappears. The chronyc offline/online command
can be used to force chronyd to reconnect it, but I don't want that to
be a requirement.

There are several ways in which changes in routing could be detected,
but that seems complex and fairly expensive. Instead of trying that I'm
thinking about simply changing the NTP code to create a new socket for
each client query. This could improve the security slightly, as the
socket may be closed immediately when the reply is received, but it
will also mean that a different source port is used with each NTP
query.

The servers will not see the packets as coming from one client and I'm
also wondering if there could be any impact on network latency (e.g.
routers/firewalls tracking the connections).

Do you think this could be a problem? Thoughts?

-- 
Miroslav Lichvar
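As an added illustration of the per-query socket idea discussed in the message above (example code written for this page, not chrony's own implementation): each query creates a fresh UDP socket, connect()s it so that the kernel selects the current route and local address, sends one NTP request, accepts only a mode 4 reply whose origin timestamp echoes the request's transmit timestamp, and closes the socket. The loopback responder, its clock offset and its "corrupt origin" switch are constructed for the demo so that it runs offline; the timestamp layout follows the standard 48-byte NTP header.

```python
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, then 11 32-bit words
# (root delay, root dispersion, reference id, four 64-bit timestamps as two words each)
NTP_PACKET = struct.Struct("!BBbb11I")

def to_ntp_ts(unix_time):
    """Unix float time -> (seconds, fraction) NTP timestamp."""
    whole = int(unix_time)
    return (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF

def from_ntp_ts(sec, frac):
    """(seconds, fraction) NTP timestamp -> Unix float time."""
    return sec - NTP_EPOCH_OFFSET + frac / (1 << 32)

def query_once(server_addr, timeout=1.0):
    """One client query on a brand-new UDP socket: connect, send, validate reply, close.
    Returns (clock offset in seconds, local source port). Raises OSError if connect()
    fails (e.g. no route yet), socket.timeout on no reply, ValueError on a rejected reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # connect() on UDP fixes the peer and picks the local address/route *now*; with a
        # socket per query, a later route change is simply picked up by the next query.
        sock.connect(server_addr)
        sock.settimeout(timeout)
        t1 = time.time()
        sock.send(NTP_PACKET.pack(0x23, 0, 0, 0, *([0] * 9), *to_ntp_ts(t1)))  # 0x23: VN 4, mode 3
        reply = sock.recv(NTP_PACKET.size)
        t4 = time.time()
        if len(reply) < NTP_PACKET.size:
            raise ValueError("short reply")
        f = NTP_PACKET.unpack(reply)
        if f[0] & 0x07 != 4:
            raise ValueError("not a mode 4 server reply")
        # The origin timestamp must echo our transmit timestamp: it ties the reply to this
        # request, and with a fresh source port per query an unsolicited packet must match both.
        if (f[9], f[10]) != to_ntp_ts(t1):
            raise ValueError("origin timestamp mismatch: reply is not for this request")
        t2, t3 = from_ntp_ts(f[11], f[12]), from_ntp_ts(f[13], f[14])
        return ((t2 - t1) + (t3 - t4)) / 2, sock.getsockname()[1]
    finally:
        sock.close()  # nothing stays open between queries

class LoopbackResponder:
    """Constructed stand-in for an NTP server on 127.0.0.1 (not a real server)."""

    def __init__(self, clock_offset=0.0, corrupt_origin=False):
        self.clock_offset, self.corrupt_origin = clock_offset, corrupt_origin
        self.seen_ports = []  # one client source port per query received
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.settimeout(0.2)
        self.addr = self.sock.getsockname()
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while self.running:
            try:
                data, peer = self.sock.recvfrom(NTP_PACKET.size)
            except socket.timeout:
                continue
            except OSError:
                return
            if len(data) < NTP_PACKET.size:
                continue
            req = NTP_PACKET.unpack(data)
            self.seen_ports.append(peer[1])
            org = (req[13], req[14])  # echo the client's transmit timestamp as the origin
            if self.corrupt_origin:
                org = (org[0] ^ 1, org[1])  # simulate a reply that belongs to some other request
            rec = to_ntp_ts(time.time() + self.clock_offset)
            xmt = to_ntp_ts(time.time() + self.clock_offset)
            self.sock.sendto(NTP_PACKET.pack(0x24, 2, 0, -20, 0, 0, 0x7F000001,  # 0x24: mode 4
                                             *rec, *org, *rec, *xmt), peer)

    def close(self):
        self.running = False
        self.sock.close()

def run_demo(clock_offset=5.0, corrupt_origin=False, queries=2):
    """Run `queries` per-socket queries against a loopback responder and report the results."""
    server = LoopbackResponder(clock_offset, corrupt_origin)
    out = {"offsets": [], "ports": [], "rejected": 0}
    try:
        for _ in range(queries):
            try:
                offset, port = query_once(server.addr)
                out["offsets"].append(offset)
                out["ports"].append(port)
            except ValueError:
                out["rejected"] += 1
    finally:
        server.close()
    return out

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the measured offset matching the responder's constructed 5 s clock offset and one source port entry per query; `run_demo(corrupt_origin=True, queries=1)` shows the origin-timestamp check rejecting a reply that does not belong to the request. The port list is where the cost the message worries about becomes visible: every query is a separate flow from the server's and any stateful middlebox's point of view.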
