Re: [chrony-dev] Experimental NTS support
> On Mar 27, 2019, at 6:22 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
>
> I've been working on an implementation of the new NTP public-key
> authentication called Network Time Security (NTS). Its specification
> will hopefully be finalized in the near future.
Hi Miroslav,
While reading about NTS, possibly my thinking is misguided, but NTS seems overly complicated.
I'm a big fan of Jason Donenfeld's WireGuard [1], and wondered how wrapping NTP with WireGuard would affect delay/accuracy.
So, I ran a simple test, using a local Intel N2930 (NAT'ed) box to a remote single-core Vultr instance in the cloud with a public IP.
Simultaneously I established both an unencrypted NTP path and an NTP path within a WireGuard tunnel, all else being equal.
Both endpoints use Linux 3.16.69, chronyd 3.5 and WireGuard 0.0.20190601.
WireGuard local client IP is 10.4.0.3 and remote server IP is 10.4.0.88.
Test Duration: 394 minutes
== At the local Intel N2930 box (chrony client)
# chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ 10.4.0.88                     2  10   377    82  -1279us[-1279us] +/-   31ms
^* <vultr public ip>             2  10   377   602  -1950us[-1935us] +/-   30ms
# chronyc ntpdata
Remote address : 10.4.0.88 (0A040058) (Encrypted WireGuard path)
Remote port : 123
Local address : 10.4.0.3 (0A040003)
Leap status : Normal
Version : 4
Mode : Server
Stratum : 2
Poll interval : 10 (1024 seconds)
Precision : -25 (0.000000030 seconds)
Root delay : 0.026199 seconds
Root dispersion : 0.004959 seconds
Reference ID : C7xxxxxx ()
Reference time : Mon Jul 01 01:47:38 2019
Offset : +0.001278974 seconds
Peer delay : 0.024941294 seconds
Peer dispersion : 0.000000117 seconds
Response time : 0.000094465 seconds
Jitter asymmetry: -0.50
NTP tests : 111 111 1111
Interleaved : No
Authenticated : No
TX timestamping : Daemon
RX timestamping : Kernel
Total TX : 58
Total RX : 58
Total valid RX : 58
Remote address : <vultr public ip> (xxxxxxxx) (Unencrypted network path)
Remote port : 123
Local address : 10.10.50.64 (0A0A3240)
Leap status : Normal
Version : 4
Mode : Server
Stratum : 2
Poll interval : 10 (1024 seconds)
Precision : -25 (0.000000030 seconds)
Root delay : 0.026199 seconds
Root dispersion : 0.004395 seconds
Reference ID : C7xxxxxx ()
Reference time : Mon Jul 01 01:47:38 2019
Offset : +0.001934602 seconds
Peer delay : 0.024867952 seconds
Peer dispersion : 0.000000117 seconds
Response time : 0.000471027 seconds
Jitter asymmetry: -0.47
NTP tests : 111 111 1111
Interleaved : No
Authenticated : No
TX timestamping : Daemon
RX timestamping : Kernel
Total TX : 57
Total RX : 57
Total valid RX : 57
== At the remote Vultr host (chrony server)
# chronyc clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
<client public ip>             75      0  10   -   917       0      0   -     -
10.4.0.3                       62      0  10   -   397       0      0   -     -
WireGuard transfer: 55.34 KiB received, 22.99 KiB sent
==
To my eye, the NTP wrapped by WireGuard performed quite well, authenticated via Curve25519 and authenticated-encryption via ChaCha20-Poly1305.
Would it make sense to leverage a part of WireGuard's authentication/encryption to provide security for NTP? Only the server's public key (something like "HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=") would need to be known by the client, which could be provided via a DNS record.
Lonnie
[1] https://www.wireguard.com/
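As an added illustration (not part of Lonnie's mail or of chrony's own code), here is a small Python script that parses the `chronyc ntpdata` blocks pasted above and computes the differences between the tunnelled and plain paths to the same server. The embedded sample is constructed from the post's own figures, trimmed to the fields the script uses, with the `<vultr public ip>` placeholder kept exactly as it appears in the mail; `parse_ntpdata`, `find_source`, `ntp_authenticated`, `compare_paths` and the two regexes are this example's own names. It also makes explicit a point the pasted output already shows: chrony reports `Authenticated : No` on both paths, because that field describes NTP-level authentication (symmetric keys or NTS), and a WireGuard tunnel underneath is invisible to the NTP layer.

```python
"""Parse `chronyc ntpdata` output and compare two paths to the same server."""
import re
from typing import Dict, List, Optional, Union

Value = Union[str, int, float]
Block = Dict[str, Value]

# Constructed input: the two `chronyc ntpdata` blocks quoted in the mail,
# reduced to the fields this script uses. The server's public address is left
# as the "<vultr public ip>" placeholder that appears in the post.
NTPDATA_OUTPUT = """\
Remote address  : 10.4.0.88 (0A040058)
Local address   : 10.4.0.3 (0A040003)
Stratum         : 2
Root delay      : 0.026199 seconds
Root dispersion : 0.004959 seconds
Offset          : +0.001278974 seconds
Peer delay      : 0.024941294 seconds
Peer dispersion : 0.000000117 seconds
Response time   : 0.000094465 seconds
Jitter asymmetry: -0.50
Authenticated   : No
Total valid RX  : 58

Remote address  : <vultr public ip> (xxxxxxxx)
Local address   : 10.10.50.64 (0A0A3240)
Stratum         : 2
Root delay      : 0.026199 seconds
Root dispersion : 0.004395 seconds
Offset          : +0.001934602 seconds
Peer delay      : 0.024867952 seconds
Peer dispersion : 0.000000117 seconds
Response time   : 0.000471027 seconds
Jitter asymmetry: -0.47
Authenticated   : No
Total valid RX  : 57
"""

# "Key : value" lines; the key may or may not have a space before the colon.
FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
SECONDS_RE = re.compile(r"^([+-]?\d+(?:\.\d+)?)\s+seconds$")


def parse_ntpdata(text: str) -> List[Block]:
    """One dict per source; a new block starts at each 'Remote address' line."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank line or separator
        key, value = m.group("key"), m.group("value").strip()
        if key == "Remote address":
            current = {}
            blocks.append(current)
            value = value.split(" (", 1)[0]  # drop chrony's hex form of the address
        if current is None:
            continue
        secs = SECONDS_RE.match(value)
        if secs:
            current[key] = float(secs.group(1))  # "+0.001278974 seconds" -> float
        elif value.isdigit():
            current[key] = int(value)  # counters such as "Total valid RX"
        else:
            current[key] = value  # everything else stays a string
    return blocks


def find_source(blocks: List[Block], address: str) -> Block:
    for b in blocks:
        if b["Remote address"] == address:
            return b
    raise KeyError(address)


def ntp_authenticated(block: Block) -> bool:
    """chrony's 'Authenticated' field covers NTP-level authentication only
    (symmetric keys or NTS); a WireGuard tunnel underneath is invisible to it."""
    return block["Authenticated"] == "Yes"


def compare_paths(tunnel: Block, plain: Block) -> Dict[str, float]:
    """Differences (tunnel minus plain) in seconds for the figures worth comparing."""
    return {
        "peer_delay_overhead_s": float(tunnel["Peer delay"]) - float(plain["Peer delay"]),
        "response_time_diff_s": float(tunnel["Response time"]) - float(plain["Response time"]),
        "offset_diff_s": float(tunnel["Offset"]) - float(plain["Offset"]),
        "root_dispersion_diff_s": float(tunnel["Root dispersion"]) - float(plain["Root dispersion"]),
    }


if __name__ == "__main__":
    sources = parse_ntpdata(NTPDATA_OUTPUT)
    tunnel = find_source(sources, "10.4.0.88")
    plain = find_source(sources, "<vultr public ip>")
    for name, delta in compare_paths(tunnel, plain).items():
        print(f"{name:26s} {delta * 1e6:+9.1f} us")
    for src in sources:
        print(f"{src['Remote address']:20s} NTP-authenticated: {ntp_authenticated(src)}")
```

On the post's numbers the tunnel adds about 73 microseconds of peer delay, which is in line with the "performed quite well" reading; the script is equally usable on live output via `chronyc ntpdata | python3 this_script.py` if `NTPDATA_OUTPUT` is replaced by `sys.stdin.read()`.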