Re: [chrony-dev] Experimental NTS support
> On Jul 2, 2019, at 3:00 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
>
>> Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
>> ==============================================================================
>> 10.4.0.88 6 3 86m -0.063 0.350 -55us 129us
>> <vultr public ip> 8 5 120m +0.060 0.475 -155us 540us
>
>> Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
>> ==============================================================================
>> 10.4.0.88 13 9 589 +0.318 1.169 +182us 209us
>> <vultr public ip> 8 5 453 +0.055 4.189 -21us 242us
>
>> Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
>> ==============================================================================
>> 10.4.0.88 20 11 1107 -0.033 0.771 +14us 291us
>> <vultr public ip> 17 10 1035 +0.028 1.249 -14us 361us
>
>> Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
>> ==============================================================================
>> 10.4.0.88 23 11 29m +0.048 0.164 +257us 94us
>> <vultr public ip> 22 14 25m +0.113 0.807 -187us 374us
>
>> Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
>> ==============================================================================
>> 10.4.0.88 28 15 59m +0.018 0.076 +365us 98us
>> <vultr public ip> 28 15 51m -0.032 0.386 -309us 432us
>
> So there seems to be a significant offset between the two sources,
> most likely caused by the delays due to the WireGuard encryption and
> decryption. Is there a significant difference in CPU speed of the
> server and client?
No significant difference, the 1-core VM at Vultr CPU is 2.4 GHz, the 4-core N2930 CPU is 1.8 GHz.
BTW after 24 hours:
Name/IP Address NP NR Span Frequency Freq Skew Offset Std Dev
==============================================================================
10.4.0.88 34 19 430m -0.002 0.014 +122us 162us
<vultr public ip> 23 13 378m +0.023 0.049 -106us 406us
> I think at least in theory it is possible to implement SW/HW
> timestamping over WireGuard interfaces, which would remove that
> difference.
Interesting idea. I'll leave that to others to try if so inclined.
In conclusion, NTP can be secured over UDP, authenticated via Curve25519 and encrypted via ChaCha20Poly1305, as demonstrated via WireGuard with good results.
Alternatively, possibly the same Curve25519/ChaCha20Poly1305 technique could be implemented using Frank Denis's libsodium without WireGuard's "Cryptokey Routing".
I'll leave this idea to others to think about, hack on, etc.
Miroslav, as you said "I think people would be very interested in something simpler than NTS that doesn't use (D)TLS and has similar properties."
Thanks Miroslav for your comments and insights.
Lonnie
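
The comparison drawn from the statistics in this message, as an added example that is not part of the original post: it parses the six sourcestats snapshots and computes, for each one, the estimated offset of the tunnel source minus that of the public source. It assumes 10.4.0.88 is the server's address inside the WireGuard tunnel; the label "public" and the function names are placeholders introduced here.

```python
import re

# Constructed input: the six "chronyc sourcestats" snapshots in this message
# (five quoted, then the 24-hour one), header lines dropped and the redacted
# public address replaced by the placeholder label "public".
SNAPSHOTS = """\
10.4.0.88 6 3 86m -0.063 0.350 -55us 129us
public 8 5 120m +0.060 0.475 -155us 540us
10.4.0.88 13 9 589 +0.318 1.169 +182us 209us
public 8 5 453 +0.055 4.189 -21us 242us
10.4.0.88 20 11 1107 -0.033 0.771 +14us 291us
public 17 10 1035 +0.028 1.249 -14us 361us
10.4.0.88 23 11 29m +0.048 0.164 +257us 94us
public 22 14 25m +0.113 0.807 -187us 374us
10.4.0.88 28 15 59m +0.018 0.076 +365us 98us
public 28 15 51m -0.032 0.386 -309us 432us
10.4.0.88 34 19 430m -0.002 0.014 +122us 162us
public 23 13 378m +0.023 0.049 -106us 406us
"""

TO_US = {"ns": 1e-3, "us": 1.0, "ms": 1e3, "s": 1e6}

def to_us(field):
    """Convert a chronyc time field such as '-55us' to microseconds."""
    m = re.fullmatch(r"([+-]?\d+(?:\.\d+)?)(ns|us|ms|s)", field)
    if not m:
        raise ValueError(f"not a time value: {field!r}")
    return float(m.group(1)) * TO_US[m.group(2)]

def offset_gaps(text, tunnel="10.4.0.88", public="public"):
    """Per snapshot, estimated offset of the tunnel source minus the public one."""
    gaps, seen = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:           # skip header, separator and blank lines
            continue
        seen[f[0]] = to_us(f[6])  # seventh column is Offset
        if tunnel in seen and public in seen:
            gaps.append(seen[tunnel] - seen[public])
            seen = {}
    return gaps

if __name__ == "__main__":
    gaps = offset_gaps(SNAPSHOTS)
    print("gap per snapshot (us):", gaps)
    print("same sign in every snapshot:", all(g > 0 for g in gaps))
    print("mean gap (us):", sum(gaps) / len(gaps))
```

The gap keeps the same sign in all six snapshots, which is what separates a systematic path difference from sample noise.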