Re: [chrony-dev] Experimental NTS support



> On Jul 2, 2019, at 3:00 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
> 
>> Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
>> ==============================================================================
>> 10.4.0.88                   6   3   86m     -0.063      0.350    -55us   129us
>> <vultr public ip>           8   5  120m     +0.060      0.475   -155us   540us
> 
>> Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
>> ==============================================================================
>> 10.4.0.88                  13   9   589     +0.318      1.169   +182us   209us
>> <vultr public ip>           8   5   453     +0.055      4.189    -21us   242us
> 
>> Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
>> ==============================================================================
>> 10.4.0.88                  20  11  1107     -0.033      0.771    +14us   291us
>> <vultr public ip>          17  10  1035     +0.028      1.249    -14us   361us
> 
>> Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
>> ==============================================================================
>> 10.4.0.88                  23  11   29m     +0.048      0.164   +257us    94us
>> <vultr public ip>          22  14   25m     +0.113      0.807   -187us   374us
> 
>> Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
>> ==============================================================================
>> 10.4.0.88                  28  15   59m     +0.018      0.076   +365us    98us
>> <vultr public ip>          28  15   51m     -0.032      0.386   -309us   432us
> 
> So there seems to be a significant offset between the two sources,
> most likely caused by the delays due to the WireGuard encryption and
> decryption. Is there a significant difference in CPU speed of the
> server and client?

No significant difference: the 1-core VM at Vultr CPU is 2.4 GHz, the 4-core N2930 CPU is 1.8 GHz.

BTW after 24 hours:

Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
10.4.0.88                  34  19  430m     -0.002      0.014   +122us   162us
<vultr public ip>          23  13  378m     +0.023      0.049   -106us   406us


> I think at least in theory it is possible to implement SW/HW
> timestamping over WireGuard interfaces, which would remove that
> difference.

Interesting idea. I'll leave that to others to try if so inclined.


In conclusion, NTP can be secured over UDP, authenticated via Curve25519 and encrypted via ChaCha20Poly1305, as demonstrated via WireGuard with good results.

Alternatively, possibly the same Curve25519/ChaCha20Poly1305 technique could be implemented using Frank Denis's libsodium without WireGuard's "Cryptokey Routing".

I'll leave this idea to others to think about, hack on, etc.

Miroslav, as you said "I think people would be very interested in something simpler than NTS that doesn't use (D)TLS and has similar properties."

Thanks Miroslav for your comments and insights.

Lonnie
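
The offset comparison discussed in this thread, as an added example that is not part of the original message or of chrony: a parser for the sourcestats tables quoted above that reports the gap between the source reached through the WireGuard tunnel and the one reached over the public IP. The sample input is one table copied from the message; the function names and the root-sum-square comparison, which treats the two Std Dev values as independent, are assumptions of this example.

```python
import math
import re

# Constructed input: one snapshot copied from the tables in the message above.
SAMPLE = """\
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
10.4.0.88                  28  15   59m     +0.018      0.076   +365us    98us
<vultr public ip>          28  15   51m     -0.032      0.386   -309us   432us
"""

TIME_UNITS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}
# Span has no unit when it is in seconds; other suffixes raise ValueError.
SPAN_UNITS = {"": 1, "m": 60, "h": 3600, "d": 86400}


def _scaled(text, units):
    """Convert a value such as '+365us' or '59m' to seconds."""
    m = re.fullmatch(r"([+-]?\d+(?:\.\d+)?)([a-z]*)", text)
    if not m or m.group(2) not in units:
        raise ValueError(f"unrecognised value: {text!r}")
    return float(m.group(1)) * units[m.group(2)]


def parse_sourcestats(text):
    """Return {source name: stats} for each data row of the report."""
    sources = {}
    for line in text.splitlines():
        # Split from the right: the name column may contain spaces.
        parts = line.strip().rsplit(None, 7)
        if len(parts) != 8 or not parts[1].isdigit():
            continue  # header, ruler, or blank line
        name, np_, nr, span, freq, skew, offset, std_dev = parts
        sources[name.strip()] = {
            "np": int(np_), "nr": int(nr),
            "span": _scaled(span, SPAN_UNITS),
            "freq_ppm": float(freq), "skew_ppm": float(skew),
            "offset": _scaled(offset, TIME_UNITS),
            "std_dev": _scaled(std_dev, TIME_UNITS),
        }
    return sources


def offset_gap(stats, a, b):
    """Offset of a minus offset of b, plus root-sum-square of both Std Dev values."""
    gap = stats[a]["offset"] - stats[b]["offset"]
    return gap, math.hypot(stats[a]["std_dev"], stats[b]["std_dev"])


if __name__ == "__main__":
    gap, spread = offset_gap(parse_sourcestats(SAMPLE), "10.4.0.88", "<vultr public ip>")
    print(f"gap {gap * 1e6:+.0f}us, combined std dev {spread * 1e6:.0f}us")
```

A gap that stays larger than the combined spread across snapshots points to a systematic path asymmetry rather than measurement noise.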



