Re: [chrony-users] Extra timestamp validation
On Wed, Mar 02, 2016 at 02:24:08PM +0000, Juhasz Gabor wrote:
> Hi All,
>
> According to this comparison : http://chrony.tuxfamily.org/comparison.html
> the chrony does not support "Extra timestamp validation" at "NTP Client section".
>
> Is there any plan to put this feature into chrony in the future?

There is currently no plan to add support for HTTPS as an
authenticated time source to validate NTP timestamps. The plan is to
implement the new Network Time Security protocol [1]. It should be a
proper NTP authentication using public-key crypto. It should be much
more accurate and efficient than HTTPS. The specification is still a
work in progress, but I think it may already be in a state where it's
possible to start working on an implementation for chrony.

If you need something now and don't care much about efficiency, you
could combine a SHM refclock using HTTPS date with NTP sources to get
something similar to what openntpd does.

Omnisync [2] is a SHM refclock that can use HTTPS. It doesn't seem to
check how long the HTTP request took, so a MITM attacker could
possibly insert a large offset to the measurement by delaying the
packets. That shouldn't be difficult to fix. I think it just needs to
check if the request didn't take more than say one second.

[1] https://datatracker.ietf.org/wg/ntp/documents/
[2] https://www.vanheusden.com/time/omnisync/

--
Miroslav Lichvar
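
The request-duration check suggested in the message above, as an added example that is not part of the original post and is not code from Omnisync or chrony. The names `measure_offset`, `fetch_date_header`, `SampleRejected` and `MAX_REQUEST_SECONDS` are assumptions made for illustration; the fetch function and both clocks are injectable so the check can be exercised without a network.

```python
import http.client
import time
from email.utils import parsedate_to_datetime

MAX_REQUEST_SECONDS = 1.0  # assumed limit, from the post's "say one second"


class SampleRejected(Exception):
    """The measurement must not be handed to the refclock."""


def fetch_date_header(host, timeout=5.0):
    """HEAD request over HTTPS (certificate verified by default)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Date")
    finally:
        conn.close()


def measure_offset(host, fetch=fetch_date_header,
                   max_request=MAX_REQUEST_SECONDS,
                   monotonic=time.monotonic, wallclock=time.time):
    """Return (offset_seconds, request_seconds) or raise SampleRejected."""
    wall_start = wallclock()
    mono_start = monotonic()          # monotonic: unaffected by clock steps
    date_header = fetch(host)
    elapsed = monotonic() - mono_start

    # A delayed exchange shifts the measured offset by up to the delay,
    # so a slow request is discarded instead of being trusted.
    if elapsed > max_request:
        raise SampleRejected(f"request took {elapsed:.3f}s > {max_request}s")
    if not date_header:
        raise SampleRejected("response carried no Date header")
    try:
        server = parsedate_to_datetime(date_header).timestamp()
    except (TypeError, ValueError) as exc:
        raise SampleRejected(f"unparsable Date header: {date_header!r}") from exc

    # Compare the server time with local time at the middle of the request.
    local_mid = wall_start + elapsed / 2
    return server - local_mid, elapsed
```

The Date header has one-second resolution, so an accepted sample is only a coarse sanity bound on the NTP sources, not a replacement for them.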