Re: [chrony-users] chrony and ntpd xleave interoperability


On Tue, Jan 23, 2018 at 11:31:38AM +0100, FUSTE Emmanuel wrote:
> When I try to do the same with ntpd on one side and chrony on the other, 
> things go bad.
> At best, chrony got a working association with interleave status with 
> a very long response time.

A long response time up to the polling interval of the peer is normal
in symmetric associations.

> On the ntpd side, the association never works. The chrony server never 
> gets the "reach" state and the reach counter is stuck at zero.

Have you tried the same configuration and the timing of restarts,
between two ntpd servers? I suspect you would see some of the issues
in this case too.

There are probably multiple issues involved, which make it difficult
to see what's going on. I'm aware of the following:

- ntpd doesn't accept packets from peers that are not synchronized
  (yet), so peers have to be configured with other sources in order
  for the symmetric association (in both basic and interleaved modes)
  to start. See
- interleaved mode in ntpd works only when the peers use the same
  polling interval. If they have the same minpoll and maxpoll, but
  minpoll != maxpoll, they should in theory both get to the maxpoll
  if the association doesn't work, but there may be a bug that
  prevents that.
- chrony switches to the basic mode when the polling intervals don't
  match, but ntpd doesn't accept responses in the basic mode if the
  interleaved mode is enabled.

> chrony 3.2
> ntp-4.2.8p8, ntp-4.2.8p10
> Could I normally expect xleave interoperability between chrony and ntpd 
> or is it something too "implementation specific"?

With the current versions, if you can avoid the issue with
unsynchronized sources, they should interoperate, at least when their
polling intervals match. If it doesn't work for you, I'd like to see a
tcpdump output.

Please note that the symmetric mode has some security issues and it's
generally recommended to use the client/server mode instead. Even if
authentication is enabled, it is possible to break a symmetric
association by replaying old packets. (chrony has a partial protection
against this attack, but it works only in the basic mode when the
polling intervals match and there are no packets with timestamps from
the future that could be replayed. It's too fragile, don't rely on it!)

It is possible that support for symmetric associations will be dropped
from chrony in future.

Miroslav Lichvar
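
Added example (not part of the original message, and not chrony or ntpd code): a small lint that checks both sides of one chrony/ntpd peer pair against the conditions listed in the reply above. The hostnames, sample configurations and finding codes are constructed for illustration; the 6/10 poll defaults are an assumption, and requiring minpoll == maxpoll on both sides is a deliberately conservative reading of the polling-interval point.

```python
# Added example: lint one chrony<->ntpd peer pair against the conditions in the reply.
DEFAULT_MINPOLL, DEFAULT_MAXPOLL = 6, 10  # assumed defaults for both daemons

def _opt(opts, name, default):
    return int(opts[opts.index(name) + 1]) if name in opts else default

def parse_sources(conf_text):
    """Extract server/pool/peer lines from chrony.conf or ntp.conf text."""
    out = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] in ("server", "pool", "peer"):
            opts = tok[2:]
            out.append({"kind": tok[0], "host": tok[1], "xleave": "xleave" in opts,
                        "poll": (_opt(opts, "minpoll", DEFAULT_MINPOLL),
                                 _opt(opts, "maxpoll", DEFAULT_MAXPOLL))})
    return out

def check_pair(chrony_conf, ntp_conf, chrony_host, ntpd_host):
    """Return finding codes for the association between the two hosts."""
    sides = {"chrony": (parse_sources(chrony_conf), ntpd_host),
             "ntpd": (parse_sources(ntp_conf), chrony_host)}
    peers, findings = {}, []
    for name, (srcs, remote) in sides.items():
        peers[name] = next((s for s in srcs if s["kind"] == "peer" and s["host"] == remote), None)
        if peers[name] is None:
            return [f"NO_PEER_LINE:{name}"]
        # ntpd ignores peers that are not yet synchronized, so each side needs another source
        if not any(s["kind"] in ("server", "pool") for s in srcs):
            findings.append(f"NO_OTHER_SOURCE:{name}")
    polls = {p["poll"] for p in peers.values()}
    pinned = len(polls) == 1 and all(lo == hi for lo, hi in polls)
    if not pinned:
        findings.append("POLL_NOT_PINNED_EQUAL")
        # chrony falls back to basic mode on mismatch; ntpd with xleave rejects basic replies
        if peers["ntpd"]["xleave"]:
            findings.append("NTPD_XLEAVE_REJECTS_BASIC_FALLBACK")
    findings.append("SYMMETRIC_MODE_REPLAY_RISK")  # holds even with authentication
    return findings

# Constructed sample configurations (hostnames are placeholders)
CHRONY_BAD = "peer ntpd.example.net xleave\n"
NTPD_BAD = "server 0.pool.example.net iburst\npeer chrony.example.net xleave minpoll 4 maxpoll 6\n"
CHRONY_OK = "pool pool.example.net iburst\npeer ntpd.example.net xleave minpoll 6 maxpoll 6\n"
NTPD_OK = "server 0.pool.example.net iburst\npeer chrony.example.net xleave minpoll 6 maxpoll 6\n"

if __name__ == "__main__":
    print(check_pair(CHRONY_BAD, NTPD_BAD, "chrony.example.net", "ntpd.example.net"))
    print(check_pair(CHRONY_OK, NTPD_OK, "chrony.example.net", "ntpd.example.net"))
```

The replay finding is always reported for a peer pair, since the reply recommends client/server mode over symmetric mode regardless of authentication.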
