Re: [chrony-users] chrony and ntpd xleave interoperability |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
Le 23/01/2018 à 13:00, Miroslav Lichvar a écrit :
> On Tue, Jan 23, 2018 at 11:31:38AM +0100, FUSTE Emmanuel wrote:
>> When I try to do the same with ntpd on one side and chrony on the other,
>> things go bad.
>> At best, chrony got a working association with interleave status with
>> very long response time.
> A long response time up to the polling interval of the peer is normal
> in symmetric associations.
>
>> On the ntpd side, the association never work. The chrony server never
>> get the "reach" state and the reach counter is stuck a zero.
> Have you tried the same configuration and the timing of restarts,
> between two ntpd servers? I suspect you would see some of the issues
> in this case too.
>
> There are probably multiple issues involved, which make it difficult
> to see what's going on. I'm aware of the following:
>
> - ntpd doesn't accept packets from peers that are not synchronized
> (yet), so peers have to be configured with other sources in order
> for the symmetric association (in both basic and interleaved modes)
> to start. See https://bugs.ntp.org/show_bug.cgi?id=3445.
> - interleaved mode in ntpd works only when the peers use the same
> polling interval. If they have the same minpoll and maxpoll, but
> minpoll != maxpoll, they should in theory both get to the maxpoll
> if the association doesn't work, but there may be a bug that
> prevents that.
> - chrony switches to the basic mode when the polling intervals don't
> match, but ntpd doesn't accept responses in the basic mode if the
> interleaved mode is enabled
>
>> chrony 3.2
>> ntp-4.2.8p8, ntp-4.2.8p10
>>
>> Could I normally expect xleave interoperability between chrony and ntpd
>> or it is something too much "implementation specific" ?
> With the current versions, if you can avoid the issue with
> unsynchronized sources, they should interoperate, at least when their
> polling intervals match. If it doesn't work for you, I'd like to see a
> tcpdump output.
Ok. I fixed min/max polling interval to 5 for testing purpose.
Then I first restarted chrony. Wait for it to sync on a online source.
Then restarted ntp and take capture.
Will send you all the datas
NTP is stuck in unreachable state
Chrony is stuck with only one valid RX.
>
> Please note that the symmetric mode has some security issues and it's
> generally recommended to use the client/server mode instead. Even if
> authentication is enabled, it is possible to break a symmetric
> association by replaying old packets. (chrony has a partial protection
> against this attack, but it works only in the basic mode when the
> polling intervals match and there are no packets with timestamps from
> future that could be replayed. It's too fragile, don't rely on it!)
Yes I know. It is only used on "trusted" lan segments and/or to try to
inter-operate with ntpd xleave.
>
> It is possible that support for symmetric associations will be dropped
> from chrony in future.
>
I only using it to transition from ntpd to chrony. So It will not be missed.
I hope my clock vendor will sometime transition from ntpd to something
else (chrony) to get good xleave support (and much more).
At most, I mainly use theses clocks with PTP so the NTP part only affect
fail-over scenarios.
Emmanuel.