Re: [chrony-users] Decision algorithm, compatibility
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Decision algorithm, compatibility
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 20 Sep 2021 09:09:08 +0200
On Thu, Sep 16, 2021 at 02:04:06PM +0200, Uwe Fechner wrote:
> /ISPs may block or rate limit longer NTP packets as a mitigation for
> amplification attacks using NTP mode 6 and 7. NTS-KE supports port
> negotiation and servers can provide an alternative port to avoid this
> issue./
>
> Questions:
>
> 1. Does chrony support port negotiation?

Yes.

> 2. If yes, does it need to be enabled on the server or the client or both?

A non-standard port needs to be set on the server.

> 3. How can it be enabled, if that is an option?

On the server set "port" to whatever port you like, but note that non-NTS
clients will not know about it and even NTS clients may have trouble
if they are behind a firewall which blocks all UDP ports except a few
known ones like the standard NTP (123).

With the alternative NTP port, the servers will be listening on two
different ports and clients will try to use the one which works, so
this should be better in compatibility.
--
Miroslav Lichvar
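
An added example, not part of the original message and not chrony's own code: how an NTS client learns a non-standard NTP port from the NTS-KE response, using the record layout and type numbers from RFC 8915. The host name, port 11123 and the zeroed cookie are constructed values.

```python
import struct

# NTS-KE record types (RFC 8915)
END_OF_MESSAGE, NEXT_PROTOCOL, AEAD_ALGORITHM = 0, 1, 4
NEW_COOKIE, NTPV4_SERVER, NTPV4_PORT = 5, 6, 7
DEFAULT_NTP_PORT = 123

def record(rtype, body, critical=False):
    """Encode a record: critical bit + 15-bit type, 16-bit length, body."""
    return struct.pack("!HH", (0x8000 if critical else 0) | rtype, len(body)) + body

def parse_records(data):
    """Yield (type, body) for each record, stopping at End of Message."""
    offset = 0
    while len(data) - offset >= 4:
        head, length = struct.unpack_from("!HH", data, offset)
        body = data[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += 4 + length
        yield head & 0x7FFF, body
        if head & 0x7FFF == END_OF_MESSAGE:
            return
    raise ValueError("response ended without End of Message")

def ntp_endpoint(response, ke_host):
    """Return the (host, port) to use for NTS-protected NTP packets."""
    host, port = ke_host, DEFAULT_NTP_PORT  # defaults when not negotiated
    for rtype, body in parse_records(response):
        if rtype == NTPV4_SERVER:
            host = body.decode("ascii")
        elif rtype == NTPV4_PORT:
            if len(body) != 2:
                raise ValueError("port record body must be 2 bytes")
            (port,) = struct.unpack("!H", body)
    return host, port

# Constructed response; port 11123 and the zeroed cookie are made-up values.
SAMPLE = b"".join([
    record(NEXT_PROTOCOL, struct.pack("!H", 0), critical=True),    # NTPv4
    record(AEAD_ALGORITHM, struct.pack("!H", 15), critical=True),  # AES-SIV-CMAC-256
    record(NTPV4_PORT, struct.pack("!H", 11123)),
    record(NEW_COOKIE, bytes(64)),
    record(END_OF_MESSAGE, b"", critical=True),
])

if __name__ == "__main__":
    print(ntp_endpoint(SAMPLE, "ke.example.net"))
```

A response without the port record leaves the client on UDP port 123, which is why only the server needs the non-standard port configured.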