You may use the data to compare to your own server.
I’m curious about the accuracy of this server; what are normal numbers?
Also I’m interested in NTS and the NTS pool. What does the future hold? @Bas
You are asking the wrong person. I do not know if the pool supports NTS or not.
That’s up to @ask, as he’s the owner/maintainer of the pool.
However, I (and I speak for myself) don’t see the need for NTS and as such my server doesn’t support it.
It’s OK, I guess, for somebody that uses only other servers.
See mine: http://ntp1.sprintweb.be
But then, it’s PPS-controlled; that will not happen if you are stratum 2.
But you can check one of my stratum 2 servers:
It’s about the same as yours.
Stratum 0 and 1 are always more accurate…however, at the client side they are not that far apart.
As the (internet) connections make all of them less accurate, even stratum 5 or higher should give the same time to clients.
For most clients the stratum doesn’t matter one bit. Except for banks etc. But they probably do not use us anyway; they have their own stratum 1 server.
Thanks so much for sharing both S1 and S2! Why so few packets/s on S1? Right now it’s Friday night in Norway; I see no people around me obsessed with NTP, strange.
Forget those command packets…I don’t know how to take them out of the graph.
They are NOT NTP time requests.
You should ignore the blue line.
The S1 is my home server; my router can’t handle such big loads. Also, it’s feeding my other servers.
If you want, you can feed off my S1 server: ntp1.heppen.be
If you set that, it will take my S1 server. No NTS support.
BTW, I read this on your website….
This is a bunch of baloney. He’s telling you that NTS is safe because it’s using TLS.
Sorry to say, but this guy is a moron. So is NTS.
I tell you why: use GPS + PPS…OK, fixed.
Any timeserver can do this and have the right time.
Unless you can hack into GPS + PPS, there is no way time can be spoofed.
As such, NTS is useless, as a lot of servers provide GPS + PPS time and monitors will check them.
The monitors are checked themselves to see if they have the correct time.
As such, a false ticker will be kicked out of the pool so fast it has no impact.
Do you really believe my monitor (yes, I run them too) can tick false and report sites being good when they are not?
That will not happen.
As such, to all NTS freaks…it makes no sense. Sorry, it doesn’t. Time is no secret and it’s all over to check. There is no way you can make the pool go bad on the normal NTP protocol.
Unless you hack Stratum 0 servers….good luck with that.
Sorry, that is wrong. An attacker controlling a router or firewall in front of your servers could manipulate the NTP packets and, say, add 42 minutes to every packet. Suddenly your server looks to any outside client like it is telling the wrong time, even if your server has PPS.
That is why the whole web shifted to encryption by default; current browsers warn you if your connection to the server can’t be cryptographically verified to the origin.
NTS has the same goal: secure the NTP packets with encryption so no man in the middle can manipulate the packets, or rather so the client can detect that the packets were tampered with.
But since certificates are mostly bound to DNS names, it is currently not possible to use NTS in the pool. Or will the pool distribute a set of certificates for all the aliases a user can use to reach a random volunteer-run server? I wouldn’t put a cert for 1-4.pool. and all the country and continent zones in my hands, let alone anyone who has signed up here.
I’d suggest adding ntp.justervesenet.no to your sources. That might push your server to sub-millisecond accuracy (for itself, not the clients), depending on your server’s location. Though while I’m not aware of Justervesenet’s NTP server supporting NTS, it’ll quickly get disqualified by the majority if someone’s spoofing a fake response.
That said, I haven’t really played around with running NTS on my own servers. Is it more or less similar to set up as HTTPS on webservers, as far as configuring it goes? Just hand it the certificates?
Wrong again.
As I was talking about the NTP servers of the pool.
Sure, one could attack your router, but you can’t attack the pool.
The monitors will take your false ticker out real quickly.
You miss the point. The problem is not the pool; the pool is safe.
NTS won’t alter that. You seem to forget that time can be checked 365/24/7, and monitors do just that.
What will certificates change? There is no point. There is no man-in-the-middle attack possible, as monitors watch over that. What is your point?
With chronyd, pretty much yes. Point ntsservercert to the file with the certificate chain, and ntsserverkey to the corresponding private key (mind the proper permissions on the files). Et voilà.
How? This is UDP, not TCP. You cannot stop UDP, as it has no resend mechanism.
So you need to intercept ALL UDP, manipulate it and resend it to the clients.
At the same time you must FAKE the NTP server into accepting UDP messages that are wrong AND hope it doesn’t check other NTP servers, and that the internal clock is SOOOOOO WAAAAAY OFF that it accepts your fake clock timings.
Really? You should try it, I did. Won’t work. You are so quickly turned into a false ticker…not a chance you can pull this off…unless your routers and appliances are really DUMB.
I bumped into this a few times….
It will not work. Sorry.
Attacking each pool server? Would be impractical and wouldn’t achieve much.
More realistic would be to do MITM on the client’s side. Like, if the client decides to trust some random free Wi-Fi.
NTS would allow a client to confirm it is indeed talking to a pool server, rather than whoever’s hosting the suspicious looking free Wi-Fi.
Just set an NTP server to trust a source and then transmit it to clients…
Otherwise useless.
But then it must be an employee trying to make money off wrong time.
I would not see why anybody would try or attempt it. Banks don’t use the pool…
So what purpose would it serve? It’s useless…NTS…come on…plain stupid.
Just because you don’t seem to grasp what NTS is for, what it does (and does not do), does not make it useless or stupid.
If you can control the clock, you can do things like replay attacks. Or just pure sabotage, making people late for appointments, or causing their system to no longer trust HTTPS.
And a random free Wi-Fi can be run by some dude with a Raspberry Pi, probably for the sake of doing MITM attacks, or spying. Doesn’t have to be some rogue employee.
How much do you affect? Come on.
There have been some proposals as to how to make NTS work with a pool, e.g., this experimental Internet Draft.
In my current personal view, though, the effort to implement, set up, and operate it is probably not worth it as long as anybody with an e-mail address can register a server. All NTS would do in this context is provide you with cryptographic certainty (authentication) that you are connected to a server that someone managed to add to the pool, which only requires an e-mail address.
Integrity might be more interesting to prevent MITM attacks closer to the client. If an attacker can manipulate NTP packets, then they probably could also manipulate, e.g., DNS packets to point the client to rogue NTP servers (unless DNS is protected to guard against manipulation). Either way, NTS could help prevent that.
Overall, I am not saying that NTS couldn’t bring some benefits. Just that I’d currently expect them to be too small to be worth the effort.
I, for one, do understand where it is coming from, but ntps is going to be much harder on the servers, and is only really useful for time critical applications, like airport traffic control systems, banks, military.
And if any of those time critical systems is getting their time from the ntp pool, then they are getting exactly what they are paying for.
I strongly suspect that my ntp appliance came from a military contract house, so companies that need proper time do pay for proper time. And the appliance is designed for LTE cell tower time sync, so cell towers also use their own time sources.
So my conclusion is that ntps, for the home user, isn’t worth the processing capacity required.
As a point of interest, my appliance can handle 140000 packets per second for ntp as the ntp packets are received, and replied to, completely in hardware. Ntpd never sees the ntp time requests. But for ntps, which is handled by ntpd, it has a limit of 500 packets per second.
And as to the original intent of this topic, this is the only useful graph, local appliance time to gnss time error, I can get out of my appliance:
As noted earlier, trying to get the pool to support NTS would be problematic. However, that doesn’t stop people configuring their pool servers to also support NTS. I have two servers that support NTS. This article was useful for the initial setup. There is also an obviously partial list of NTP servers supporting NTS.
If you want to use my NTS-enabled servers, add one or more of these to your chrony.conf or equivalent:
server ntp.miuku.net nts
server stratum1.miuku.net nts
Both of these are in Finland. ntp.miuku.net is a stratum 2 server, stratum1.miuku.net is a stratum 1 server. As the latter server is here at home, its IP address may change. If this happens, chrony will notice this and look up the new IP address automatically (at least the modern versions, not sure about ancient versions).
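For readers following the "just hand it the certificates" question earlier in the thread and the client lines in this post, here is an added chrony.conf example (not the configuration of any server mentioned in this thread) that puts both halves in one place. The server-side directives are the two named earlier (`ntsservercert`, `ntsserverkey`) plus the NTS-KE port and key/cookie persistence directory; the client-side lines are the two servers listed in this post. The certificate and key paths are placeholders for your own files.

```conf
# ---- Server side: offer NTS on this chronyd ----
# Certificate chain and private key for the NTS-KE (TLS) listener. The
# key file must be readable by the user chronyd drops privileges to and
# by nobody else. Paths below are placeholders.
ntsservercert /etc/chrony/certs/fullchain.pem
ntsserverkey /etc/chrony/certs/privkey.pem
# NTS-KE listens on TCP; 4460 is the default, shown here explicitly.
ntsport 4460
# Persist server keys (and, on clients, cookies) across restarts so
# clients do not have to redo NTS-KE every time chronyd starts.
ntsdumpdir /var/lib/chrony
# NTP itself stays on UDP/123; open it to the world as a pool server would.
allow

# ---- Client side: require NTS for servers that offer it ----
# The nts option makes chronyd perform NTS-KE with the server first and
# reject unauthenticated responses afterwards.
server ntp.miuku.net nts
server stratum1.miuku.net nts
# Certificates are checked against the system CA store. Only if a server
# uses a private CA would you add it with the ntstrustedcerts directive.
```

After a restart, `chronyc -N authdata` lists each source with its authentication mode, so you can confirm that the two `nts` sources are actually using NTS and that cookies were obtained, rather than having silently fallen back to nothing.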
As noted earlier, trying to get the pool to support NTS would be problematic.
I tried to explain several times, NTS is useless.
Ok, maybe this helps:
1: Time is PUBLIC…easy to check.
2: Your own timeserver can be supplied with GPS (even without PPS) to be pretty sure of the correct time.
3: Why would anybody try to spoof YOUR timeserver? It’s a pool, so it rotates; you can NOT know which clients use it and which server.
4: Time-critical installations DO NOT USE the pool, maybe as backup to be sure, but not as the main source.
5: So many ways to check if time is correct.
6: Pool monitors are checked THEMSELVES to be CORRECT and push any false ticker out of the pool…see point 3!
7: NTS only secures traffic between the NTS server and the client; you DO NOT KNOW if the server is spoofed itself. How do you know it’s ticking correctly? The POOL does NOT check it!
8: Try to spoof my GPS+PPS server, which also monitors other servers….NTS will do nothing there, like most monitors.
In short: NTS is stupid. We do not need it, as monitors check servers and the DNS only gives proper tickers to you. To attack the system, you need to know ALL servers, ALL links…impossible.
Then THE links of the client to attack.
IN SHORT….NTS is stupid, no matter how you look at it…from the pool’s perspective.
You can buy your own GPS (non-PPS) for less than 5 euro and have time correct to 100 ms….I have one…simple USB stick.
People, please stop this “NTS is secure”; it’s not…the monitors are far better at securing that you get the right time from the pool.
Time is universally the same…many ways to check it, even outside the pool. No critical system will ever use the pool. None.
Can we stop this discussion please? If you want to support NTS, please do so. Others like me DO NOT.