Verifying an NTPSec server

ebahapo · February 20, 2023, 8:05pm

How can I check that a client can securely connect to my NTPSec server?

Many thanks.

stevesommars · February 20, 2023, 9:30pm

Does this meet your needs: NTP Server Online Test Tool (IPv4 & IPv6)

ebahapo · February 21, 2023, 12:22am

That link seems to just use the traditional, insecure NTP protocol: time.cloudflare.com. But thanks.

stevesommars · February 21, 2023, 2:47am

You asked about NTPsec, which supports both NTP and NTS. Did you mean NTS?
I am unaware of a similar public website for NTS.

If you don’t find other resources, I’d be glad to poll your NTS server.
Note: Since NTS packets are larger than the traditional 48 bytes, they are vulnerable to NTP filtering.

ebahapo · February 21, 2023, 7:10am

I did say that the client should be able to connect securely to the server.

I find it lacking that the utilities that are provided along with NTPSec do not provide an option to connect to a server securely.

marco.davids · February 22, 2023, 5:59pm

Not sure if this is what you are looking for, but I sometimes do this:

openssl s_client -connect ntppool1.time.nl:4460 -tlsextdebug -alpn 'ntske/1' -status < /dev/null

Or, after replacing certs, I also do this:

https://whatsmychaincert.com/?ntppool1.time.nl:4460

If your client is Chrony, than perhaps this:

chronyc -N authdata

Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
ntp.time.nl                    -     0    0    0    -    0    0    0    0
ntppool1.time.nl             NTS     3   15  256  25d    0    0    8  100
ntppool2.time.nl             NTS     4   15  256   9d    0    0    8  100

If the daemon is not running, this is also an option:

chronyd -q -t 1 'server ntppool1.time.nl iburst nts maxsamples 1'

And with ntpq you could do this (see the ‘auth’ column, but it’s worth noting that this column isn’t solely reserved for NTS authentication; it’s also used for traditional NTP authentication methods, if I’m not mistaken.):

ntpq> associations

ind assid status  conf reach auth condition  last_event cnt
===========================================================
  1 17767  b61a   yes   yes  none  sys.peer    sys_peer  1
  2 17768  f314   yes   yes   ok    outlier   reachable  1
  3 17769  f414   yes   yes   ok  candidate   reachable  1
ntpq>

ebahapo · February 22, 2023, 9:13pm

Yes, I verified the TLS aspects using openssl.

However, short of adding one’s own server to a client, there’s no easy way to poke an NTPSec server.

Bas · February 24, 2023, 4:58pm

Why would you even want to secure a time protocol at all?

It’s just giving time and people that rely on time will use more then 1 source and use GPS to check the correct time.

I’m very sorry, but if time is important, you have your own GPS in use.

Even if you use the ‘secure’ protocol, how do you know the time they supply is correct?
As such it’s useless to put time in such, just use more then 1 server to verify and if needed use your own GPS module to make sure it’s correct.

It’s the same nonsense as forcing public websites to https when there is no sensitive information being transferred.

Sorry, I do not get this, not at all.

ebahapo · February 24, 2023, 6:22pm

Obviously, you do not. And this is not the right thread to discuss it.

ebahapo · February 24, 2023, 6:26pm

Out of curiosity, I determined that my ISP filters out packets through port 123 longer than 450 bytes.

Topic		Replies	Views
Chrony: NTS and Authenticated NTP packets	5	557	January 9, 2024
Recommendations to use NTP pool Pool Development	7	3640	March 15, 2019
Time.cloudflare.com	14	7578	January 6, 2020
How can I setup chrony to be a nts server?	4	2269	May 3, 2022
NTPSec, opinions?	17	3964	November 26, 2023

Verifying an NTPSec server

Related Topics