It now talks to Martin Langer's server.
I added another hack to ntpq. (The hack is actually in ntpd, but you see it
in ntpq -p.) Where it used to show INIT in the refid column to indicate that
it hasn't received any packets yet, it will now show NTS or DNS if it is
waiting for NTS/DNS lookup.
Argh. I forgot to mention that the bits on the wire have changed. If you are
testing NTS, you will have to update both ends.
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/
Hal Murray via devel :
> It now talks to Martin Langer's server.
>
> I added another hack to ntpq. (The hack is actually in ntpd, but you see it
> in ntpq -p.) Where it used to show INIT in the refid column to indicate that
> it hasn't received any packets yet, it will now show NTS or DNS if it
Eric said:
> So this means ntpd is shipping these strings in the refid field?
Yes
> I want to document this. Not sure where it goes.
For things like that, I grep -r docs/
That misses the man pages that are in the directory with program sources.
INIT gets 2 hits. Neither looked like what you
Hal Murray :
> Eric said:
> > So this means ntpd is shipping these strings in the refid field?
> Yes
Good. I'm in favor of anything it can do to export more meaningful status
information, and this definitely qualifies.
> > I want to document this. Not sure where it goes.
>
> For things like t
Following Hal Murray's interop report, I've updated the documentation
so that it describes NTS as implemented in conformance with the
Version draft RFC.
What still needs to be done to fully land this feature? Key rotation?
Anything else?
--
http://www.catb.org/~esr/ Eric S. Raym
Eric said:
> Good. I'm in favor of anything it can do to export more meaningful status
> information, and this definitely qualifies.
I assume that includes putting a digit in the t column to show the number of
cookies and hence indicate that a slot is using NTS.
There is currently a bug in th
Hal Murray :
>
> Eric said:
> > Good. I'm in favor of anything it can do to export more meaningful status
> > information, and this definitely qualifies.
>
> I assume that includes putting a digit in the t column to show the number of
> cookies and hence indicate that a slot is using NTS.
Yes.
[0 not showing up in ntpq -p t column for NTS clients.]
Eric said:
> I'd fix this, but I'm not sure whether you're talking server or client side.
The problem is in ntpq. Somebody returns 0 for slots that don't exist. The
check for >= 0 needs to do a preliminary check to see if the slot exists.
> What still needs to be done to fully land this feature? Key rotation?
> Anything else?
I've been collecting major items in devel/TODO-NTS
Mostly, it needs testing and probably an overview level documentation.
Something high level rather than the details of how to configure it. Maybe a
HOW
Yo Hal!
On Fri, 01 Mar 2019 15:46:49 -0800
Hal Murray via devel wrote:
> > What still needs to be done to fully land this feature? Key
> > rotation? Anything else?
>
> I've been collecting major items in devel/TODO-NTS
It is missing key rotation. Also how to share keys between
standalone NT
Hal Murray :
> [0 not showing up in ntpq -p t column for NTS clients.]
>
> Eric said:
> > I'd fix this, but I'm not sure whether you're talking server or client side.
>
> The problem is in ntpq. Somebody returns 0 for slots that don't exist. The
> check for >= 0 needs to do a preliminary check
> I've tried defaulting ntscookies to -1 and testing for > that - change pushed.
Thanks. Looks good.
That now exposes a subtle detail. If you see NTS in the refid column, look at
the t column. If it is "u", then the NTS-KE level didn't work. If you see a
"0" there, then the NTS-KE worked bu
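An added illustration, not ntpq's own code, of the t-column bug reported above, of Eric's -1 sentinel fix, and of reading the refid and t columns together as Hal describes. It assumes the pre-fix check was `> 0` (which the thread implies but never states); the peer records and the `tchar` field name are constructed for the example, and only `ntscookies` is a name taken from the thread.

```python
# Added example, not ntpq's own code: the t-column bug from the thread, the
# -1 sentinel fix, and how to read refid plus t together for an NTS slot.

# Constructed peer records standing in for what ntpq reads back from ntpd.
# 'ntscookies' is the name used in the thread; 'refid' and 'tchar' are
# stand-ins.  A slot that never got NTS cookies has no 'ntscookies' entry.
PEERS = [
    {"refid": "NTS", "tchar": "u", "ntscookies": 0},   # NTS-KE done, 0 cookies
    {"refid": "NTS", "tchar": "u", "ntscookies": 8},   # NTS-KE done, 8 cookies
    {"refid": "NTS", "tchar": "u"},                    # NTS-KE never completed
    {"refid": "192.0.2.10", "tchar": "u"},             # ordinary, non-NTS peer
]


def t_column_buggy(peer):
    """Assumed pre-fix behaviour: a missing slot reads back as 0, so the
    code tested > 0 to avoid showing '0' for non-NTS peers.  Side effect:
    an NTS client holding zero cookies also never shows its '0'."""
    cookies = peer.get("ntscookies", 0)
    return str(cookies) if cookies > 0 else peer["tchar"]


def t_column_fixed(peer):
    """Eric's fix: default ntscookies to -1 and test for > -1, so only slots
    that really carry a cookie count are rendered as a digit, 0 included."""
    cookies = peer.get("ntscookies", -1)
    return str(cookies) if cookies > -1 else peer["tchar"]


def nts_state(refid, t_col):
    """Read the two columns together as Hal describes: NTS in refid with a
    'u' in t means NTS-KE did not work; a digit means NTS-KE succeeded and
    that many cookies are held."""
    if refid != "NTS":
        return "not an NTS slot"
    if t_col == "u":
        return "NTS-KE failed"
    if t_col.isdigit():
        return f"NTS-KE ok, {int(t_col)} cookie(s) held"
    return "unrecognised t column"


def render(peers, t_column):
    """Build (refid, t, interpretation) rows using the given t-column renderer."""
    rows = []
    for p in peers:
        t_col = t_column(p)
        rows.append((p["refid"], t_col, nts_state(p["refid"], t_col)))
    return rows
```

Running `render(PEERS, t_column_buggy)` shows the zero-cookie NTS client as a plain "u", indistinguishable from a failed NTS-KE; `render(PEERS, t_column_fixed)` separates the two.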
Hal Murray :
>
> > What still needs to be done to fully land this feature? Key rotation?
> > Anything else?
>
> I've been collecting major items in devel/TODO-NTS
Is there some reason this isn't just a section in nts.adoc? (Which
may need some GC at this point.) The whole idea of that document
Eric said:
>> I've been collecting major items in devel/TODO-NTS
> Is there some reason this isn't just a section in nts.adoc? (Which may need
> some GC at this point.) The whole idea of that document was to be a planning
> whiteboard.
Only signal to noise. I was trying to capture the big ide
On Fri, Mar 1, 2019 at 7:01 PM Gary E. Miller via devel wrote:
> "noval" is not mostly for debugging. It is essential for off
> network operation.
There's no point in doing NTS if you're not doing certificate
validation. The result isn't any more secure than unauthenticated NTP.
Gary said:
> It is missing key rotation. Also how to share keys between standalone NTS-KE
> and NTPD.
Why do we need a standalone NTS-KE server?
> Gary said:
> "noval" is not mostly for debugging. It is essential for off network
> operation.
I don't understand that use case. Without checkin
Yo Hal!
On Fri, 01 Mar 2019 19:55:15 -0800
Hal Murray via devel wrote:
> Gary said:
> > It is missing key rotation. Also how to share keys between
> > standalone NTS-KE and NTPD.
>
> Why do we need a standalone NTS-KE server?
Because that is the initial use case. If each ntpd had nts-ke in
Yo Daniel!
On Fri, 1 Mar 2019 21:26:15 -0500
Daniel Franke wrote:
> On Fri, Mar 1, 2019 at 7:01 PM Gary E. Miller via devel wrote:
> > "noval" is not mostly for debugging. It is essential for off
> > network operation.
>
> There's no point in doing NTS if you're not doing certificate
> va
Which ones do you intend to relax? And in any case you don't need a whole
CA, you can pin a self-signed cert and still do full validation on it.
On Fri, Mar 1, 2019, 23:41 Gary E. Miller via devel wrote:
> Yo Daniel!
>
> On Fri, 1 Mar 2019 21:26:15 -0500
> Daniel Franke wrote:
>
> > On Fri, Mar
Gary said:
> Because that is the initial use case. If each ntpd had nts-ke in it then
> there would be no need for such a complicated protocol.
> The way Mark explained it to me, you want one NTS-KE per aisle, or per rack.
> That limits the number of servers, with keys, that need to be protecte
> And the NTS-KE and NTPD are NOT on the same host?
No. I misinterpreted your question.
>> I don't understand that use case. Without checking the certificate,
>> you have no real security.
> Not complete security, but at least encryption. And there are levels of
> validation. If you are off
> I'll take responsibility for the documentation.
Thanks.
Be sure to include a section that says that NTS doesn't guarantee good time,
just that you are talking to the system you expect to talk to. (modulo typos
and such)