Feature #8149
openNTPsec
0%
Description
Would pfSense integrate NTPsec client/server support to help protect OpenVPN against MITM attacks? Denial of service can happen if the clocks fall out of synchronization.
Updated by Wilhelm Johansen over 4 years ago
Cloudflare is supporting this: https://blog.cloudflare.com/secure-time/ (time.cloudflare.com:1234).
https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/
Updated by Wilhelm Johansen over 4 years ago
chrony-4.0 also supports Network Time Security (NTS), as of 7 Oct 2020: https://chrony.tuxfamily.org/news.html
OPNsense 20.7.3 now has chrony available as a package: https://opnsense.org/opnsense-20-7-3-released/ - do not know which version.
My understanding is that adding chrony as a package was last discussed in 2016? https://forum.netgate.com/topic/106105/chrony
Instead of doing a host override pointing time/time-ios/euro/asia .apple.com etc. to my NTS enabled NTP server(s), it would be beneficial just pointing to pfSense, which would get time with NTS.
Interesting read from 2017: https://lwn.net/Articles/735211/
Updated by Jim Pingle over 4 years ago
We stated in the linked Reddit thread that if we were to change, the option we would consider is ntimed, not ntpsec.
https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/dw79m69/
We have looked into Chrony as well and decided to stay with ntpd for the time being.
Updated by Wilhelm Johansen over 4 years ago
Last commit was 6 years ago .. https://github.com/bsdphk/Ntimed
All right, thank you for your feedback anyways!
Updated by Sergei Shablovsky 16 days ago
Richard Yao wrote:
Would pfSense integrate NTPsec client/server support to help protect OpenVPN against MITM attacks? Denial of service can happen if the clocks fall out of synchronization.
Let me add some links here which may be useful.
Some basic info here: https://blog.ntpsec.org/2019/01/02/starting-nts.html
GitLab https://gitlab.com/NTPsec/ntpsec/
Start point https://blog.cloudflare.com/secure-time/
Updated by Sergei Shablovsky 16 days ago
Jim Pingle wrote in #note-4:
We stated in the linked Reddit thread that if we were to change, the option we would consider is ntimed, not ntpsec.
https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/dw79m69/
We have looked into Chrony as well and decided to stay with ntpd for the time being.
Around 5 years (!) ago the request for going away from ntpd started. What is the point of view on this inside pfSense DevTeam?
Thank You!