Feature #8149

open

NTPsec

Added by Richard Yao over 7 years ago. Updated 16 days ago.

Status: New
Priority: Normal
Assignee: -
Category: NTPD
Target version: -
Start date: 11/30/2017
% Done: 0%

Description

Would pfSense integrate NTPsec client/server support to help protect OpenVPN against MITM attacks? Denial of service can happen if the clocks fall out of synchronization.

Actions #1

Updated by Jim Pingle almost 6 years ago

  • Category set to NTPD
Actions #3

Updated by Wilhelm Johansen over 4 years ago

chrony-4.0 also supports Network Time Security (NTS), as of 7 Oct 2020: https://chrony.tuxfamily.org/news.html

OPNsense 20.7.3 now has chrony available as a package: https://opnsense.org/opnsense-20-7-3-released/ - do not know which version.

My understanding is that adding chrony as a package was last discussed in 2016? https://forum.netgate.com/topic/106105/chrony

Instead of doing a host override pointing time/time-ios/euro/asia .apple.com etc. to my NTS enabled NTP server(s), it would be beneficial just pointing to pfSense, which would get time with NTS.

Interesting read from 2017: https://lwn.net/Articles/735211/

https://www.freshports.org/net/chrony/

Actions #4

Updated by Jim Pingle over 4 years ago

We stated in the linked Reddit thread that if we were to change, the option we would consider is ntimed, not ntpsec.

https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/dw79m69/

We have looked into Chrony as well and decided to stay with ntpd for the time being.

Actions #5

Updated by Wilhelm Johansen over 4 years ago

Last commit was 6 years ago .. https://github.com/bsdphk/Ntimed

All right, thank you for your feedback anyways!

Actions #6

Updated by Sergei Shablovsky 16 days ago

Richard Yao wrote:

Would pfSense integrate NTPsec client/server support to help protect OpenVPN against MITM attacks? Denial of service can happen if the clocks fall out of synchronization.

Let me add some links here which may be useful.

Some basic info here: https://blog.ntpsec.org/2019/01/02/starting-nts.html

GitLab https://gitlab.com/NTPsec/ntpsec/

Start point https://blog.cloudflare.com/secure-time/

Actions #7

Updated by Sergei Shablovsky 16 days ago

Jim Pingle wrote in #note-4:

We stated in the linked Reddit thread that if we were to change, the option we would consider is ntimed, not ntpsec.

https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/dw79m69/

We have looked into Chrony as well and decided to stay with ntpd for the time being.

Around 5 years (!) ago the request for going away from ntpd started. What is the point of view on this inside the pfSense DevTeam?

Thank You!
