Feature #8149
openNTPsec
Description
Would pfSense integrate NTPsec client/server support to help protect OpenVPN against MITM attacks? Denial of service can happen if the clocks fall out of synchronization.
Updated by Wilhelm Johansen about 4 years ago
Cloudflare is supporting this: https://blog.cloudflare.com/secure-time/ (time.cloudflare.com:1234).
https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/
Updated by Wilhelm Johansen about 4 years ago
chrony-4.0 also supports Network Time Security (NTS), as of 7 Oct 2020: https://chrony.tuxfamily.org/news.html
OPNsense 20.7.3 now has chrony available as a package: https://opnsense.org/opnsense-20-7-3-released/ - do not know which version.
My understanding is that adding chrony as a package was last discussed in 2016? https://forum.netgate.com/topic/106105/chrony
Instead of doing a host override pointing time/time-ios/euro/asia .apple.com etc. to my NTS enabled NTP server(s), it would be beneficial just pointing to pfSense, which would get time with NTS.
Interesting read from 2017: https://lwn.net/Articles/735211/
Updated by Jim Pingle about 4 years ago
We stated in the linked Reddit thread that if we were to change, the option we would consider is ntimed, not ntpsec.
https://www.reddit.com/r/PFSENSE/comments/86hlvo/any_plans_to_migrate_ntp_ntpsec/dw79m69/
We have looked into Chrony as well and decided to stay with ntpd for the time being.
Updated by Wilhelm Johansen about 4 years ago
Last commit was 6 years ago .. https://github.com/bsdphk/Ntimed
All right, thank you for your feedback anyway!