authorterminaldweller <devi@terminaldweller.com>2024-03-05 19:25:48 +0000
committerterminaldweller <devi@terminaldweller.com>2024-03-05 19:25:48 +0000
commitce567a174835644d29f3b7f4a4626f07dfb05b0a (patch)
tree4ade54ab126046515fda0dc959f6d40bbaa71607 /mds/NTP.txt
parentdowngraded mongo to v6 for now (diff)
added a new script to convert all md to asciidoc, rss feed now sends the entire asciidoc for the teaser
Diffstat (limited to 'mds/NTP.txt')
-rw-r--r--mds/NTP.txt184
1 files changed, 184 insertions, 0 deletions
diff --git a/mds/NTP.txt b/mds/NTP.txt
new file mode 100644
index 0000000..8060191
--- /dev/null
+++ b/mds/NTP.txt
@@ -0,0 +1,184 @@
+== After NTP Comes NTS
+
+Well for this one I will be talking a bit about NTP and NTS. Unlike the
+DNS post there isnt much going on here.
+
+NTP is plain-text, NTS uses TLS so if our requests are tampered with, we
+can know. There is the ``oooh, you cant see what I’m sending now'' but
+in this case its NTP so the content being secret is not necessarily more
+important than making sure the content has not been modified(guarantee
+of integrity).
+
+So far so good. But before we go any further, lets talk about what we
+are trying to achieve here, in other works, what requirements are we
+trying to satisfy here:
+
+* REQ-001: The NTP(NTS) requests shall be anonymous
+* REQ-002: It shall be evient when an NTP(NTS) requests has been
+tampered with
+* REQ-003: It should not be known which time servers are being used
+upstream by the client
+
+Now talk about the problem. The protocol is fine. We are sending TCP
+with TLS here. That’s brilliant. We get all this:
+
+....
+* Identity: Through the use of a X.509 public key infrastructure, implementations can cryptographically establish the identity of the parties they are communicating with.
+* Authentication: Implementations can cryptographically verify that any time synchronization packets are authentic, i.e., that they were produced by an identified party and have not been modified in transit.
+* Confidentiality: Although basic time synchronization data is considered nonconfidential and sent in the clear, NTS includes support for encrypting NTP extension fields.
+* Replay prevention: Client implementations can detect when a received time synchronization packet is a replay of a previous packet.
+* Request-response consistency: Client implementations can verify that a time synchronization packet received from a server was sent in response to a particular request from the client.
+* Unlinkability: For mobile clients, NTS will not leak any information additional to NTP which would permit a passive adversary to determine that two packets sent over different networks came from the same client.
+* Non-amplification: Implementations (especially server implementations) can avoid acting as distributed denial-of-service (DDoS) amplifiers by never responding to a request with a packet larger than the request packet.
+* Scalability: Server implementations can serve large numbers of clients without having to retain any client-specific state.
+* Performance: NTS must not significantly degrade the quality of the time transfer. The encryption and authentication used when actually transferring time should be lightweight.
+....
+
+exerpt from https://www.rfc-editor.org/rfc/rfc8915[RFC 8915]
+
+If we find a client that lets us use a SOCKS5 proxy, then we can send
+our NTS requests over Tor and then call it a day. REQ-002 and REQ-003
+are being satisfied by using TLS. The missing piece is REQ-001,
+anonymizing the requests.
+
+This is not something for the protocol to handle so then we have to look
+for a client that support a SOCKS5 proxy.
+
+Unfortunately https://gitlab.com/chrony/chrony[chrony] and
+https://github.com/pendulum-project/ntpd-rs[ntpd-rs] do not support
+SOCKS5 proxies.
+
+* for ntpd-rs look
+https://github.com/pendulum-project/ntpd-rs/discussions/1365[here]
+
+Which menas our setup is not complete.
+
+=== Implementation
+
+We will be using ntpd-rs as the client. We will also setup one NTS
+server using https://gitlab.com/NTPsec/ntpsec[ntpsec].
+
+[source,toml]
+----
+[observability]
+log-level = "info"
+observation-path = "/var/run/ntpd-rs/observe"
+
+[[source]]
+mode = "nts"
+address = "virginia.time.system76.com"
+
+[[source]]
+mode = "nts"
+address = "mmo1.nts.netnod.se"
+
+[[source]]
+mode = "nts"
+address = "ntppool1.time.nl"
+
+[[source]]
+mode = "nts"
+address = "ntp1.glypnod.com"
+
+[[source]]
+mode = "nts"
+address = "ntp3.fau.de"
+
+[synchronization]
+single-step-panic-threshold = 1800
+startup-step-panic-threshold = { forward="inf", backward = 1800 }
+minimum-agreeing-sources = 3
+accumulated-step-panic-threshold = 1800
+
+[[server]]
+listen = "127.0.0.1:123"
+
+[[server]]
+listen = "172.17.0.1:123"
+
+[[server]]
+listen = "192.168.121.1:123"
+
+[[server]]
+listen = "10.167.131.1:123"
+
+[[server]]
+listen = "[::1]:123"
+----
+
+[source,config]
+----
+nts enable
+nts key /etc/letsencrypt/live/nts.dehein.org/privkey.pem
+nts cert /etc/letsencrypt/live/nts.dehein.org/fullchain.pem mintls TLS1.3
+nts cookie /var/lib/ntp/nts-keys
+nts-listen-on 4460
+server 0.0.0.0 prefer
+
+server ntpmon.dcs1.biz nts # Singapore
+server ntp1.glypnod.com nts # San Francisco
+server ntp2.glypnod.com nts # London
+
+tos maxclock 5
+
+restrict default kod limited nomodify noquery
+restrict -6 default kod limited nomodify noquery
+
+driftfile /var/lib/ntp/ntp.drift
+
+statsdir /var/log/ntpstats/
+----
+
+[source,yaml]
+----
+version: "3.9"
+services:
+ filebrowser:
+ image: ntpsec
+ build:
+ context: .
+ deploy:
+ resources:
+ limits:
+ memory: 128M
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "50m"
+ networks:
+ - ntsnet
+ ports:
+ - "4460:4460/tcp"
+ restart: unless-stopped
+ entrypoint: ["ntpd"]
+ command: ["-n", "-I", "0.0.0.0", "-d", "5"]
+ volumes:
+ - ./ntp.conf:/etc/ntp.conf:ro
+ - /etc/letsencrypt/live/nts.dehein.org/fullchain.pem:/etc/letsencrypt/live/nts.dehein.org/fullchain.pem:ro
+ - /etc/letsencrypt/live/nts.dehein.org/privkey.pem:/etc/letsencrypt/live/nts.dehein.org/privkey.pem:ro
+ - vault:/var/lib/ntp
+ cap_drop:
+ - ALL
+ cap_add:
+ - SYS_NICE
+ - SYS_RESOURCE
+ - SYS_TIME
+networks:
+ ntsnet:
+volumes:
+ vault:
+----
+
+=== Links
+
+* https://www.rfc-editor.org/rfc/rfc8915[RFC 8915]
+* https://github.com/jauderho/nts-servers[Here] you can find a list of
+publicly available servers that support NTS
+
+timestamp:1709418680
+
+version:1.0.0
+
+https://blog.terminaldweller.com/rss/feed
+
+https://raw.githubusercontent.com/terminaldweller/blog/main/mds/NTP.md
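Review bot: The statement `We are sending TCP with TLS here` and the later claim that REQ-002 and REQ-003 `are being satisfied by using TLS` overstate what NTS provides, and the post's own RFC 8915 excerpt contradicts it: only the NTS key-exchange runs over TLS/TCP, while the time packets stay UDP and, as the quoted "Confidentiality" bullet says, the synchronization data is sent in the clear with authentication rather than encryption. Integrity (REQ-002) is therefore covered, but the upstream servers named in the `[[source]]` and `server ... nts` entries remain visible on the path as destination addresses and in the key-exchange handshake, so REQ-003 is in the same unsatisfied state as REQ-001 until the SOCKS5/Tor piece exists. I would reword the paragraph to something like `REQ-002 is satisfied by NTS authentication; REQ-001 and REQ-003 both depend on routing the traffic through Tor, which is the missing piece.` It would also help the reader to note next to the ntpsec snippet that `nts-listen-on 4460` is the TCP key-exchange port only and that the mounted key/cert paths are the server's own identity, since the Docker file exposes just that port.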