diff options
Diffstat (limited to 'mds/NTP.txt')
-rw-r--r-- | mds/NTP.txt | 184 |
1 files changed, 184 insertions, 0 deletions
diff --git a/mds/NTP.txt b/mds/NTP.txt new file mode 100644 index 0000000..8060191 --- /dev/null +++ b/mds/NTP.txt @@ -0,0 +1,184 @@ +== After NTP Comes NTS + +Well for this one I will be talking a bit about NTP and NTS. Unlike the +DNS post there isnt much going on here. + +NTP is plain-text, NTS uses TLS so if our requests are tampered with, we +can know. There is the ``oooh, you cant see what I’m sending now'' but +in this case its NTP so the content being secret is not necessarily more +important than making sure the content has not been modified(guarantee +of integrity). + +So far so good. But before we go any further, lets talk about what we +are trying to achieve here, in other works, what requirements are we +trying to satisfy here: + +* REQ-001: The NTP(NTS) requests shall be anonymous +* REQ-002: It shall be evient when an NTP(NTS) requests has been +tampered with +* REQ-003: It should not be known which time servers are being used +upstream by the client + +Now talk about the problem. The protocol is fine. We are sending TCP +with TLS here. That’s brilliant. We get all this: + +.... +* Identity: Through the use of a X.509 public key infrastructure, implementations can cryptographically establish the identity of the parties they are communicating with. +* Authentication: Implementations can cryptographically verify that any time synchronization packets are authentic, i.e., that they were produced by an identified party and have not been modified in transit. +* Confidentiality: Although basic time synchronization data is considered nonconfidential and sent in the clear, NTS includes support for encrypting NTP extension fields. +* Replay prevention: Client implementations can detect when a received time synchronization packet is a replay of a previous packet. +* Request-response consistency: Client implementations can verify that a time synchronization packet received from a server was sent in response to a particular request from the client. +* Unlinkability: For mobile clients, NTS will not leak any information additional to NTP which would permit a passive adversary to determine that two packets sent over different networks came from the same client. +* Non-amplification: Implementations (especially server implementations) can avoid acting as distributed denial-of-service (DDoS) amplifiers by never responding to a request with a packet larger than the request packet. +* Scalability: Server implementations can serve large numbers of clients without having to retain any client-specific state. +* Performance: NTS must not significantly degrade the quality of the time transfer. The encryption and authentication used when actually transferring time should be lightweight. +.... + +exerpt from https://www.rfc-editor.org/rfc/rfc8915[RFC 8915] + +If we find a client that lets us use a SOCKS5 proxy, then we can send +our NTS requests over Tor and then call it a day. REQ-002 and REQ-003 +are being satisfied by using TLS. The missing piece is REQ-001, +anonymizing the requests. + +This is not something for the protocol to handle so then we have to look +for a client that support a SOCKS5 proxy. + +Unfortunately https://gitlab.com/chrony/chrony[chrony] and +https://github.com/pendulum-project/ntpd-rs[ntpd-rs] do not support +SOCKS5 proxies. + +* for ntpd-rs look +https://github.com/pendulum-project/ntpd-rs/discussions/1365[here] + +Which menas our setup is not complete. + +=== Implementation + +We will be using ntpd-rs as the client. We will also setup one NTS +server using https://gitlab.com/NTPsec/ntpsec[ntpsec]. + +[source,toml] +---- +[observability] +log-level = "info" +observation-path = "/var/run/ntpd-rs/observe" + +[[source]] +mode = "nts" +address = "virginia.time.system76.com" + +[[source]] +mode = "nts" +address = "mmo1.nts.netnod.se" + +[[source]] +mode = "nts" +address = "ntppool1.time.nl" + +[[source]] +mode = "nts" +address = "ntp1.glypnod.com" + +[[source]] +mode = "nts" +address = "ntp3.fau.de" + +[synchronization] +single-step-panic-threshold = 1800 +startup-step-panic-threshold = { forward="inf", backward = 1800 } +minimum-agreeing-sources = 3 +accumulated-step-panic-threshold = 1800 + +[[server]] +listen = "127.0.0.1:123" + +[[server]] +listen = "172.17.0.1:123" + +[[server]] +listen = "192.168.121.1:123" + +[[server]] +listen = "10.167.131.1:123" + +[[server]] +listen = "[::1]:123" +---- + +[source,config] +---- +nts enable +nts key /etc/letsencrypt/live/nts.dehein.org/privkey.pem +nts cert /etc/letsencrypt/live/nts.dehein.org/fullchain.pem mintls TLS1.3 +nts cookie /var/lib/ntp/nts-keys +nts-listen-on 4460 +server 0.0.0.0 prefer + +server ntpmon.dcs1.biz nts # Singapore +server ntp1.glypnod.com nts # San Francisco +server ntp2.glypnod.com nts # London + +tos maxclock 5 + +restrict default kod limited nomodify noquery +restrict -6 default kod limited nomodify noquery + +driftfile /var/lib/ntp/ntp.drift + +statsdir /var/log/ntpstats/ +---- + +[source,yaml] +---- +version: "3.9" +services: + filebrowser: + image: ntpsec + build: + context: . + deploy: + resources: + limits: + memory: 128M + logging: + driver: "json-file" + options: + max-size: "50m" + networks: + - ntsnet + ports: + - "4460:4460/tcp" + restart: unless-stopped + entrypoint: ["ntpd"] + command: ["-n", "-I", "0.0.0.0", "-d", "5"] + volumes: + - ./ntp.conf:/etc/ntp.conf:ro + - /etc/letsencrypt/live/nts.dehein.org/fullchain.pem:/etc/letsencrypt/live/nts.dehein.org/fullchain.pem:ro + - /etc/letsencrypt/live/nts.dehein.org/privkey.pem:/etc/letsencrypt/live/nts.dehein.org/privkey.pem:ro + - vault:/var/lib/ntp + cap_drop: + - ALL + cap_add: + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME +networks: + ntsnet: +volumes: + vault: +---- + +=== Links + +* https://www.rfc-editor.org/rfc/rfc8915[RFC 8915] +* https://github.com/jauderho/nts-servers[Here] you can find a list of +publicly available servers that support NTS + +timestamp:1709418680 + +version:1.0.0 + +https://blog.terminaldweller.com/rss/feed + +https://raw.githubusercontent.com/terminaldweller/blog/main/mds/NTP.md |