NTPsec on OpenSwitch

Srivatsan, Srinivasan srinivasan.srivatsan at hpe.com
Tue Jan 5 21:26:46 UTC 2016

Thanks Hal and Eric. I was experimenting with ntpq and found it useful as you said it would. 

Progress updates:
* I have created a NTPsec docker image so that anyone can start playing with it. Its available at https://hub.docker.com/r/srinsriv/ntp/. Steps on how to use it available in the website.
* I also have a partially working NTPsec recipe. Here’s the review in process for that. https://review.openswitch.net/#/c/2991/
* I tried playing with ntpq and have a few things like configuration and statistics sorted out but have some doubts which I’ve listed below.

Non-technical points:
* What is the license which you guys have for using and distributing NTPsec ? I saw this page (https://www.ntpsec.org/license.html). Is this the final license list for NTPsec usage and distribution ? 

I am stuck at a few technical points here:
*  I have enabled a control key but was unable to configure a server through a single ntpq command because it keeps on asking for keyid and password for configuration through ntpq. But it would be helpful to add a server with a single ntpq command with all the options on it, including the keyid and password. Have you used it this way ? 
*  I see that the password is set using 'crypto pw’ and its all plain text. Is there a way to save the password differently or configure the password during runtime ?
*  Could you share the configuration and commands which you used for your tests ? 
*  I have not tested authentication scenario, what is the server configuration which you used for testing authentication. 
* One major issue I see when enabling the NTPsec recipe with my build process is when doing the “waf configure” step it fails. I see it internally calls a configuration script to check the compiler. For checking the compiler it generates a C file, compiles it and tries to execute to find get a specific value from the executable. Currently I see it fail at the last step, because it fails to execute the generated executable with “No such file or directory”. I’ve posted the build/config.log file and ldd,readelf,objdump for the testbuild/testprog which is created in this process. Could you please provide pointers on how to fix this. Link to paste bin: http://pastebin.com/raw/AJBMpqsb 


On 12/23/15, 10:15 PM, "Hal Murray" <hmurray at megapathdsl.net> wrote:

>srinivasan.srivatsan at hpe.com said:
>> For the initial release we are planning to support only NTP client.
>You get a server for "free", without asking for it.  You might be able to 
>hide it with the restrict stuff.
>>      *   Daemon is up and we need to print the current ntp status info,
>>      *   Daemon is up and we need to print the NTP associations info, 
>Poke around with ntpq.  It can read most of the interesting status including 
>the associations.
>There are several different versions of the peers command that squeeze 
>slightly different info into an 80 character line.  (Let us know if you find 
>that something is missing.)
>>      *   Daemon is up, but we need to allow runtime configuration for
>> different NTP servers, along with “prefer” and “version” setting for that
>> NTP server. Can we update the Daemon to pick up this new configuration or do
>> we have to write to the .conf file and then restart the daemon ? 
>ntpq has a :config command which feeds the rest of the line to the config 
>file parser.  I haven't used it.  I expect some parts will work fine and some 
>won't work because it's too late to change the baud rate on a refclock that 
>has already been opened and things like that.  (If you find interesting 
>examples that don't work, we may be able to fix them.)
>I think there is an unpeer command (in the config file, not ntpq) so you can 
>remove servers and add them again to change things.  Again, I haven't tried 
>>      *   Daemon is up, the user would provide the key-number and md5
>> clientpassword. We want to use this configuration for the specific server
>> instead of using autokey. Can a restart of the Daemon be avoided when
>> setting authentication with the ntp client. 
>I haven't tried Autokey.  Shared keys (MD5 and SHA1) work.  I don't know if 
>you can reload the keys file from ntpq.
>>      *   Does the Daemon support configuring of Broadcast, Multicast or
>> Manycasting clients.
>I've tried most of those options, but I might have missed one.  Everything I 
>have tried worked, but sometimes it took me a while to set it up correctly.
>>      *   Does the Daemon support Ipv6 Configuration ? If so does Daemon
>> support mixed Ipv4 and Ipv6 NTP server configuration ? 
>Yes.  Yes.
>These are my opinions.  I hate spam.

More information about the devel mailing list