NTPsec on OpenSwitch
Srivatsan, Srinivasan
srinivasan.srivatsan at hpe.com
Tue Jan 5 21:26:46 UTC 2016
Thanks Hal and Eric. I was experimenting with ntpq and found it useful as you said it would.
Progress updates:
* I have created an NTPsec docker image so that anyone can start playing with it. It's available at https://hub.docker.com/r/srinsriv/ntp/. Steps on how to use it are available on the website.
* I also have a partially working NTPsec recipe. Here’s the review in process for that. https://review.openswitch.net/#/c/2991/
* I tried playing with ntpq and have a few things like configuration and statistics sorted out but have some doubts which I’ve listed below.
Non-technical points:
* What is the license which you guys have for using and distributing NTPsec? I saw this page (https://www.ntpsec.org/license.html). Is this the final license list for NTPsec usage and distribution?
I am stuck at a few technical points here:
* I have enabled a control key but was unable to configure a server through a single ntpq command because it keeps on asking for keyid and password for configuration through ntpq. But it would be helpful to add a server with a single ntpq command with all the options on it, including the keyid and password. Have you used it this way?
* I see that the password is set using 'crypto pw' and it's all plain text. Is there a way to save the password differently or configure the password during runtime?
* Could you share the configuration and commands which you used for your tests?
* I have not tested the authentication scenario. What is the server configuration which you used for testing authentication?
* One major issue I see when enabling the NTPsec recipe with my build process is that the “waf configure” step fails. I see it internally calls a configuration script to check the compiler. For checking the compiler it generates a C file, compiles it and tries to execute it to get a specific value from the executable. Currently I see it fail at the last step, because it fails to execute the generated executable with “No such file or directory”. I’ve posted the build/config.log file and ldd, readelf, objdump for the testbuild/testprog which is created in this process. Could you please provide pointers on how to fix this? Link to paste bin: http://pastebin.com/raw/AJBMpqsb
Thanks
Srinivasan
On 12/23/15, 10:15 PM, "Hal Murray" <hmurray at megapathdsl.net> wrote:
>
>srinivasan.srivatsan at hpe.com said:
>> For the initial release we are planning to support only NTP client.
>
>You get a server for "free", without asking for it. You might be able to
>hide it with the restrict stuff.
>
>
>> * Daemon is up and we need to print the current ntp status info,
>> * Daemon is up and we need to print the NTP associations info,
>
>Poke around with ntpq. It can read most of the interesting status including
>the associations.
>
>There are several different versions of the peers command that squeeze
>slightly different info into an 80 character line. (Let us know if you find
>that something is missing.)
>
>
>> * Daemon is up, but we need to allow runtime configuration for
>> different NTP servers, along with “prefer” and “version” setting for that
>> NTP server. Can we update the Daemon to pick up this new configuration or do
>> we have to write to the .conf file and then restart the daemon?
>
>ntpq has a :config command which feeds the rest of the line to the config
>file parser. I haven't used it. I expect some parts will work fine and some
>won't work because it's too late to change the baud rate on a refclock that
>has already been opened and things like that. (If you find interesting
>examples that don't work, we may be able to fix them.)
>
>I think there is an unpeer command (in the config file, not ntpq) so you can
>remove servers and add them again to change things. Again, I haven't tried
>it.
>
>> * Daemon is up, the user would provide the key-number and md5
>> clientpassword. We want to use this configuration for the specific server
>> instead of using autokey. Can a restart of the Daemon be avoided when
>> setting authentication with the ntp client.
>
>I haven't tried Autokey. Shared keys (MD5 and SHA1) work. I don't know if
>you can reload the keys file from ntpq.
>
>
>> * Does the Daemon support configuring of Broadcast, Multicast or
>> Manycasting clients.
>
>I've tried most of those options, but I might have missed one. Everything I
>have tried worked, but sometimes it took me a while to set it up correctly.
>
>> * Does the Daemon support Ipv6 Configuration? If so does Daemon
>> support mixed Ipv4 and Ipv6 NTP server configuration?
>
>Yes. Yes.
>
>
>
>--
>These are my opinions. I hate spam.
>
>
>
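The shared-key (MD5/SHA1) authentication discussed in this thread, shown as an added example that is not part of the original messages and is not NTPsec code: the sender appends a 4-byte key ID and a digest of the secret concatenated with the 48-byte NTP header, and the receiver recomputes it. The key IDs, secrets and packet contents are constructed for illustration, and extension fields are assumed absent.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed NTP header, no extension fields (assumption)

# Constructed key table in the spirit of a keys file: keyid -> (digest, secret)
KEYS = {
    1: ("md5", b"constructed-md5-secret"),
    2: ("sha1", b"constructed-sha1-secret"),
}

def client_packet(transmit_ts: int) -> bytes:
    """Build a minimal version 4, mode 3 (client) request."""
    first = (0 << 6) | (4 << 3) | 3   # LI=0, VN=4, Mode=3
    # 1 byte flags, 39 zero bytes, 8-byte transmit timestamp at offset 40
    return struct.pack("!B39xQ", first, transmit_ts)

def sign(packet: bytes, keyid: int) -> bytes:
    """Append the MAC: 4-byte key ID followed by digest(secret || header)."""
    algo, secret = KEYS[keyid]
    header = packet[:NTP_HEADER_LEN]
    digest = hashlib.new(algo, secret + header).digest()
    return header + struct.pack("!I", keyid) + digest

def verify(message: bytes) -> bool:
    """Accept only a known key ID with a matching digest."""
    if len(message) < NTP_HEADER_LEN + 4:
        return False                  # no MAC present: unauthenticated
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    (keyid,) = struct.unpack("!I", mac[:4])
    if keyid not in KEYS:
        return False                  # unknown key ID
    algo, secret = KEYS[keyid]
    expected = hashlib.new(algo, secret + header).digest()
    # Constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(mac[4:], expected)

if __name__ == "__main__":
    msg = sign(client_packet(0xE000000000000000), keyid=1)
    tampered = bytes([msg[0] ^ 0x01]) + msg[1:]
    print(len(msg), verify(msg), verify(tampered))
```

Because the secret is the only thing separating a valid MAC from a forged one, the file holding it needs the same protection as any other credential.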