NTS: What next?

Richard Laager rlaager at wiktel.com
Thu Apr 11 22:55:42 UTC 2019

For what they're worth, my random thoughts are below...

On 4/11/19 4:31 AM, Hal Murray via devel wrote:
> There is a potential item: We may need the NTP server to listen on some port 
> in addition to 123 in order to get around various filtering rules leftover 
> from NTP DDoS amplification attacks.  Need more data which a release would 
> help.

My inclination is that tcp 123 is the obvious choice unless/until IANA
allocates a port or some other wider-community consensus develops.

> I think we need a couple of scripts for monitoring certificates.   Details 
> TBD, but I'm thinking of things like when does my certificate expire and tell 
> me ??? about the certificates on the servers I'm using.  This will get more 
> interesting when we figure out what to do about additional certificate 
> checking.  It would be half just a convenient reminder of how to do things and 
> maybe a cron job to warn you that your certificates are timing out or some 
> server's certs are busted.

This problem is not specific to NTPsec, so I would suggest it's out of
scope for here.

Personally, for other TLS certificates, I mainly use certbot. If it
fails to renew the certificate, it exits with a failure status, which
causes the systemd service unit to be in a failed status. I monitor that
(failed units) generally.

If you want to do some verification script, here is a starting point
that I've used:

openssl verify -CAfile chain.pem -purpose sslserver cert.pem

Another idea might be for ntpd (in server mode) to verify the
certificate on startup and log an error (and/or refuse to serve NTS
and/or die) if the server certificate fails verification. If you want to
take that further, you could track the earliest NotAfter in the chain
and do something when the certificate expires.

> We need a good writeup on getting started when the system time may not be 
> known.  That means we have to understand the issues.

Whether it's "good" or not, I don't know, but I already provided one of
these, expanding on the NTS draft's suggestions. See "Certificate
Verification" in devel/nts.adoc, starting at "It is desirable to include
a middle-ground option". Note that all mentions of OCSP are only
applicable if/when you do OSCP; they're not requirements for
implementing the bootstrapping mode.


More information about the devel mailing list