Heads up: incompatible NTS change, Monday midnight, UTC

Richard Laager rlaager at wiktel.com
Mon Apr 20 16:28:58 UTC 2020

On 4/20/20 3:22 AM, Hal Murray via devel wrote:
> One of the last changes to the draft NTS RFC was to change the string constant 
> used to make the keys that are used to encrypt and authenticate the NTP+NTS 
> traffic.
> There isn't any easy way to make a backwards compatible update.
> The symptoms of incompatible versions are that the NTS-KE step will appear to 
> work but the client and server will be using different keys so the NTP+NTS 
> traffic won't work.  The client will use up all 8 cookies then start over with 
> another NTS-KE step.
> Old cookies will continue to work until you restart the client and it gets new 
> cookies.  I expect to be able to restart the server with nothing worse than 
> dropping a packet or two.
> The Cloudflare servers were updated a while ago.  (This is why they aren't 
> working if you are using NTS.)
> Miroslav Lichvar (chrony) and I are planning to ship updated code and restart 
> servers roughly Monday midnight, UTC.  (Late afternoon, Pacific time.)  I'll 
> send another message when I've pushed the button.

By Monday, do you mean today (in which case midnight UTC has passed but
maybe you mean what is technically Tuesday 00:00) or a week from now?

Is the patch available now? If so, can you share it?

Is there a particular reason that the code push (as opposed to
operational deployment) needs to be super tightly coordinated? If not,
can you just push it now?
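
The failure mode described in the quoted message, as an added example that is not part of the original e-mail or of the NTPsec or chrony code: both sides finish the same TLS session, but they feed different label strings to the TLS exporter and so derive different NTP+NTS keys. Assumptions: a TLS 1.3 exporter with SHA-256, constructed placeholder labels (not the real draft or RFC constants), a constructed exporter master secret, and HMAC-SHA256 standing in for the AEAD.

```python
import hashlib
import hmac
import struct

# Constructed placeholders: NOT the real draft or RFC label strings.
OLD_LABEL = b"EXPORTER-example-label-old"
NEW_LABEL = b"EXPORTER-example-label-new"
EMS = bytes(range(32))  # constructed TLS 1.3 exporter master secret

def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full = b"tls13 " + label
    info = (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def tls13_exporter(ems, label, context, length):
    """TLS 1.3 exporter (RFC 8446, section 7.5)."""
    derived = hkdf_expand_label(ems, label, hashlib.sha256(b"").digest(), 32)
    return hkdf_expand_label(derived, b"exporter", hashlib.sha256(context).digest(), length)

def c2s_key(ems, label):
    """Client-to-server key: context = protocol 0 (NTPv4), AEAD 15, direction 0."""
    return tls13_exporter(ems, label, struct.pack(">HHB", 0, 15, 0), 32)

def server_accepts(ems, client_label, server_label, packet=b"constructed NTP request"):
    """True if the tag made with the client's key verifies under the server's key."""
    tag = hmac.new(c2s_key(ems, client_label), packet, hashlib.sha256).digest()
    want = hmac.new(c2s_key(ems, server_label), packet, hashlib.sha256).digest()
    return hmac.compare_digest(tag, want)

def answered(ems, client_label, server_label, cookies=8):
    """Number of requests answered while spending one batch of cookies."""
    return sum(server_accepts(ems, client_label, server_label, b"req %d" % i)
               for i in range(cookies))

if __name__ == "__main__":
    print("same label:", answered(EMS, NEW_LABEL, NEW_LABEL))
    print("mismatched label:", answered(EMS, OLD_LABEL, NEW_LABEL))
```

With mismatched labels every request in the batch fails authentication even though the key-establishment step completed, which is the pattern to look for in client logs: repeated NTS-KE runs with no authenticated NTP responses in between.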

