NTS not 'working', likely operator error
Paul Theodoropoulos
paul at anastrophe.com
Tue Apr 9 03:40:45 UTC 2024
On 4/8/2024 20:05 PM, Hal Murray via users wrote:
>> root@ 64bit A-NTPsec: ~ # tcpdump port 4460
> That's just the TCP/TLS connection to get the initial cookies.
>
> I tried nts.anastrophe.com from here. It works without NTS and doesn't work
> with NTS.
Ah, thanks Hal. I had it in my head that the time service for NTS flowed
over the TCP channel as well, but two minutes of reading from the RFC
cleared up that misconception quickly...
> My best guess is that Comcast is not totally blocking port 123, but doing
> something like filtering out anything over 48 bytes long.
>
> How is your contact with their support? If you can find the right person they
> can probably confirm that.
Comcast is horrendously difficult to work with on anything more complex
than 'muh internets is down'. I have just a standard residential
connection. I've fought with them endlessly about their misapplication of
their own rules having to do with email transport, in my capacity as
running the mailserver in AWS.
What I'm wondering now is if there is some fubar in the way I have things
set up wrt the certificate(s). I make the NTP service available as
ntpsec.anastrophe.com, but the NTS service tied to nts.anastrophe.com for
the cert. Perhaps this is creating a mismatch of sorts, though since the
source host/IP is the same either way, I would think not. I'll take a
quick poke at that avenue.
> We/you could do some experiments. Setup a UDP echo server on port 123. Write
> a client that tests various lengths. [You will have to turn off ntpd to free
> up port 123.]
>
> I'll send you some crufty code if you don't want to write it.
Thanks. I've zero coding abilities beyond bash scripts. But I'll take a
poke at the cert aspect first.
--
Paul Theodoropoulos
www.anastrophe.com