"Roughtime NTP" setting time help

Please help to set up NTP.
I would like to use NTP as explained here https://roughtime.googlesource.com/roughtime
and here https://developers.cloudflare.com/time-services/roughtime/
using port 2002, and it seems like tokens or certificates are used.
I suppose some port forwarding is needed, but that’s why I’m asking for help. Don’t know :see_no_evil:
Regards
G70P

To begin, the software should be ported as an add-on for IPFire. The team responsible for IPFire is currently occupied with maintaining the 2.0 version and working on the development of the 3.0 branch. Consequently, if you wish to have this feature, you will need to handle the software porting on your own. The wiki provides all the necessary information for developers to create an add-on.

4 Likes

That won’t be possible as ntp is integrated as a core part of IPFire already, so changing it requires an update of IPFire as a whole.

At the minimum the following files from the IPFire 2.x git repo would need to be adjusted in some way. NTP might be referenced elsewhere in IPFire 2.x. These are the obvious files that need to be looked at.

ntp lfs file
ntp rootfile file
WUI time.cgi file
timectrl.c file to control startup
ntp initscript file

The link from @cfusco is the place to go to learn how to do this. I suspect you would have to make your own build because I think the IPFire devs would be more focussed on making such a large change on IPFire 3.x and not keen to accept such a large significant change that could end up breaking IPFire. The time performance is critically used in many stages, especially with regard to package downloads with pakfire.

3 Likes

Completely beyond my skills :see_no_evil:
Thanks for pointing a way.

I just checked and I cannot find a roughtime package in the Ubuntu or Debian repositories; it means this is a really new protocol, probably experimental… No roughtime in OpenBSD (security is important for them, they developed the secure OpenNTPD server). No article on Wikipedia…

I assume it is possible to build a local roughtime server in the local network, add an NTP server (for compatibility with NTP clients) and connect the NTP server of IPFire to it, as an NTP source…

3 Likes

Cloudflare has a good article about NTP security and their time.cloudflare.com service. They support NTP, Roughtime and NTS, details here.

NTS is a “secure” version of NTP. NTS is supported in Chrony and NTPsec, these are in the Ubuntu repository. These services are replacements for ntpd.

Article about NTS & Chrony in Fedoramagazine

How to use NTS - NTPsec & Chrony

NTS with NTPsec

ArchLinux page about NTPsec has link to public servers with NTS support

Public NTP servers from pool.ntp.org do not support NTS protocol…


Important note. When the time on a computer is seriously wrong, NTS fails to synchronize time (because certificates are not valid). In such a case, the initial time synchronization has to be done with NTP, or validation of certificates in NTS has to be temporarily disabled… For example, an RPI without an RTC module has to get the correct time during the boot process from the network, and because the time could be in the past, the initial time synchronization cannot be done with NTS.
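
One way to handle the wrong-clock case from the post above with chrony, as an added example that is not part of the original thread or of IPFire's configuration. It assumes chrony 4.0 or later; the file paths are assumptions, and time.cloudflare.com is the service named in the post.

```conf
# /etc/chrony.conf (constructed example; path is an assumption)

# NTS-authenticated time source. Add further NTS-capable servers you
# trust so that one source cannot decide the time on its own.
server time.cloudflare.com iburst nts

# Keep NTS keys and cookies across restarts so that a restart does not
# always need a new NTS-KE (TLS) handshake. Directory is an assumption.
ntsdumpdir /var/lib/chrony

# A host without an RTC boots with a clock far in the past, so every
# server certificate looks "not yet valid" and NTS-KE fails.
# nocerttimecheck N skips only the certificate activation/expiration
# time checks until the clock has been updated N times. With N = 1 the
# first update is accepted without that check (an expired or
# not-yet-valid certificate is not rejected for it); every later
# handshake is checked in full. The certificate chain and hostname are
# still verified throughout.
nocerttimecheck 1

# Permit stepping the clock during the first 3 updates if the offset is
# larger than 1 second, which is needed to recover from a boot-time
# clock that is months or years off.
makestep 1.0 3

# Record the measured frequency error of the local oscillator.
driftfile /var/lib/chrony/drift
```

Leave `nocerttimecheck` out on hosts that have a working RTC; there the default full certificate check costs nothing.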

I have been thinking of running my own time server, PTP, NTPS …

What made you choose roughtime? I think it is defined within 10 seconds of precision.

I am personally looking for a precision of <0.1 sec

The current NTP system will get you less than 0.1 seconds.

This is my NTP at +0.002656 sec:

[root@ipfire ~] # ntpdate -q -t 10 0.us.pool.ntp.org
server 162.159.200.1, stratum 3, offset +0.004928, delay 0.03615
server 5.161.111.190, stratum 4, offset +0.005525, delay 0.05272
server 72.30.35.89, stratum 2, offset +0.002656, delay 0.07011
server 51.81.226.229, stratum 2, offset +0.004983, delay 0.08533
 9 Aug 13:07:32 ntpdate[1477]: adjust time server 72.30.35.89 offset +0.002656 sec
[root@ipfire ~] # 

Please pick an ntp server in your area.


EDIT:
with the ipfire.pool.ntp.org the offset +0.004341 sec:

[root@ipfire ~] # ntpdate -q -t 10 0.ipfire.pool.ntp.org
server 159.203.82.102, stratum 3, offset +0.006011, delay 0.05656
server 72.46.61.205, stratum 2, offset +0.001221, delay 0.06346
server 64.79.100.196, stratum 2, offset +0.004341, delay 0.03577
server 66.228.58.20, stratum 3, offset +0.007762, delay 0.05869
 9 Aug 13:16:43 ntpdate[1915]: adjust time server 64.79.100.196 offset +0.004341 sec
[root@ipfire ~] # 

5 Likes

My internal time servers do ns timing.

However, due to delays in my network (yes, there are switches), it really amounts to micro-sec timing. Looking at the output of ntpq -p, the IPFire firewall reports time to 0.3 milliseconds. (By the way, I hate a program that does not report units. Think Mars explorer: is it pounds or kg? If you are wrong, it burns up in the Martian atmosphere, which it did.)

I chose to build my own servers for a couple of reasons, the first was to reduce any potential attack surface. If my devices are not getting time from some unknown time source, then they are better protected. Accuracy, I like accuracy, it is an engineering thing.

PZ

1 Like

Yes, I was curious why roughtime of <10 sec would be a target for G70P.

You got great numbers but are you confident :face_in_clouds: that your offset at +0.002656 sec is relevant? It looks like your IPFire is getting time from 3-4 hops away :innocent:

Obviously this is just vain and valueless to IPFire and firewalls, but there are some industries where PTP is needed for compliance.

@jaegers49 could you share what kind of time servers you built?

Roughtime looks interesting.
But it is not super new and after reading their webpage
There is a secure version of NTPv4 AutoKey. Never heard of either.
And that has not caught on!
This would really be cool if it was a decentralized time server.
Sort of Torrent-like for time. That would be cool.

Peppe Tech
It was late and I misread the output from ntpq -p; the delay runs about .1 to .3 milliseconds, but the actual offset is about 10 to 30 microseconds. If the device is running chrony, and the xleave option is specified, this offset drops to about 1 to 10 microseconds.

I posted the type of time servers on CU169 NTP Polling Question - #9 by jaegers49, so hopefully that answers your question.

PZ

1 Like