Trying NTP from Cloudflare
I’ve read a really interesting article on Cloudflare blog about NTP – Network Time Protocol – and its current set of security issues. As always, before actual service offering is provided, Cloudflare lists available alternatives and even provides history of the NTP protocol and its implementation – something I really enjoyed reading.
Confirming current NTPd State in Linux
becky, one of the Raspberry Pi systems I have, had the default Debian NTP pools configured and running like this:
greys@becky:~ $ ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== 0.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 1.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 2.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 3.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 -euphoric.ca 213.251.128.249 2 u 156 512 377 111.267 3.890 0.954 -de-user.deepini 195.13.23.5 3 u 149 512 377 43.721 3.085 0.623 *194.80.204.184 .GPS. 1 u 29 64 377 29.516 0.410 0.082 +ntp-ext.cosng.n 146.213.3.181 2 u 230 256 377 51.244 -0.209 0.534 -kabel.akku.expr .DCFa. 1 u 232 256 377 47.555 -2.329 22.182 +bray.walcz.net 140.203.204.77 2 u 11 256 377 10.880 -0.030 0.434
Trying the time.cloudflare.com NTP
I decided to add time.cloudflare.com as a pool to the /etc/ntp.conf file.
I changed section of the /etc/ntp.conf file from this:
pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst
to this:
pool time.cloudflare.com iburst pool 0.debian.pool.ntp.org iburst pool 1.debian.pool.ntp.org iburst pool 2.debian.pool.ntp.org iburst pool 3.debian.pool.ntp.org iburst
After restarting NTPd:
greys@becky:~ $ sudo systemctl restart ntp
… we can now see new NTP servers in the mix, specifically two new servers from Cloudflare:
greys@becky:~ $ ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== time.cloudflare .POOL. 16 p - 64 0 0.000 0.000 0.001 0.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 1.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 2.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 3.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000 0.001 +162.159.200.1 10.52.8.83 3 u 13 64 377 10.284 -0.916 0.432 -162.159.200.123 10.52.8.83 3 u 12 64 377 10.464 -0.763 0.498 +ec2-52-17-231-7 193.120.142.71 2 u 11 64 377 10.457 -0.630 0.343 -tbag.heanet.ie 140.203.204.77 2 u 79 128 377 10.354 -1.393 0.589 *ntp4.bit.nl .PPS. 1 u 16 64 377 27.093 -0.242 0.122
No Easy NTS Implementation Yet
I wanted to give NTS (Network Time Security) implementation a try, but seems it’s not possible yet with standard NTPd in Raspbian/Debian. The article described NTS at quite a length, so it should be fascinating when this becomes yet another core service properly secured with TLS or similar approach.
I’m not sure I want to switch another service of mine to Cloudflare on all the servers and systems just yet, but generally it’s an interesting idea. So we’ll see how this works (must really start graphing NTP in my monitoring setup)!