I brought up my first relay over the weekend and I am waiting for traffic to ramp up.
In a few places I've read the suggestion to use NTP to keep the relay's clock in sync. Fair enough, but now there is a problem...
I've been reading up on NTP a bit and using ntpdate to occasionally update the system time is now deprecated. We're supposed to run ntpd. Ntpd docs make it sound like ntpd needs to run a listener to function at all. I'd rather not add additional attack surface to my relay.
Those of you who run relays, how are you keeping your system clock in sync?
My relay is on FreeBSD 11.
Thanks,
---mkb
Michael Brodhead:
I've been reading up on NTP a bit and using ntpdate to occasionally update the system time is now deprecated. We're supposed to run ntpd. Ntpd docs make it sound like ntpd needs to run a listener to function at all.
I'd rather not add additional attack surface to my relay.
I agree.
The daemon would give you better precision and fewer "jumps", but running ntpdate via cron regularly should do it as well (tor does not need super sub-second exact time).
ntpd runs fine without listener or with it blocked
https://www.ntpsec.org/ http://openntpd.org/ https://wikipedia.org/wiki/Ntpd
https://github.com/ioerror/tlsdate/
You can get serviceable time from many sources besides just ntp. Be creative.
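One way to run the ntp.org ntpd that ships in the FreeBSD base system as a pure client, so it still syncs from upstream servers but answers nobody, is a restrict-only /etc/ntp.conf like the following. This is an added example, not a config from anyone in this thread; the pool hostnames are placeholders to replace with sources you trust.

```conf
# /etc/ntp.conf -- client-only ntpd on FreeBSD (added example, not from the thread)

# Upstream time sources (placeholder pools; substitute your own).
pool 0.freebsd.pool.ntp.org iburst
pool 1.freebsd.pool.ntp.org iburst

# Default policy: silently drop every packet that no later restrict line admits.
# This covers both IPv4 and IPv6 in current ntp.org releases.
restrict default ignore

# Only the configured servers (including addresses the pool directive resolves)
# may send us packets, and even they may not modify, trap or query this daemon.
restrict source nomodify notrap noquery

# Loopback stays open so "ntpq -p" works locally for monitoring.
restrict 127.0.0.1
restrict ::1

# Disable the monitor list so the daemon cannot be used as an amplifier.
disable monitor
```

With pf in front of it, a stateful `pass out proto udp to port 123` is sufficient, since the state entry admits the replies and no `pass in` rule for udp/123 is needed. Confirm it is syncing with `ntpq -pn` and that nothing answers from the network side by probing udp/123 from another host.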
Which of these do you use on your relays?
--mkb
On Jul 30, 2018, at 3:49 PM, grarpamp grarpamp@gmail.com wrote:
ntpd runs fine without listener or with it blocked
https://www.ntpsec.org/ http://openntpd.org/ https://wikipedia.org/wiki/Ntpd
https://github.com/ioerror/tlsdate/
You can get serviceable time from many sources besides just ntp. Be creative.
On 1 Aug 2018, at 08:25, Michael Brodhead mkb_cbr@mac.com wrote:
Which of these do you use on your relays?
I ran ntpdate at @restart and daily.
tlsdate is less useful than it used to be, because many TLS headers no longer include the date for privacy reasons.
T
Which of these do you use on your relays?
Some people may or may not consider relays (in general, overlay network nodes) to be a separate class of unix box subject to whatever various concerns, differential administration, etc.
Let's call it a unix box. It's FreeBSD 11.
If you use FreeBSD's packages, ntpsec... while having forked the former ntp.org client in a fine direction (see ntpsec's website)... is not yet available in pkg form, the rest are. It compiles and works fine. Among the rest, if you want to interface with GPS, PPS, radio, old random HW, use exotic timing schemes, graph logs, kitchen sink... that's more like ntp.org, which has a historically large community, and is still the one shipped with the FreeBSD base system. OpenNTPD is very lean and from the security family of OpenBSD. In the bump style of ntpdate, tlsdate is more of a comparator / last ditch anti-censorship tool.
For basic network sync, try openntpd. New to FreeBSD and want their help, go with their base ntp.org. Old school time-nut, ntp.org, or if... Looking for other new perspectives, ntpsec. Stuck in a hole and can't tell noon from midnight, tlsdate.
There's no single answer. I've used them all.
2018-08-01 1:19 GMT+00:00 grarpamp grarpamp@gmail.com:
if you can, setup a stratum 1, but... regarding openntpd@freebsd; https://www.digitalocean.com/community/tutorials/how-to-install-and-configur...
-- Vinícius Zavam keybase.io/egypcio/key.asc
The stratum isn't much relevant to tor relay nodes since they're tolerant by design of more offset than any sane sync would produce, and OP wanted to remain closed so won't be serving up time to others who might care.
More interesting would be putting in opposing pools and security protocols for discrimination and anti fuckery. But at that point you've probably got other threats beyond if you can sync consensus or not.
There is the bit about tor getting time from the tor network itself, don't know if that has been released yet. It would be randomized and not many layers, so likely also moot therein.