How to use NTS

Netnod provides a Network Time Security (NTS) service. This page explains how you can start using NTS. It explains how to set up an NTS client and how to connect to Netnod’s NTS servers.

1. Introduction

Network Time Protocol (NTP) services are vulnerable to a range of attacks: plain NTP is unauthenticated, so anyone on the network path can impersonate a server or alter the packets in transit. With many of today’s most important security processes (certificate validity checks, Kerberos, log timestamps) dependent on accurate time, the consequences of receiving time from a malicious source are serious. Network Time Security (NTS) lets a device authenticate the server it takes time from and detect tampering with the NTP packets, so you can be sure the time you receive actually comes from the source you configured.

Netnod have been running public NTS servers since late 2019. This page explains how you can start using NTS by setting up an NTS client and connecting to Netnod’s NTS servers.

NTS was published as RFC 8915 in September 2020, and since then most Linux distributions ship either Chrony or NTPsec in versions that support it:

  • Chrony version 4.0 and higher support NTS
  • NTPsec version 1.2.0 and higher support NTS (see the NTPsec NTS Quick Start Guide)
  • Both Chrony and NTPsec in those versions are available in:
    • Debian 11 (bullseye) and newer
    • Ubuntu 21.10 (impish) and newer, including Ubuntu 22.04 LTS (jammy)
    • Fedora 35 and newer

It is also possible to run NTPsec or Chrony in a Docker container, and that way it may even be possible to run an NTS client on Windows. Docker and Windows are not covered in this document.

Which software to use, NTPsec or Chrony, is mostly a matter of taste. Both support NTS on most modern Linux distributions. NTPsec is a fork of the NTP reference implementation and supports just about every mode of NTP, including some esoteric ones that are no longer in common use. Chrony is an independent implementation of NTP that supports only the most commonly used modes, which makes it a bit easier to understand. On Fedora it is easier to get started with Chrony since it is the default there.

If you run Debian or Ubuntu, follow instructions in section 2.

If you run Fedora, follow instructions in section 3.

2. Debian or Ubuntu

If you are using Debian, make sure you are running Debian 11 (bullseye) or later.

If you are using Ubuntu, make sure you are running Ubuntu 21.10 (impish) or later. 

All commands below should be run as the root user or with "sudo".

If you want to use NTPsec, continue with section 2.1

If you want to use Chrony, jump to section 2.2.

2.1 NTPsec

2.1.1 Installing NTPsec

By default NTPsec is not installed. Install it using the package manager or by running the following command:

apt install ntpsec

Note that if Chrony was previously installed it will automatically be uninstalled. Installing this package will automatically start the service and also enable the service so that it starts when the computer is restarted.

2.1.2 Verify NTPsec works as an NTP client

Start by verifying that the NTP software is working properly and able to act as an NTP client. 

Run the "ntpq" command to verify that NTPsec is running:

ntpq -p

The output should look like this:

     remote           refid      st t when poll reach   delay   offset   jitter
===============================================================================
+mmo2.ntp.netnod .PPS.            1 u   26   64   17   9.2106  -3.7291   1.7848
 svl2.ntp.netnod .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
 ntp1.sptime.se  .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
 sth2.ntp.netnod .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
*sth3.ntp.netnod .PPS.            1 u   25   64   17   1.0714  -3.8592   2.4286

NOTE: In the "refid" field above, ".PPS." indicates that the NTP server has a pulse per second input as its time source;  ".INIT." indicates that NTPsec was recently restarted, is still initialising and has not communicated with the NTP server yet.

2.1.3 Configure NTS

Netnod currently runs two NTS servers. 

  • sth1.nts.netnod.se
  • sth2.nts.netnod.se

There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/ntpsec/ntp.conf

Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers.   First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.

# pool pool.ntp.org iburst
# server time.google.com iburst

You can enable these sources later, but comment them out for the moment, since that makes it easier to see whether the NTS servers are working. Then add Netnod's NTS servers. Note the "nts" keyword on each line, which tells NTPsec to use NTS for that server. Use the host name rather than an IP address: the name is what the NTS-KE server's TLS certificate is checked against.

server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst

Save the file and restart NTPsec service by running this command:

systemctl restart ntpsec

2.1.4 Verify that NTS is working

Continue with section 4.1

2.2 Chrony

2.2.1 Installing Chrony

By default Chrony is not installed on Debian or Ubuntu. Install it using the package manager or by running the following command:

apt install chrony

Note that if NTPsec was previously installed it will automatically be uninstalled. Installing this package will automatically start the service and also enable the service so that it is started when the computer is restarted.

2.2.2 Verify Chrony works as an NTP client

Start by verifying that the NTP software is working properly and able to act as an NTP client. 

Run the "chronyc" command to verify that Chrony is running:

chronyc sources

The output should look like this:

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ gbg2.ntp.netnod.se            1   6    17    22   -131us[ -115us] +/- 6088us
^* svl1.ntp.netnod.se            1   6    17    22    -74us[  -58us] +/- 6643us

2.2.3 Configure NTS

Netnod currently runs two NTS servers. 

  • sth1.nts.netnod.se
  • sth2.nts.netnod.se

There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/chrony/chrony.conf

Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers.   First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.

# pool pool.ntp.org iburst
# sourcedir /run/chrony-dhcp
# sourcedir /etc/chrony/sources.d

You can enable these sources later, but comment them out for the moment, since that makes it easier to see whether the NTS servers are working. Then add Netnod's NTS servers. Note the "nts" keyword on each line, which tells Chrony to use NTS for that server. Use the host name rather than an IP address: the name is what the NTS-KE server's TLS certificate is checked against.

server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst

Save the file and restart the Chrony service by running this command:

systemctl restart chronyd

2.2.4 Verify that NTS is working

Continue with section 4.2

3. Fedora

Make sure you are running Fedora 35 or later. All commands below should be run as the root user or with "sudo".

If you want to use NTPsec, jump to section 3.1.

If you want to use Chrony, go to section 3.2.

3.1 NTPsec on Fedora

3.1.1 Installing NTPsec on Fedora

NTPsec is not installed by default on Fedora. Note that it is possible to have both Chrony and NTPsec installed on Fedora at the same time and this will cause conflicts if both are running at the same time. To install NTPsec on Fedora, use the package manager to first uninstall Chrony and then install NTPsec or run the following commands:

yum remove chrony
yum install ntpsec

The default SELinux policy on Fedora stops NTS from working with NTPsec, so put the ntpd_t domain into permissive mode (the semanage tool is in the policycoreutils-python-utils package):

semanage permissive -a ntpd_t

Note that this is a deliberate weakening: SELinux will now log, but no longer block, anything ntpd does outside its policy. Look at the denials with "ausearch -m avc -c ntpd" and consider building a local policy module from them rather than leaving ntpd_t permissive permanently.

Start and enable NTPsec:

systemctl start ntpd
systemctl enable ntpd

3.1.2 Verify NTPsec works as an NTP client 

Run the "ntpq" command to verify that NTPsec is running:

ntpq -p

The output should look like this:

     remote           refid      st t when poll reach   delay   offset   jitter
===============================================================================
+mmo2.ntp.netnod .PPS.            1 u   26   64   17   9.2106  -3.7291   1.7848
 svl2.ntp.netnod .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
 ntp1.sptime.se  .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
 sth2.ntp.netnod .INIT.          16 u    -   64    0   0.0000   0.0000   0.0001
*sth3.ntp.netnod .PPS.            1 u   25   64   17   1.0714  -3.8592   2.4286

NOTE: In the "refid" field above, ".PPS." indicates that the NTP server has a pulse per second input as its time source;  ".INIT." indicates that NTPsec was recently restarted, is still initialising and has not communicated with the NTP server yet.

3.1.3 Configure NTS

Netnod currently runs two NTS servers. 

  • sth1.nts.netnod.se
  • sth2.nts.netnod.se

There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/ntp.conf 

Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers.   First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.

# pool pool.ntp.org iburst
# server time.google.com iburst

You can enable these sources later, but comment them out for the moment, since that makes it easier to see whether the NTS servers are working. Then add Netnod's NTS servers. Note the "nts" keyword on each line, which tells NTPsec to use NTS for that server. Use the host name rather than an IP address: the name is what the NTS-KE server's TLS certificate is checked against.

server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst

Save the file and restart the NTPsec service by running the command:

systemctl restart ntpd

3.1.4 Verify that NTS is working

Continue with section 4.1.

3.2 Chrony on Fedora

3.2.1 Installing Chrony on Fedora

Chrony is installed and enabled by default on a Fedora system. If you have a newly installed Fedora distribution you do not have to do anything.

Note that it is possible to have both Chrony and NTPsec installed on Fedora at the same time and this will cause conflicts if both are running at the same time. If you want to reinstall Chrony, use the package manager to first uninstall NTPsec and then install Chrony, or run the following commands:

yum remove ntpsec
yum install chrony

Then start and enable the Chrony service:

systemctl enable chronyd
systemctl start chronyd

3.2.2 Verify Chrony works as an NTP client 

Run the "chronyc" command to verify that Chrony is running:

chronyc sources

The output should look like this:

MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^+ gbg2.ntp.netnod.se            1   6    17    22   -131us[ -115us] +/- 6088us
^* svl1.ntp.netnod.se            1   6    17    22    -74us[  -58us] +/- 6643us

3.2.3 Configure NTS

Netnod currently runs two NTS servers. 

  • sth1.nts.netnod.se
  • sth2.nts.netnod.se

There are other NTS servers out there, but we recommend you start by using Netnod's servers only. Find the configuration file for the NTP client: /etc/chrony.conf

Edit the configuration file and replace the existing NTP servers with Netnod's NTS servers.   First comment out any lines starting with one of the words "pool", "server", "source" or "sourcedir" by adding a hash sign "#" at the beginning of the line.

# pool pool.ntp.org iburst
# sourcedir /run/chrony-dhcp
# sourcedir /etc/chrony/sources.d

You can enable these sources later, but comment them out for the moment, since that makes it easier to see whether the NTS servers are working. Then add Netnod's NTS servers. Note the "nts" keyword on each line, which tells Chrony to use NTS for that server. Use the host name rather than an IP address: the name is what the NTS-KE server's TLS certificate is checked against.

server sth1.nts.netnod.se nts iburst
server sth2.nts.netnod.se nts iburst

Save the file and restart the Chrony service by running the following command:

systemctl restart chronyd

3.2.4 Verify that NTS is working

Continue with section 4.2.

4. Verify that NTS is working

4.1 Verify that NTS is working on NTPsec

Check the output from "ntpq":

ntpq -p
     remote           refid      st t when poll reach   delay   offset   jitter
===============================================================================
 sth1-ts.nts.net .PPS.            1 8  201  256    1   1.0279   1.1612   0.0000
 sth2-ts.nts.net .PPS.            1 8  200  256    1   0.9522   1.1305   0.0000

“remote” is the name of the NTS server. Note that the name is “sth1-ts.nts.netnod.se”, not “sth1.nts.netnod.se” as specified in the configuration file. This is because NTS runs in two phases. First the client opens a TLS connection over TCP (port 4460) to the NTS key establishment (NTS-KE) server named in the configuration; that is where the server's certificate is verified and where the client receives its keys and a set of cookies. After that, the actual timestamping uses ordinary NTP over UDP with NTS extension fields, protected by those keys. Netnod runs the key establishment server and the timestamping server on different addresses, and the NTS-KE server tells the client which address to use for timestamping, which is why the “-ts” name appears here.

The character at the beginning of the server name says what NTPsec thinks about the server. An asterisk (*) means that NTPsec has selected this server as its primary reference. A plus sign (+) means that NTPsec includes this server in the set it uses to estimate the current time. “refid” is the reference ID for the server, that is, where the NTP server itself gets its time from. “st” is the stratum, the number of hops between the server and a primary clock source such as an atomic clock. In the output above the refid is “.PPS.” and the stratum is 1, meaning the NTS servers were being disciplined directly by a pulse-per-second source. At other times the refid will show an IP address and the stratum 2; if you look up those addresses you will find that they belong to Netnod’s stratum 1 NTP servers sth1.ntp.se and sth2.ntp.se, which the NTS servers then take their time from. The rest of the line shows statistics about NTPsec’s current time estimate relative to the server’s. For a more detailed description of the output, see the NTPsec manual page for the ntpq command.

If you run ntpq very soon after starting NTPsec it will show “nts.netnod.se” as the remote and “.NTS.” as the refid. That means NTPsec is still talking to the NTS key establishment server and has not yet reached the timestamping server.

If your computer has IPv6 connectivity, NTPsec may talk to Netnod's NTS servers over IPv6, and will then usually show the IP address in the "remote" field instead of a host name. That is quite normal.

For a direct check that NTS is in use, "ntpq -c nts" prints NTPsec's NTS counters (key-exchange attempts and the number of NTS-protected packets sent and received); they should keep increasing while the daemon runs.

4.2 Verify that NTS is working on Chrony 

Check the output from "chronyc":

chronyc sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* sth1-ts.nts.netnod.se         1   6   377     3    +18us[  +22us] +/-  538us
^? sth1.nts.netnod.se            0   8     0     -     +0ns[   +0ns] +/-    0ns
^? sth2.nts.netnod.se            0   8     0     -     +0ns[   +0ns] +/-    0ns
^+ sth2-ts.nts.netnod.se         1   6   377     3    -43us[  -43us] +/-  524us

This looks a bit odd, and the reason is the two-phase design of NTS: first the NTS-KE phase (KE stands for "Key Establishment") over TLS, then timestamping over normal NTP with some extension fields for NTS. Netnod's NTS servers run the NTS-KE and the timestamping phases on physically different machines, and both show up in the list of sources. Timestamping is done by the sth1-ts/sth2-ts machines, which show as reachable (Reach 377) and are the ones Chrony selects (^* and ^+). The KE machines are only contacted to fetch keys and cookies and never answer NTP, so they show as unreachable (^?). That is as it should be even though it might look confusing. To confirm that the time packets themselves are NTS-protected, run "chronyc authdata": the Mode column should read NTS for the -ts sources, and the Cook column shows how many cookies Chrony currently holds.
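To make the two phases concrete, here is a small NTS-KE client, added as an example for this page (it is not Netnod's code, nor Chrony's or NTPsec's). It builds the records a client sends over TLS to the key establishment server, parses the reply (the cookies, the negotiated AEAD, and the NTPv4 Server record that points the client at a different host for timestamping, which is what puts sth1-ts.nts.netnod.se in the ntpq and chronyc output above) and rejects replies that cannot be used. The live handshake function assumes the sth1.nts.netnod.se name from this page; the sample reply and its cookie bytes are constructed for the offline check, and deriving the NTP keys from the TLS session is deliberately left out.

```python
"""Minimal NTS-KE client (RFC 8915): build the client's records, parse the server's reply
and check it is usable. Added example, not Netnod's, chrony's or NTPsec's code. Deriving
the C2S/S2C keys from the TLS session (RFC 8915 section 5.1) is left out."""
import socket
import ssl
import struct

NTSKE_PORT, NTP_PORT = 4460, 123    # NTS-KE listens on TCP 4460; 123 if no Port record
ALPN, CRITICAL = "ntske/1", 0x8000  # ALPN id for NTS-KE; high bit of the record type
REC_END_OF_MESSAGE, REC_NEXT_PROTOCOL, REC_ERROR, REC_WARNING = 0, 1, 2, 3  # RFC 8915 4.1
REC_AEAD_ALGORITHM, REC_NEW_COOKIE, REC_NTPV4_SERVER, REC_NTPV4_PORT = 4, 5, 6, 7
PROTO_NTPV4 = 0                     # the only "next protocol" defined so far
AEAD_AES_SIV_CMAC_256 = 15          # the AEAD every NTS implementation must support

class Incomplete(ValueError):
    """Reply ends before its End of Message record."""

def record(rtype, body=b"", critical=False):
    """One record: 2-byte type (MSB = critical bit), 2-byte body length, body."""
    return struct.pack(">HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def build_request():
    """What a client sends once the TLS handshake is done."""
    return (record(REC_NEXT_PROTOCOL, struct.pack(">H", PROTO_NTPV4), critical=True)
            + record(REC_AEAD_ALGORITHM, struct.pack(">H", AEAD_AES_SIV_CMAC_256))
            + record(REC_END_OF_MESSAGE, critical=True))

def parse_response(data):
    """Walk the server's records. Unknown critical records are fatal, unknown
    non-critical ones are skipped, as RFC 8915 section 4 requires."""
    out = {"protocols": [], "aeads": [], "cookies": [], "server": None,
           "port": NTP_PORT, "errors": [], "warnings": []}
    off = 0
    while True:
        if off + 4 > len(data):
            raise Incomplete("no End of Message record")
        hdr, blen = struct.unpack_from(">HH", data, off)
        body = data[off + 4:off + 4 + blen]
        if len(body) != blen:
            raise Incomplete("truncated record body")
        off += 4 + blen
        rtype, critical = hdr & 0x7FFF, bool(hdr & CRITICAL)
        if rtype == REC_END_OF_MESSAGE:
            return out
        if rtype in (REC_NEXT_PROTOCOL, REC_AEAD_ALGORITHM):
            # list of 16-bit IDs; a malformed (odd-length) list raises struct.error
            ids = list(struct.unpack(f">{blen // 2}H", body))
            out["protocols" if rtype == REC_NEXT_PROTOCOL else "aeads"] = ids
        elif rtype in (REC_ERROR, REC_WARNING):
            code = struct.unpack(">H", body)[0]
            out["errors" if rtype == REC_ERROR else "warnings"].append(code)
        elif rtype == REC_NEW_COOKIE:
            out["cookies"].append(body)            # opaque to the client
        elif rtype == REC_NTPV4_SERVER:
            out["server"] = body.decode("ascii")   # NTP goes here, not to the KE host
        elif rtype == REC_NTPV4_PORT:
            out["port"] = struct.unpack(">H", body)[0]
        elif critical:
            raise ValueError(f"unknown critical record type {rtype}")

def check_response(reply):
    """Reasons the reply cannot be used; an empty list means NTP with NTS can start."""
    problems = []
    if reply["errors"]:
        problems.append(f"server sent error code(s) {reply['errors']}")
    if reply["protocols"] != [PROTO_NTPV4]:
        problems.append("server did not select NTPv4")
    if reply["aeads"] != [AEAD_AES_SIV_CMAC_256]:
        problems.append("server did not select AEAD_AES_SIV_CMAC_256")
    if not reply["cookies"]:
        problems.append("no cookies, so no NTS-protected NTP request can be built")
    return problems

def ntske_handshake(host, port=NTSKE_PORT, timeout=5.0):
    """Live exchange, e.g. ntske_handshake("sth1.nts.netnod.se"). The certificate is checked
    against the system CA store and the host name, so the local clock must already be
    roughly right. Both sides close the connection after the exchange, so read to EOF."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3    # RFC 8915 requires TLS 1.3
    ctx.set_alpn_protocols([ALPN])
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        if tls.selected_alpn_protocol() != ALPN:
            raise ValueError("server did not negotiate " + ALPN)
        tls.sendall(build_request())
        buf = b""
        while chunk := tls.recv(4096):
            buf += chunk
        return parse_response(buf)

# Constructed reply in the shape the ntpq/chronyc output above implies: the KE host
# hands the client to sth1-ts.nts.netnod.se for NTP. The cookie bytes are made up.
SAMPLE_REPLY = (
    record(REC_NEXT_PROTOCOL, struct.pack(">H", PROTO_NTPV4), critical=True)
    + record(REC_AEAD_ALGORITHM, struct.pack(">H", AEAD_AES_SIV_CMAC_256), critical=True)
    + b"".join(record(REC_NEW_COOKIE, bytes([i]) * 32) for i in range(8))
    + record(REC_NTPV4_SERVER, b"sth1-ts.nts.netnod.se", critical=True)
    + record(REC_END_OF_MESSAGE, critical=True)
)
# Constructed reply carrying Error code 1, "Bad Request".
ERROR_REPLY = (record(REC_ERROR, struct.pack(">H", 1), critical=True)
               + record(REC_END_OF_MESSAGE, critical=True))
```

A reply whose problems list is empty means the client got everything it needs from phase one; after that the KE host is not contacted again until the cookies are used up or the keys need refreshing, which is why the KE names stay at ^? in "chronyc sources". The TLS prerequisites the script shares with Chrony and NTPsec are worth noting: a working CA store, and a local clock close enough to real time for the NTS-KE certificate to validate.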

5. Connecting to NTS / NTP servers

To ensure you are receiving the most accurate and secure time, we recommend you connect to Netnod’s NTS servers as described above. If you would prefer plain NTP, Netnod's website has the list of Netnod’s NTP servers and the blog post “Best practices for connecting to NTP servers” (Christer Weinigel, 2021-09-09), which covers how to choose servers and how to check that the time you get is correct.
