Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: NTP servers and sources
From: John Kristoff <jtk () DEPAUL EDU>
Date: Wed, 1 Oct 2008 07:45:28 -0500

On Tue, 30 Sep 2008 13:17:34 -0400
Gary Flynn <flynngn () JMU EDU> wrote:

What I was really wondering about was whether there was any
consensus or commonalities in high level design decisions
and current practices.

Our network and systems folks are telling me our routers
are not reliable time servers and I'm looking at alternatives.

Well you could point them at that post and indicate that at least two
institutions, as far as I know, are still doing essentially this and
have been for years with success.

So I was wondering about things like:

- How common are internal reference clocks and stratum 1 servers
   at universities? Should they be encouraged?

They are not uncommon, but I'd bet more institutions don't have them
than do.  Encouraged?  Its not necessarily bad idea, but it depends on
goals, requirements, ability to maintain, proper design, funding, etc.
I don't think every institution needs to have their own.  On the list
of priorities I suspect its probably not that high up there for most.

- What practices are in place regarding the minimum number
   of peering with internal and external sources and MD5
   security?

See the post and reference to the NTP FAQ in particular.  I haven't
checked recently, but almost no one offers MD5 to the public in my
experience. Purdue was one of the two I found that did.

- What method of client distribution is most often used
   ( e.g. broadcast, multicast, unicast )

I like unicast personally.  I don't like multicast, because of the
inherent trust issue and uncertainty of who you might end up
getting time from.  This is particularly acute if you're connected to
the multicast-enabled Internet and 224.0.1.1 is unfiltered.

- What is being used to configure clients ( e.g. DHCP, group
   policy )

Will Windows clients understand NTP servers passed via DHCP?  I've
always just made it a manual process for general client population who
wanted to use it, since by default most OSes will use something like
time.microsoft.com or something from pool.ntp.org and that's usually
good enough for those that don't otherwise care. Most important for me
were that network devices and server-type systems getting time from
our own local and highly available sources.

- If and how you allow outside access to your NTP servers

Usually yes, but wasn't widely advertised.  Perhaps the reason not to
do this is for fear of something like that which happened to uwisc:

  <http://pages.cs.wisc.edu/~plonka/netgear-sntp/>

Unless you have a mobile clients that really want to use your servers
from outside or you want to provide the public service, its probably
not necessary for reasons mentioned above.

Keep in mind, not unlike caching in DNS, NTP as a system is relatively
resilient to minor disruptions or changes.  Clients shouldn't
completely lose time if they can't sync every minute, at worst they
might skew a bit, but for most applications this shouldn't pose a
problem you need to worry much about.

John

  By Date           By Thread  

Current thread:
  • Re: NTP servers and sources John Kristoff (Oct 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]