Home page logo
/

nanog logo nanog mailing list archives

Re: Need trusted NTP Sources
From: James R Cutler <james.cutler () consultant com>
Date: Sun, 9 Feb 2014 19:42:31 -0500

On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon () cox net> wrote:

On 2/9/2014 2:45 PM, Jay Ashworth wrote:

Or do I understand NTP less well than I think?

I am of the private opinion that if your name is not "David Mill" (and MAYBE if it IS) the answer is either "42" or 
"yes".
— ...

From http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf
Intersection and clustering algorithms pick best true chimers and discard false tickers.
You should look at this presentation and see why Larry Sheldon’s private opinion is spot on.

I won’t begin to try explaining in technical detail how this works.  The bottom line is that, within a peer group of 
NTP servers looking at a reasonably large set of NTP source servers, all kinds of variations in input data are reduced 
to a coherent local time truth.

My template for NTP service deployment for any organization is very simple:

1. Select four or more local systems and configure them as peer NTP servers.  In many instances one can leverage local 
DNS server machines running almost any OS — the NTP daemon runs on at least Windows, OS X, UNIX, Linux.  Don’t forget 
appropriate restrict commands.

2. Configure ntpd on the local servers to also select as servers a list of 8-10 open access servers like pool.ntp.org, 
usno.navy.mil, nist-????-ustiming.org.  If you can arrange authenticated access to other servers, that is possibly 
better.

3.  As desired, configure ntpd on selected local servers for local clocks or GPS clocks.  This has little effect on 
accuracy, but may enhance reliability.  In many cases, it also requires building penetrations for antennas.  (Not easy 
for network guys.) 

4.  Configure all local time consumers to select from the list of local NTP servers.  Authenticate or not as you see 
fit. You can even use DHCP to inform end systems of NTP server addresses.  The router folks will have to include NTP 
server addresses as part of each configuration package.

Over the years I have successfully applied this template for NTP service deployments to several large networks. It just 
works.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]