Re: Need trusted NTP Sources
From: Larry Sheldon <LarrySheldon () cox net>
Date: Sun, 09 Feb 2014 19:04:39 -0600
On 2/9/2014 6:42 PM, James R Cutler wrote:
> Intersection and clustering algorithms pick best true chimers and
> discard false tickers.
>
> On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon () cox net>
>
> > On 2/9/2014 2:45 PM, Jay Ashworth wrote:
> >
> > > Or do I understand NTP less well than I think?
> >
> > I am of the private opinion that if your name is not "David Mills"
> > (and MAYBE if it IS) the answer is either "42" or "yes". — ...
>
> You should look at this presentation and see why Larry Sheldon’s
> private opinion is spot on.
>
> I won’t begin to try explaining in technical detail how this works.
> The bottom line is that, within a peer group of NTP servers looking
> at a reasonably large set of NTP source servers, all kinds of
> variations in input data are reduced to a coherent local time truth.
In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I was everybody else.
A need arose to have a uniform notion of time across the campus (my
recollection had to do with resolving who-did-it-first squabbles as well
as trying to solve some problems having to do with the date and time in
emails regarding assignments due).
I stumbled across NTP somewhere and decided that was the answer; I
didn't know about "42" then.
Nobody I was in contact with knew any more about it than I did, so I
spent a lot of time on eecis learning how to make it play, and how not
to be a rude participant.
> My template for NTP service deployment for any organization is very
>
> 1. Select four or more local systems and configure them as peer NTP
> servers. In many instances one can leverage local DNS server
> machines running almost any OS — the NTP daemon runs on at least
> Windows, OS X, UNIX, Linux. Don’t forget appropriate restrict
I don't remember now how many boxes I had in my NTP backbone but it was
lots--every cisco router I knew the password for (there were a lot of
them, supporting frame-relay links to off-campus points), every HP9000
box I had root on, maybe the two Wellfleets -- I don't remember.
They all were peers and I connected to a couple of off-network public
stratum 1s and 2s not as peers (I had no budget for a stratum 0).
> 2. Configure ntpd on the local servers to also select as servers a
> list of 8-10 open access servers like pool.ntp.org, usno.navy.mil,
> nist-????-ustiming.org. If you can arrange authenticated access to
> other servers, that is possibly better.
I tried, using "ping", to pick sturdy-sounding servers that were "close"
> 3. As desired, configure ntpd on selected local servers for local
> clocks or GPS clocks. This has little effect on accuracy, but may
> enhance reliability. In many cases, it also requires building
> penetrations for antennas. (Not easy for network guys.)
>
> 4. Configure all local time consumers to select from the list of
> local NTP servers. Authenticate or not as you see fit. You can even
> use DHCP to inform end systems of NTP server addresses. The router
> folks will have to include NTP server addresses as part of each
Did that. Told machines and people to use their default gateway address
as their NTP (or SNTP) server.
> Over the years I have successfully applied this template for NTP
> service deployments to several large networks. It just works.
It does. It does.
Requiescas in pace o email
Ex turpi causa non oritur actio

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.
(Adapted from Stephen Pinker)
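The "intersection algorithm" James mentions above, as an added illustration that is not part of this thread and not ntpd's own code: a simplified Python version of the RFC 5905 selection step, run over constructed offset/root-distance samples (the server names and microsecond values are made up), showing why four or more sources let the majority discard a falseticker while two sources cannot outvote each other.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample, not real servers: name -> (offset_us, root_distance_us).
# Three sources agree within a few ms; two are far off (falsetickers).
SAMPLE: Dict[str, Tuple[int, int]] = {
    "peer-a": (2_000, 10_000),
    "peer-b": (-1_000, 8_000),
    "peer-c": (4_000, 12_000),
    "bad-d": (3_000_000, 10_000),
    "bad-e": (-2_500_000, 20_000),
}

def intersection_interval(cands: Dict[str, Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    """Smallest [low, high] holding the offsets of at least n - f sources for the
    smallest f < n/2 (simplified RFC 5905 intersection); None if no majority."""
    n = len(cands)
    edges: List[Tuple[int, int]] = []
    for off, dist in cands.values():
        # Each source claims true time lies within [off - dist, off + dist].
        edges += [(off - dist, -1), (off, 0), (off + dist, +1)]
    edges.sort()
    for allow in range(n):  # allow = number of falsetickers tolerated
        if 2 * allow >= n:  # stop once a majority could no longer agree
            break
        need = n - allow
        chime, low = 0, None
        for value, kind in edges:  # ascending scan for the lower edge
            chime -= kind
            if chime >= need:
                low = value
                break
        chime, high = 0, None
        for value, kind in reversed(edges):  # descending scan for the upper edge
            chime += kind
            if chime >= need:
                high = value
                break
        if low is None or high is None or low > high:
            continue
        outside = sum(1 for off, _ in cands.values() if not low <= off <= high)
        if outside <= allow:  # offsets outside the interval are the falsetickers
            return low, high
    return None

def select_truechimers(cands: Dict[str, Tuple[int, int]]) -> List[str]:
    """Names of the sources whose offset lies inside the intersection interval."""
    interval = intersection_interval(cands)
    return [] if interval is None else [
        name for name, (off, _) in cands.items() if interval[0] <= off <= interval[1]]
```

ntpd follows this with a clustering pass and root-distance weighting, which this sketch leaves out.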