Re: Need trusted NTP Sources
From: Larry Sheldon <LarrySheldon () cox net>
Date: Sun, 09 Feb 2014 19:04:39 -0600

On 2/9/2014 6:42 PM, James R Cutler wrote:
On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon () cox net>
wrote:

On 2/9/2014 2:45 PM, Jay Ashworth wrote:

Or do I understand NTP less well than I think?

I am of the private opinion that if your name is not "David Mills"
(and MAYBE if it IS) the answer is either "42" or "yes". — ...

From
http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf


Intersection and clustering algorithms pick best true chimers and discard false tickers.
You should look at this presentation and see why Larry Sheldon’s
private opinion is spot on.

I won’t begin to try explaining in technical detail how this works.
The bottom line is that, within a peer group of NTP servers looking
at a reasonably large set of NTP source servers, all kinds of
variations in input data are reduced to a coherent local time truth.

In the 1990s I found myself administering a campus network for a University--the only people less prepared than I was everybody else.

A need arose to have a uniform notion of time across the campus (my recollection had to do with resolving who-did-it-first squabbles as well as trying to solve some problems having to do with the date and time in emails regarding assignments due).

I stumbled across NTP somewhere and decided that was the answer; I didn't know about "42" then.

Nobody I was in contact with knew any more about it than I did, so I spent a lot of time on eecis learning how to make it play, and how not to be a rude participant.

My template for NTP service deployment for any organization is very
simple:

1. Select four or more local systems and configure them as peer NTP
servers.  In many instances one can leverage local DNS server
machines running almost any OS — the NTP daemon runs on at least
Windows, OS X, UNIX, Linux.  Don’t forget appropriate restrict
commands.

I don't remember now how many boxes I had in my NTP backbone but it was lots--every Cisco router I knew the password for (there were a lot of them, supporting frame-relay links to off-campus points), every HP9000 box I had root on, maybe the two Wellfleets -- I don't remember.

They all were peers and I connected to a couple of off-network public stratum 1s and 2s not as peers (I had no budget for a stratum 0).

2. Configure ntpd on the local servers to also select as servers a
list of 8-10 open access servers like pool.ntp.org, usno.navy.mil,
nist-????-ustiming.org.  If you can arrange authenticated access to
other servers, that is possibly better.

I tried, using "ping", to pick sturdy-sounding servers that were "close" to Omaha.

3.  As desired, configure ntpd on selected local servers for local
clocks or GPS clocks.  This has little effect on accuracy, but may
enhance reliability.  In many cases, it also requires building
penetrations for antennas.  (Not easy for network guys.)

4.  Configure all local time consumers to select from the list of
local NTP servers.  Authenticate or not as you see fit. You can even
use DHCP to inform end systems of NTP server addresses.  The router
folks will have to include NTP server addresses as part of each
configuration package.

Did that. Told machines and people to use their default gateway address as their NTP (or SNTP) server.

Over the years I have successfully applied this template for NTP
service deployments to several large networks. It just works.

It does.  It does.
--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)
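The four-step template quoted in the message above, rendered as ntpd configuration fragments. This is an added example, not James Cutler's or Larry Sheldon's configuration and not taken from the NTP project; every address, key number and key string in it is a placeholder invented for illustration (the 10.0.1.x peer group, the contents of ntp.keys), and only the pool.ntp.org names are real hosts. The restrict lines are the part the template calls "appropriate restrict commands": noquery refuses mode 6/7 control queries (ntpq and ntpdc, including the monlist request that was being abused for amplification at the time of this thread), nomodify refuses runtime reconfiguration, nopeer refuses unsolicited symmetric associations, and kod together with limited rate-limits abusive clients. The named peers get restrict lines without those flags so the peer group can actually form.

```conf
# ---- /etc/ntp.conf on each of the four (or more) campus time servers ----
# All names, addresses and keys below are placeholders for this example.
driftfile /var/lib/ntp/ntp.drift

# Symmetric-key authentication for the peer group and for clients that want it.
# /etc/ntp/ntp.keys holds lines of the form "1 MD5 ReplaceWithRandomKey";
# "ntp-keygen -M" writes such a file.  ntpd 4.2.8 also accepts SHA1 keys.
keys /etc/ntp/ntp.keys
trustedkey 1

# Step 1, plus the restrict commands: strangers get time and nothing else.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# The other members of the peer group get full access (no flags) so that
# symmetric peering and authenticated control from them work.
restrict 10.0.1.11
restrict 10.0.1.12
restrict 10.0.1.13
peer 10.0.1.11 key 1
peer 10.0.1.12 key 1
peer 10.0.1.13 key 1

# Step 2: 8-10 outside servers spread across operators, unauthenticated.
# The pool names are real; choose the remainder as the template suggests.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Step 3, on ONE designated server only: a fallback so the peer group keeps
# serving if every upstream disappears.  The local-clock driver disciplines
# nothing and should never appear on more than one host; "tos orphan 10" is
# the newer alternative that avoids presenting a fake reference clock.
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# ---- /etc/ntp.conf on a campus time consumer (step 4) ----
# restrict default kod limited nomodify notrap nopeer noquery
# restrict 127.0.0.1
# keys /etc/ntp/ntp.keys
# trustedkey 1
# server 10.0.1.10 key 1 iburst
# server 10.0.1.11 key 1 iburst
# server 10.0.1.12 key 1 iburst

# ---- ISC dhcpd, if you hand out the server list by DHCP (option 42) ----
# option ntp-servers 10.0.1.10, 10.0.1.11, 10.0.1.12;
```

After starting ntpd, "ntpq -pn" on a server should show the peers and upstreams reaching (reach 377) and one of them marked with "*" as the system peer; from any host outside the restrict exceptions the same query should be refused, which is the check that the restrict lines took effect.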


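James Cutler's quoted summary of the Mills overview ("intersection and clustering algorithms pick best true chimers and discard false tickers") is the reason the template wants many diverse sources. The following is an added example, not code from the thread or from the NTP project: a small Python implementation of the selection algorithm of RFC 5905 section 11.2.1 (the "chime list" sweep over each source's interval offset plus or minus root distance), followed by the inverse-root-distance weighted combine from section 11.3, run over constructed sample offsets. The sample data and the rule that a source survives when its interval overlaps the intersection interval are this example's choices, not a claim about any particular ntpd release.

```python
"""NTP selection (intersection) algorithm, RFC 5905 sec. 11.2.1, over
constructed sample data.  Added example; not code from the original thread."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    offset: float     # measured offset of this source vs. the local clock, seconds
    root_dist: float  # root distance: bound on the error of that offset, seconds

    @property
    def low(self) -> float:
        return self.offset - self.root_dist

    @property
    def high(self) -> float:
        return self.offset + self.root_dist


def intersection_interval(sources):
    """Find the [low, high] shared by at least n - allow of the n source
    intervals, trying allow = 0, 1, ... while 2 * allow < n.  Returns None when
    no majority of the sources agree, i.e. too many falsetickers."""
    n = len(sources)
    # Chime list: each source contributes its lower edge (-1), midpoint (0) and
    # upper edge (+1).  Sorting by edge lets one sweep count how many intervals
    # cover any point on the line.
    edges = []
    for s in sources:
        edges += [(s.low, -1), (s.offset, 0), (s.high, +1)]
    edges.sort()
    for allow in range((n + 1) // 2):          # 2 * allow < n
        found = 0                              # midpoints outside the interval
        low = high = None
        chime = 0
        for edge, kind in edges:               # sweep upward for the low end
            chime -= kind                      # entering an interval adds 1
            if chime >= n - allow:
                low = edge
                break
            if kind == 0:
                found += 1
        chime = 0
        for edge, kind in reversed(edges):     # sweep downward for the high end
            chime += kind
            if chime >= n - allow:
                high = edge
                break
            if kind == 0:
                found += 1
        if found > allow:                      # more outliers than allowed for
            continue
        if low is not None and high is not None and high > low:
            return low, high
    return None


def select_sources(sources):
    """Split sources into (truechimers, falsetickers, interval).  A source
    survives when its interval overlaps the intersection interval; this is the
    example's choice (RFC 5905's pseudo-code tests the midpoint instead)."""
    interval = intersection_interval(sources)
    if interval is None:
        return [], list(sources), None
    low, high = interval
    true_ = [s for s in sources if s.high >= low and s.low <= high]
    false_ = [s for s in sources if s not in true_]
    return true_, false_, interval


def combine(survivors):
    """RFC 5905 sec. 11.3 clock_combine: survivor offsets averaged with weight
    1 / root_dist, so tighter sources count for more."""
    wsum = sum(1.0 / s.root_dist for s in survivors)
    return sum(s.offset / s.root_dist for s in survivors) / wsum


# Constructed sample: four honest sources within a few ms of each other and
# one (E) that is 850 ms off, e.g. a broken or spoofed server.
SAMPLE = [
    Source("A", 0.002, 0.005),
    Source("B", -0.001, 0.004),
    Source("C", 0.001, 0.006),
    Source("D", 0.000, 0.003),
    Source("E", 0.850, 0.010),
]

if __name__ == "__main__":
    true_, false_, interval = select_sources(SAMPLE)
    print("intersection :", interval)
    print("truechimers  :", [s.name for s in true_])
    print("falsetickers :", [s.name for s in false_])
    print("combined offset: %.6f s" % combine(true_))
```

With the sample above the algorithm needs allow = 1 before four of the five intervals share a point, returns roughly [-0.003, 0.003], keeps A through D and discards E. With only three sources that disagree pairwise it returns None, which is the practical reason the template asks for four or more peers and 8-10 upstreams: with two sources there is no majority to decide which one is lying.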