RE: Windows Time Synchronization - Best Practices

["Gary E. Miller" <gem () rellim com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo David!

On Thu, 21 Oct 2004, Cushing, David wrote:

> > In my experience NTP will work a lot better for
> > you than Windows Time server.
>
> Windows time service uses SNTP.

SNTP is RFC 2030, It says:

   "SNTP can be used when the ultimate performance of the full
   NTP implementation described in RFC-1305 is not needed or justified."

So right off the bat you know you are sacrificing something.  Why settle
for less than the best when the best is free?

RFC 2030 Continues:

   "It is strongly recommended that SNTP be used only at the extremities
   of the synchronization subnet. SNTP clients should operate only at
   the leaves (highest stratum) of the subnet and ..."

   "The full degree of reliability ordinarily expected of primary servers
   is possible only using the redundant sources, diverse subnet paths
   and crafted algorithms of a full NTP implementation. "

Seems to me that rules out using it to connect to the stratum 1 in
Seattle, WA from Brazil.

> > The protocol is robust and you are not dependent on the
> > single point of failure called: time.microsoft.com.
>
> Never heard of time.microsoft.com being down or incorrect.

Me neither, but it has been unreachable.  Since the original requestor
was from Brazil I would think that reachability would be an issue
for him.  Last time I was monitoring reachability to Brazil there
were often outages and bottlenecks to there from the US.

> You can use 'net time' or regedit to change it.
>
> http://www.microsoft.com/windows2000/docs/wintimeserv.doc

Yeah, but you are still stuck with only ONE server, you are stuck with
SNTP and you have almost no way to tell if the time daemon is doing the
right thing.

With NTP you can designate a local master that gets it's time from a
diverse set of sources.  It is easy to verify and monitor it's proper
functioning.  Then you can redistribute it to your local hosts.

Contrary to what some may believe, accurate time is very important to
security.

One time keys, like S/Key, depend on accurate time for their functioning.

Any stronge encryption scheme, like IPSec, needs a good clock at both
ends to default antireplay attacks

When debugging a major system crash, involving many routers, switches,
hosts, etc. it is important to have well synced clocks to determine
first failure.

Stick exchanges require members to use accurate clocks to help prevent
fraud.

Etc...

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBeC5w8KZibdeR3qURAjDhAJ9kue1cKLMrcVykpL4P03XyCnuB+ACbBL4b
mNs+1jkUA470nRGx6ZXPGGA=
=9SAK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html