nanog mailing list archives
Re: Need trusted NTP Sources
From: James R Cutler <james.cutler () consultant com>
Date: Sun, 9 Feb 2014 19:42:31 -0500
On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon () cox net> wrote:
> On 2/9/2014 2:45 PM, Jay Ashworth wrote:
>> Or do I understand NTP less well than I think?
> I am of the private opinion that if your name is not "David Mill" (and MAYBE if it IS) the answer is either "42" or "yes".
> — ...
From http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf
Intersection and clustering algorithms pick best true chimers and discard false tickers.
You should look at this presentation and see why Larry Sheldon’s private opinion is spot on. I won’t begin to try explaining in technical detail how this works. The bottom line is that, within a peer group of NTP servers looking at a reasonably large set of NTP source servers, all kinds of variations in input data are reduced to a coherent local time truth.

My template for NTP service deployment for any organization is very simple:

1. Select four or more local systems and configure them as peer NTP servers. In many instances one can leverage local DNS server machines running almost any OS — the NTP daemon runs on at least Windows, OS X, UNIX, Linux. Don’t forget appropriate restrict commands.
2. Configure ntpd on the local servers to also select as servers a list of 8-10 open access servers like pool.ntp.org, usno.navy.mil, nist-????-ustiming.org. If you can arrange authenticated access to other servers, that is possibly better.
3. As desired, configure ntpd on selected local servers for local clocks or GPS clocks. This has little effect on accuracy, but may enhance reliability. In many cases, it also requires building penetrations for antennas. (Not easy for network guys.)
4. Configure all local time consumers to select from the list of local NTP servers. Authenticate or not as you see fit. You can even use DHCP to inform end systems of NTP server addresses. The router folks will have to include NTP server addresses as part of each configuration package.

Over the years I have successfully applied this template for NTP service deployments to several large networks. It just works.
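An added illustration, not part of the original message and not ntpd's own code: a simplified Marzullo-style interval intersection, the algorithm from which NTP's intersection step is derived, showing how a majority of agreeing sources out-votes a falseticker and why two sources alone cannot. The source names and offsets are constructed sample values, and ntpd's real selection adds clustering and further filtering on top of this.

```python
from typing import NamedTuple, Optional


class Source(NamedTuple):
    name: str        # hypothetical server label
    offset_ms: int   # measured offset from the local clock
    error_ms: int    # error bound around that offset


def marzullo(sources):
    """Return (count, lo, hi): the interval lying inside the most source intervals."""
    edges = []
    for s in sources:
        edges.append((s.offset_ms - s.error_ms, -1))  # interval opens
        edges.append((s.offset_ms + s.error_ms, +1))  # interval closes
    edges.sort()  # at equal values an open (-1) sorts before a close (+1)
    best = count = 0
    lo = hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind  # +1 on open, -1 on close
        if count > best:  # only reachable on an open edge, so edges[i + 1] exists
            best, lo, hi = count, value, edges[i + 1][0]
    return best, lo, hi


def classify(sources) -> Optional[dict]:
    """Split sources into truechimers and falsetickers, or None without a majority."""
    best, lo, hi = marzullo(sources)
    if best * 2 <= len(sources):
        return None  # no strict majority agrees, so nothing can be trusted
    true = [s.name for s in sources
            if s.offset_ms - s.error_ms <= lo and hi <= s.offset_ms + s.error_ms]
    false = [s.name for s in sources if s.name not in true]
    return {"truechimers": true, "falsetickers": false, "interval_ms": (lo, hi)}


# Constructed sample: three sources roughly agree, one is 2.5 seconds off.
SAMPLE = [
    Source("ntp-a", 12, 10),
    Source("ntp-b", 8, 12),
    Source("ntp-c", 15, 8),
    Source("ntp-d", 2500, 10),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify([SAMPLE[0], SAMPLE[3]]))  # two disagreeing sources: None
```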