Educause Security Discussion mailing list archives

Re: NTP servers and sources


From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Tue, 30 Sep 2008 11:17:25 -0700

On 9/30/08 10:17 AM, Gary Flynn wrote:
> John Kristoff wrote:
>> On Mon, 29 Sep 2008 17:32:31 -0400
>> Gary Flynn <flynngn () JMU EDU> wrote:
>>
>>> Is there any consensus about best practices for university
>>> time sources?
>>
>> Perhaps this would be helpful?
>>
>>   <https://puck.nether.net/pipermail/ednog/2005-June/000048.html>
>
>
> What I was really wondering about was whether there was any
> consensus or commonalities in high level design decisions
> and current practices.
>
> Our network and systems folks are telling me our routers
> are not reliable time servers and I'm looking at alternatives.

They may be concerned about aiming thousands of hosts at a router and
generating lots of interrupts.  Depending on your routing platform, that
may be a valid concern.

> Given the price of reference clocks and pizza box servers
> these days, it seems like it would be *relatively* simple and
> cheap to implement our own time sources and stratum 1 servers.
>
> So I was wondering about things like:
>
> - How common are internal reference clocks and stratum 1 servers
>   at universities? Should they be encouraged?

I vote yes.  Accurate time is important not just for log
synchronization, but also for network latency measurement, which is
important for many of today's research applications.  (For the latter,
having a local reference clock is quite useful.)

UC Berkeley has a 25-year-old (no kidding) Spectracom 8170 WWVB clock
that is still in operation.  We also have an EndRun CDMA clock, and a
GPS clock left over from the Surveyor project that I use to feed some
stratum-2 servers over a jury-rigged private net.  We also have a
Trimble Palisade GPS clock that died in a storm a few years ago, which I
haven't replaced yet.

The WWVB clock is not very accurate by today's standards (2-3
milliseconds drift).  That's not good enough for things like network
measurement, but it's fine for synchronizing workstations and logs.

Both the Trimble Palisade (now called the Accutime 2000) and the EndRun
Praecis Ct CDMA clocks were around $1000 several years ago.  They were
both a complete cinch to set up.  Basically, what I am saying is that
startup and support costs are not huge factors.  However, a GPS clock
will be more difficult to set up, since it must be placed outdoors
(ideally on a roof).  The EndRun Praecis Ct only needs to be placed
where CDMA cell phone coverage is available.  The unit is about the size
of a pack of cards and connects to the computer by existing RS-232
connections.  (It uses pulse-per-second over one of the RS-232 leads so
as to provide more accurate time than plain RS-232 could.)

The downside of a CDMA clock is that you are reliant on your local CDMA
network (which, in turn, uses GPS) to get accurate time.  In the 3-4
years I have been running the CDMA clock, accuracy and drift haven't
been a problem.

None of these are dedicated appliances, BTW, but there are a lot of good
dedicated appliances out there that aren't much more expensive.  It was,
however, easier for us to use an old server attached to the reference
clock.  (Note that newer computers with ACPI enabled can actually be
less accurate as NTP servers than older hardware.)

> - How many people are using their routers as the primary NTP
>   distribution source?

We're not.  That doesn't preclude one from doing what John suggested and
using old cisco gear for NTP services (without doing actual routing on
the gear).  For example, an old 7200 router can be a very accurate NTP
server.

> - What practices are in place regarding the minimum number
>   of peering with internal and external sources and MD5
>   security?

That depends on the application.  Workstations and less-important
servers can synch to one or two stratum-2s.  Important servers should
synch to a mix of local and remote (but not too far remote) stratum-1s
and -2s.  Keep in mind that NTP WILL NOT be accurate when the client and
server are reachable over a path of asymmetric latency.  Local servers
are therefore much more likely to be accurate than remote.

We don't use any type of authentication.  I keep looking at autokey
stuff, but I haven't done anything with it.

> - What method of client distribution is most often used
>   (e.g. broadcast, multicast, unicast)

We don't use much broadcast.  We do provide multicast as a best-effort,
and people do use it.  We also use manycast (a multicast client/server
discovery mechanism that uses unicast for the actual time synch) on some
of our (central IT networking group) servers.

> - What is being used to configure clients (e.g. DHCP, group
>   policy)

A webpage listing the approved servers. :)

> - If and how you allow outside access to your NTP servers

Some stratum-2s are unrestricted, but our stratum-1s are generally
restricted to EDUs and local clients.

michael
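The arithmetic behind Michael's point that NTP cannot be accurate across a path with asymmetric latency, and his preference for nearby servers, as an added example that is not part of the original thread. It simulates the four NTP timestamps of a client/server exchange (the offset and delay formulas are those of RFC 5905), shows that the estimated offset is biased by half the difference between the forward and return one-way delays, and ranks candidate servers by round-trip delay, which bounds that error. The names `Exchange`, `simulate_exchange`, `offset_and_delay` and `rank_by_delay` and all delay values are constructed for this illustration; nothing here talks to a real server.

```python
"""Why asymmetric latency biases an NTP client, in numbers.

Constructed illustration: it builds NTP timestamps for synthetic paths
rather than querying real servers, so it runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    """The four timestamps of one NTP request/reply, in seconds.

    t1/t4 are read from the client's clock, t2/t3 from the server's.
    """
    t1: float  # origin: client sends the request
    t2: float  # receive: server receives the request
    t3: float  # transmit: server sends the reply
    t4: float  # destination: client receives the reply


def offset_and_delay(x: Exchange) -> tuple[float, float]:
    """Standard NTP estimate of (server - client) offset and round-trip delay."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)
    return offset, delay


def simulate_exchange(true_offset: float, fwd_delay: float, ret_delay: float,
                      server_hold: float = 0.0005, t1: float = 1000.0) -> Exchange:
    """Produce the timestamps a client would see over a path with the given
    one-way delays.  true_offset is the real (server clock - client clock)."""
    t2 = t1 + fwd_delay + true_offset      # server's clock when request arrives
    t3 = t2 + server_hold                  # server spends a little time replying
    t4 = t3 - true_offset + ret_delay      # back on the client's clock
    return Exchange(t1, t2, t3, t4)


def asymmetry_error(fwd_delay: float, ret_delay: float) -> float:
    """The offset error NTP cannot see: half the one-way delay difference."""
    return (fwd_delay - ret_delay) / 2.0


def rank_by_delay(samples: dict[str, Exchange]) -> list[tuple[str, float, float]]:
    """Order candidate servers by measured round-trip delay (lowest first).

    The offset error from any unknown asymmetry is at most delay / 2, so a
    low-delay (typically local) server gives the tightest bound on accuracy.
    """
    ranked = []
    for name, x in samples.items():
        off, dly = offset_and_delay(x)
        ranked.append((name, off, dly))
    return sorted(ranked, key=lambda r: r[2])


def main() -> None:
    # Synthetic server set: a LAN stratum-1, a regional stratum-2 and a
    # distant server whose inbound and outbound paths differ by 20 ms.
    samples = {
        "local-stratum1": simulate_exchange(0.010, 0.001, 0.001),
        "regional-stratum2": simulate_exchange(0.010, 0.008, 0.008),
        "far-asymmetric": simulate_exchange(0.010, 0.030, 0.010),
    }
    print(f"{'server':<20}{'offset':>10}{'delay':>10}{'max err':>10}")
    for name, off, dly in rank_by_delay(samples):
        print(f"{name:<20}{off:>10.4f}{dly:>10.4f}{dly / 2:>10.4f}")


if __name__ == "__main__":
    main()
```

All three synthetic servers have the same true offset of 10 ms, but the asymmetric path reports 20 ms: the extra 10 ms is exactly `asymmetry_error(0.030, 0.010)`, and no amount of polling removes it, which is why a local reference on a symmetric path beats a distant one even when both are stratum-1.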