Educause Security Discussion mailing list archives
Re: NTP servers and sources
From: Michael Sinatra <michael () RANCID BERKELEY EDU>
Date: Tue, 30 Sep 2008 11:17:25 -0700
On 9/30/08 10:17 AM, Gary Flynn wrote:
> John Kristoff wrote:
>> On Mon, 29 Sep 2008 17:32:31 -0400 Gary Flynn <flynngn () JMU EDU> wrote:
>>> Is there any consensus about best practices for university time sources?
>> Perhaps this would be helpful? <https://puck.nether.net/pipermail/ednog/2005-June/000048.html>
> What I was really wondering about was whether there was any consensus or commonalities in high level design decisions and current practices. Our network and systems folks are telling me our routers are not reliable time servers and I'm looking at alternatives.
They may be concerned about aiming thousands of hosts at a router and generating lots of interrupts. Depending on your routing platform, that may be a valid concern.
> Given the price of reference clocks and pizza box servers these days, it seems like it would be *relatively* simple and cheap to implement our own time sources and stratum 1 servers. So I was wondering about things like:
> - How common are internal reference clocks and stratum 1 servers at universities? Should they be encouraged?
I vote yes. Accurate time is important not just for log synchronization, but also for network latency measurement, which is important for many of today's research applications. (For the latter, having a local reference clock is quite useful.) UC Berkeley has a 25-year-old (no kidding) Spectracom 8170 WWVB clock that is still in operation. We also have an EndRun CDMA clock, and a GPS clock left over from the Surveyor project that I use to feed some stratum-2 servers over a jury-rigged private net. We also have a Trimble Palisade GPS clock that died in a storm a few years ago, which I haven't replaced yet. The WWVB clock is not very accurate by today's standards (2-3 milliseconds drift). That's not good enough for things like network measurement, but it's fine for synchronizing workstations and logs. Both the Trimble Palisade (now called the Accutime 2000) and the EndRun Praecis Ct CDMA clocks were around $1000 several years ago. They were both a complete cinch to set up. Basically, what I am saying is that startup and support costs are not huge factors. However, a GPS clock will be more difficult to set up, since it must be placed outdoors (ideally on a roof). The EndRun Praecis Ct only needs to be placed where CDMA cell phone coverage is available. The unit is about the size of a pack of cards and connects to the computer by existing RS-232 connections. (It uses pulse-per-second over one of the RS-232 leads so as to provide more accurate time than plain RS-232 could.) The downside of a CDMA clock is that you are reliant on your local CDMA network (which, in turn, uses GPS) to get accurate time. In the 3-4 years I have been running the CDMA clock, accuracy and drift haven't been a problem. None of these are dedicated appliances, BTW, but there are a lot of good dedicated appliances out there that aren't much more expensive. It was, however, easier for us to use an old server attached to the reference clock.
(Note that newer computers with ACPI enabled can actually be less accurate as NTP servers than older hardware.)
> - How many people are using their routers as the primary NTP distribution source?
We're not. That doesn't preclude one from doing what John suggested and using old cisco gear for NTP services (without doing actual routing on the gear). For example, an old 7200 router can be a very accurate NTP server.
> - What practices are in place regarding the minimum number of peering with internal and external sources and MD5 security?
That depends on the application. Workstations and less-important servers can synch to one or two stratum-2s. Important servers should synch to a mix of local and remote (but not too far remote) stratum-1s and -2s. Keep in mind that NTP WILL NOT be accurate when the client and server are reachable over a path of asymmetric latency. Local servers are therefore much more likely to be accurate than remote. We don't use any type of authentication. I keep looking at autokey stuff, but I haven't done anything with it.
> - What method of client distribution is most often used ( e.g. broadcast, multicast, unicast )
We don't use much broadcast. We do provide multicast as a best-effort, and people do use it. We also use manycast (a multicast client/server discovery mechanism that uses unicast for the actual time synch) on some of our (central IT networking group) servers.
> - What is being used to configure clients ( e.g. DHCP, group policy )
A webpage listing the approved servers. :)
> - If and how you allow outside access to your NTP servers
Some stratum-2s are unrestricted, but our stratum-1s are generally restricted to EDUs and local clients. michael
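As an added illustration of the peering, MD5 authentication and access-restriction practices discussed in this thread, here is an ntpd configuration for a campus stratum-2 server. It is example config, not Michael's or Berkeley's actual setup; the hostnames, the 10.0.0.0/8 campus range, the multicast group and the key file contents are placeholders.

```conf
# /etc/ntp.conf for a campus stratum-2 server (example; names are placeholders)

# Default policy: serve time only. kod rate-limits abusive clients, nomodify/notrap
# block runtime reconfiguration, nopeer stops unsolicited peering, noquery blocks
# mode 6/7 control queries (including the monlist request used for amplification).
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# Campus clients may ask for time but still cannot modify or run control queries.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer

# Local stratum-1s (reference clocks on the same campus network): low, symmetric
# latency, so they are preferred. Traffic to them is MD5-authenticated with key 1.
server ntp1.example.edu iburst prefer key 1
server ntp2.example.edu iburst key 1

# Nearby external stratum-1/2s as a cross-check. With four or more sources the
# selection algorithm can outvote a single falseticker; far-away servers over
# asymmetric paths are avoided because their offset estimates are skewed.
server ntp.neighbor-a.example iburst
server ntp.neighbor-b.example iburst
server ntp.neighbor-c.example iburst

# Symmetric-key authentication. /etc/ntp/ntp.keys holds lines of the form
#   <keyid> M <secret>        (M = MD5)
# and must be readable only by the ntp user.
keys /etc/ntp/ntp.keys
trustedkey 1

# Best-effort manycast service for campus clients (administratively scoped group).
# Clients discover the server via multicast and then synchronize over unicast,
# which is what the thread describes. Authentication is required for this mode.
manycastserver 239.0.0.1

# Disable the mode 7 monitor facility outright as belt-and-braces against abuse.
disable monitor

driftfile /var/lib/ntp/drift
```

Verify the result with `ntpq -p`: the local stratum-1s should show the smallest delay and jitter, and any source flagged as a falseticker (`x` in the tally column) should be investigated rather than left in the pool.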