nanog mailing list archives

Re: NTP Server


From: Sean Donelan <sean () donelan com>
Date: Mon, 25 Oct 2010 01:01:24 -0400 (EDT)

On Mon, 25 Oct 2010, Dobbins, Roland wrote:
> On Oct 25, 2010, at 3:48 AM, Matthew Petach wrote:
>> NTP can potentially be used as a DoS vector by your upstream clocks,
>> if you're not running your own.
>
> +1
>
> Also, if you experience a network partition event for any reason (DDoS attack, backhoe attack, et al.) which disrupts communications between your network and the one(s) on the Internet where the public ntp servers you're using live, the accuracy of your time-hack becomes a concern just at the moment when you need it the most for combinatorial analysis of multiple forms of telemetry.

Modern versions of NTP have a relatively long polling interval once the
clock is stable. Unless you are already using specialized timing hardware, your tolerance of the clock drift on off-the-shelf computers and routers is not going to be an immediate issue during short-term or even medium-term network problems.

Any clock source can have an indeterminate outage. Generally the longer the hold time, the more expensive the clock hardware.


> And of course, time services for your infrastructure/services/apps ought to run across your DCN, anyways, which should be kept isolated from your production network (you don't want to rely upon proxies to enable something as critical as time service, IMHO).

NTP started on Fuzzball routers.  It's very light-weight on any hardware.
There are lots of reasons not to have customers accessing your infrastructure devices. Lots of NTP queries can overload any device. Although your infrastructure devices should still have synchronized clocks with the rest of your infrastructure. If you have an enterprise network dependent on firewalls, another pin-hole through the firewall for NTP port 123 is also another opportunity for mischief.

There are lots of different ways to measure time.  But I've noticed
some people seem to create extreme Rube Goldberg contraptions.  Figure
out what precision and accuracy you really need.  Time is always just
an estimate.


