nanog mailing list archives

Re: NIST NTP servers


From: "Majdi S. Abbas" <msa () latt net>
Date: Wed, 11 May 2016 13:42:54 -0400

On Wed, May 11, 2016 at 03:24:43PM +0000, Jay R. Ashworth wrote:
> We're all aware this project is underway, right?
> 
>   https://www.ntpsec.org/

        Despite the name, I'm not aware of any significant protocol
changes.  It's just a recent fork of the reference implementation
minus the refclocks, which isn't particularly helpful if you /don't/
trust network time sources.

        Long term, be looking at NTS:

        https://datatracker.ietf.org/doc/draft-ietf-ntp-network-time-security/

        In the meanwhile, I'd recommend something along the following
lines:

        - Several nearby upstream servers configured per time server, per site
        (As diversely as possible.)

        - Diverse reference clocks (I run everything from WWV to GPS
          here) providing authenticated time to your servers.

        - That all your time servers in all sites be configured in an
        authenticated full mesh of symmetric peers, allowing the other
        sites to provide time to a site that has lost its upstream
        servers or for whatever reason does not trust them at the moment.

        And of course, ensure any hosts whose clocks you care about are
talking to at least a few of these, and preferably several.  I know the
common case configuration is either default/ntp-pool, or "we have two
time servers in this site and everything just chimes from them," but
neither is that great of a configuration.

        --msa
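The three recommendations above (several diverse upstreams per server, a local reference clock, and an authenticated full mesh of symmetric peers between sites) translate into a handful of ntp.conf directives. The following is an added example, not code from the original post: it embeds a constructed ntp.conf that follows those recommendations, plus a deliberately weak "two servers, unauthenticated peer" variant, and a small checker that parses the file and reports whether each recommendation is met. Hostnames, key ids and addresses (documentation ranges) are hypothetical; the /24-per-upstream "diversity" count is a heuristic of this example, not something the post prescribes.

```python
"""Check an ntp.conf (reference-implementation syntax) against three rules:
several diverse upstream servers, at least one reference clock, and every
symmetric peer authenticated with a key listed in `trustedkey`."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: hostnames, addresses and key ids are hypothetical.
GOOD_CONF = """\
# Symmetric keys shared with the other sites' time servers
keys /etc/ntp/ntp.keys
trustedkey 10 11 12

# Reference clocks: GPS via NMEA (driver 20) and WWV/H audio (driver 36)
server 127.127.20.0 mode 1 minpoll 4 maxpoll 4 prefer
fudge 127.127.20.0 flag1 1 time2 0.4
server 127.127.36.0 minpoll 4 maxpoll 4

# Several diverse upstream servers for this site
server 192.0.2.10 iburst
server 198.51.100.20 iburst
server 203.0.113.30 iburst
server 192.0.2.40 iburst

# Authenticated full mesh with the time servers in the other sites
peer ntp1.site-b.example key 10
peer ntp2.site-b.example key 11
peer ntp1.site-c.example key 12
"""

# Constructed weak sample: the "two servers in this site" case, peer without a key.
WEAK_CONF = """\
server 192.0.2.10 iburst
server 192.0.2.11 iburst
peer ntp1.site-b.example
"""


@dataclass
class NtpConfig:
    upstreams: list = field(default_factory=list)   # network time sources
    refclocks: list = field(default_factory=list)   # 127.127.t.u pseudo-addresses
    peers: list = field(default_factory=list)       # (address, key id or None)
    trustedkeys: set = field(default_factory=set)


def parse_ntp_conf(text):
    """Extract server/peer/trustedkey lines; comments and other directives are ignored."""
    cfg = NtpConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cmd, *args = line.split()
        if cmd == "server" and args:
            # Reference clocks are addressed as 127.127.<driver>.<unit>
            (cfg.refclocks if args[0].startswith("127.127.") else cfg.upstreams).append(args[0])
        elif cmd == "peer" and args:
            key = None
            if "key" in args[1:]:
                idx = args.index("key", 1)
                if idx + 1 < len(args) and args[idx + 1].isdigit():
                    key = int(args[idx + 1])
            cfg.peers.append((args[0], key))
        elif cmd == "trustedkey":
            cfg.trustedkeys.update(int(a) for a in args if a.isdigit())
    return cfg


def diversity_groups(addresses):
    """Heuristic diversity measure: IPv4 literals grouped by /24, IPv6 by /48,
    hostnames counted individually."""
    groups = set()
    for a in addresses:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            groups.add(("host", a))
            continue
        plen = 24 if ip.version == 4 else 48
        groups.add(str(ipaddress.ip_network(f"{ip}/{plen}", strict=False)))
    return groups


def check_config(text, min_upstreams=3):
    """Return a findings dict; a peer counts as authenticated only if its key id
    is also listed in trustedkey, otherwise ntpd will not trust the association."""
    cfg = parse_ntp_conf(text)
    unauth = [addr for addr, key in cfg.peers
              if key is None or key not in cfg.trustedkeys]
    return {
        "upstream_count": len(cfg.upstreams),
        "upstream_groups": len(diversity_groups(cfg.upstreams)),
        "enough_upstreams": len(cfg.upstreams) >= min_upstreams,
        "has_refclock": bool(cfg.refclocks),
        "peer_count": len(cfg.peers),
        "unauthenticated_peers": unauth,
        "peers_authenticated": bool(cfg.peers) and not unauth,
    }


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, check_config(conf))
```

The key ids referenced on `peer` lines must appear in `trustedkey` and in the file named by `keys`; a peer line with a key id that is missing from either is the most common way an "authenticated" mesh silently ends up unauthenticated, which is why the checker treats that case the same as no key at all.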
