[131456] in North American Network Operators' Group
Re: NTP Server
daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Sun Oct 24 22:12:17 2010
From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Mon, 25 Oct 2010 02:09:59 +0000
In-Reply-To: <AANLkTimo848abt7W06EAcCuSgVUHZ4dCqCH3oDV5L4dU@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Oct 25, 2010, at 3:48 AM, Matthew Petach wrote:
> NTP can potentially be used as a DoS vector by your upstream clocks, if you're not running your own.
+1
Also, if you experience a network partition event for any reason (DDoS attack, backhoe attack, et al.) which disrupts communications between your network and the one(s) on the Internet where the public ntp servers you're using live, the accuracy of your time-hack becomes a concern just at the moment when you need it the most for combinatorial analysis of multiple forms of telemetry.
And of course, time services for your infrastructure/services/apps ought to run across your DCN, anyways, which should be kept isolated from your production network (you don't want to rely upon proxies to enable something as critical as time service, IMHO).
As Sean pointed out, all your routers from modern vendors are ntp-capable, and getting a couple of radio cards for servers to sync with WWVB isn't very expensive, assuming you can plug into an aerial which gets good reception:
<http://www.nist.gov/pml/div688/grp40/wwvb.cfm>
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Sell your computer and buy a guitar.
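As an added example (not part of Roland's message or anything else posted to the thread), the following Python script shows what the partition case above looks like on the wire: it builds and decodes NTPv4 packets, computes the clock offset and round-trip delay per RFC 5905, and refuses an upstream whose reply says it has lost its own reference (leap indicator 3, stratum 16, root distance beyond MAXDIST, stale reference timestamp) or is sending a kiss-o'-death. The three sample replies are constructed in the script rather than captured, and the "WWVB" reference identifier, the T1..T4 timestamps and the MAX_REF_AGE threshold are assumptions chosen for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
NTP_HEADER = struct.Struct("!BBbbIIIQQQQ")   # 48-byte NTPv4 header, big-endian
MAXDIST = 1.0                                # RFC 5905 root-distance threshold (seconds)
MAX_REF_AGE = 4096.0                         # assumption: 4x the longest poll interval


def to_ntp_ts(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs, frac = divmod(unix_seconds, 1)
    return ((int(secs) + NTP_EPOCH_DELTA) << 32) | int(frac * (1 << 32))


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=4, mode=3; only the transmit timestamp (T1) is set."""
    first = (0 << 6) | (4 << 3) | 3
    return NTP_HEADER.pack(first, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp_ts(t1))


def build_server_reply(li, stratum, ref_id, ref_time, t1, t2, t3,
                       root_delay=0.0, root_disp=0.0):
    """Constructed mode-4 server reply, used only to fabricate the samples below."""
    first = (li << 6) | (4 << 3) | 4
    return NTP_HEADER.pack(first, stratum, 6, -20,
                           int(root_delay * 65536), int(root_disp * 65536),
                           int.from_bytes(ref_id, "big"),
                           to_ntp_ts(ref_time), to_ntp_ts(t1),
                           to_ntp_ts(t2), to_ntp_ts(t3))


def parse_reply(pkt):
    """Decode the 48-byte header into a dict with timestamps as Unix seconds."""
    if len(pkt) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    (first, stratum, _poll, _precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, tx_ts) = NTP_HEADER.unpack_from(pkt)
    return {
        "li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum,
        "root_delay": root_delay / 65536.0,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
        "ref_id": ref_id.to_bytes(4, "big"),       # ASCII code at stratum 0/1
        "ref_time": from_ntp_ts(ref_ts),
        "t1": from_ntp_ts(orig_ts), "t2": from_ntp_ts(recv_ts),
        "t3": from_ntp_ts(tx_ts),
    }


def offset_and_delay(reply, t4):
    """RFC 5905 section 8: clock offset and round-trip delay, in seconds."""
    offset = ((reply["t2"] - reply["t1"]) + (reply["t3"] - t4)) / 2
    delay = (t4 - reply["t1"]) - (reply["t3"] - reply["t2"])
    return offset, delay


def evaluate_source(reply, now):
    """Return (usable, reason): reject replies from an upstream that has lost
    its reference, or that is telling this client to go away."""
    if reply["mode"] != 4:
        return False, "not a server reply (mode %d)" % reply["mode"]
    if reply["li"] == 3:
        return False, "LI=3: server clock unsynchronized"
    if reply["stratum"] == 0:
        # Kiss-o'-death: the refid carries an ASCII kiss code such as RATE or DENY
        code = reply["ref_id"].decode("ascii", "replace")
        return False, "kiss-o'-death %s: stop polling this server" % code
    if reply["stratum"] > 15:
        return False, "stratum %d: unsynchronized" % reply["stratum"]
    root_dist = reply["root_delay"] / 2 + reply["root_dispersion"]
    if root_dist > MAXDIST:
        return False, "root distance %.3fs exceeds MAXDIST" % root_dist
    age = now - reply["ref_time"]
    if age > MAX_REF_AGE:
        return False, "reference clock last updated %.0fs ago" % age
    return True, "ok"


# Constructed sample exchange (not captured traffic): the client sent at T1 and
# received the reply at T4; the server stamped T2 (receive) and T3 (transmit).
T1, T2, T3, T4 = 1000000000.0, 1000000000.6, 1000000000.7, 1000000000.3

# Healthy stratum-1 server disciplined by a WWVB receiver (refid "WWVB").
HEALTHY_REPLY = build_server_reply(0, 1, b"WWVB", T2 - 10, T1, T2, T3, root_disp=0.001)
# The same server after a partition cut it off from its reference: LI=3,
# stratum 16, dispersion grown large, reference timestamp a day old.
PARTITIONED_REPLY = build_server_reply(3, 16, b"\0\0\0\0", T2 - 86400, T1, T2, T3,
                                       root_disp=16.0)
# Kiss-o'-death: stratum 0 with kiss code RATE, the server asking us to back off.
KOD_REPLY = build_server_reply(0, 0, b"RATE", T2, T1, T2, T3)


def demo():
    """Run the three samples through the checks and return the verdicts."""
    results = {}
    for name, pkt in (("healthy", HEALTHY_REPLY), ("partitioned", PARTITIONED_REPLY),
                      ("kod", KOD_REPLY)):
        reply = parse_reply(pkt)
        usable, reason = evaluate_source(reply, T4)
        offset, delay = offset_and_delay(reply, T4)
        results[name] = (usable, reason, round(offset, 6), round(delay, 6))
        print("%-11s usable=%-5s offset=%+.3fs delay=%.3fs  %s"
              % (name, usable, offset, delay, reason))
    return results


if __name__ == "__main__":
    demo()
```

Run with python3: the healthy reply yields a +0.5 s offset over a 0.2 s round trip, while the partitioned and kiss-o'-death replies are rejected before their offsets could be applied. ntpd and chronyd perform these checks internally; the value of the script is seeing what an upstream that has lost its reference looks like on the wire, which is the state your public servers would be in (from your point of view) during the partition described above.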