[158083] in North American Network Operators' Group
Re: NTP Issues Today
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue Nov 20 14:00:39 2012
Date: Tue, 20 Nov 2012 11:00:11 -0800
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <20121120163826.GA60716@ussenterprise.ufp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
After some private replies, I'm going to reply to my own post with
some information here.
It appears many people don't understand how the NTP protocol works.
I suspect many people have configured a "primary" and a "backup"
NTP server on many of their devices. It turns out this is the
_WORST_ possible configuration if you want accurate time:
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_=
5.3.3.
To protect against two falseticking servers (tick and tock, as we saw on
the 19th) you need _FIVE_ servers minimum configured if they are both in
the list. More importantly, if you want to protect against a source
(GPS, CDMA, IRIG, WWIV, ACTS, etc) false ticking, you need a minimum of
_FOUR_ different source technologies in the list as well.
It's not hard, my box that I posted the logs from peers with 18 servers
using 8 source technologies, all freely available on the Internet...
--=20
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
--TB36FDmn/VVEgNH/
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)
iQIVAwUBUKvTO7N3O8aJIdTMAQLx4Q/+MJ0yfZrhuroGLeXVGTDtIyGCpnZL1jSr
ndfoglzhdRiEcnU3FAc9vB62/hUJaHC/noBY2jjjlHftVQNR12DQ2ol19GhHoskh
4CuFZUAK+aVb5Sb+EF9BXVFx6V0yEwmR4YIx4BMIJ5VFmPYL/zotPYBvbsRfiv+X
r35v4s9Gt2ye58rL91m65124bu9gbQMO7k0BuGzEddGjHA36EcMTfZ1jfonaJA28
7BPlxvi1QTF5QB48q6HMbvc+KitEmurPvsP4s0pYmGCM63WX+27nxVgJaYk9vpvm
8EiRFtXMhCUBIaiuQNVOLR9SGF1A3IwYocd84aDjBvL5wPHSAKMuTh8ve2/DTLCh
bFytihGRWDitwN/COROVVKrxLii/zKukSaKjxExbB7IIsH8BKbPuusjnPkO+y7uj
80suLYDgDTL+24GdvhdeauCHvqKdiXOrcIuERlKCmxmmKwxxwcAQOOqBHzNwSEno
p90YiwksMSPUNZZBbj6bS2GQ62G22gXFEfetxBHTzQfsdH9tU/RYUmm/z2Pwb0lI
dDhaNkTm+nJeeM3nZemol8bVAhndYgjQAtrya73/22XsS+bGcYJHhYknvccYT7UO
D+Nc2aSL6RMLirnfWRtvlULrQysU8QFiRT2c9tuMX4MGn5LyVp+Klb7cCuwTgBjw
dgdLz4QU3uQ=
=W3GQ
-----END PGP SIGNATURE-----
--TB36FDmn/VVEgNH/--
