[168879] in North American Network Operators' Group
Re: Need trusted NTP Sources
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Thu Feb 6 07:09:46 2014
X-Envelope-To: nanog@nanog.org
Date: Thu, 06 Feb 2014 12:09:24 +0000
From: Nick Hilliard <nick@foobar.org>
To: Notify Me <notify.sina@gmail.com>
In-Reply-To: <CACK8u8JZFq9Gkg7T-MF2yyWPeY8CeWKTATfacvBHyFrnw9DTiw@mail.gmail.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 06/02/2014 11:46, Notify Me wrote:
> We're a redhat shop, and we use redhat auth which by default uses redhat
> NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.

PCI DSS states:

> 10.4.3 Time settings are received from industry-accepted time sources.

The default RHEL time servers are defined as X.rhel.ntp.org. Many people
would consider ntp.org as industry-accepted, and there are several PCI DSS
auditing companies out there who explicitly recommend using pool.ntp.org
for this purpose.

If that's not good enough, the PCI DSS standards explicitly state in the
NTP interpretation section:

> More information on NTP can be found at www.ntp.org, including
> information about time, time standards, and servers.

So, if PCI themselves view ntp.org as being authoritative about NTP, I can't
see any reason why the time servers they publish wouldn't pass an audit.

Nick
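An added example, not part of Nick's message or of any Red Hat tooling: a small audit helper that parses the source directives of an ntpd/chronyd-style configuration file and reports any configured time source that is not under ntp.org. The approval rule (only ntp.org and its subdomains) and the sample configuration text are assumptions constructed for the example; the suffix match is done on ".ntp.org" so that a look-alike domain such as "evilntp.org" is not accepted.

```python
"""Audit helper: list NTP sources in an ntp.conf/chrony.conf-style file that
are not under an approved domain. Added example, not code from the NANOG
thread; the sample configuration below is constructed."""
from typing import List, Tuple

# Directives that name a time source in ntpd and chronyd configuration files.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}

# Assumption for this example: the auditor accepts ntp.org and its subdomains only.
APPROVED_DOMAIN = "ntp.org"


def parse_sources(config_text: str) -> List[Tuple[str, str]]:
    """Return (directive, host) pairs for every source line, ignoring comments
    and directives such as 'restrict' or 'driftfile' that name no source."""
    sources = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in SOURCE_DIRECTIVES and len(parts) > 1:
            sources.append((directive, parts[1].lower()))
    return sources


def is_approved(host: str) -> bool:
    """Approved if the host is the approved domain itself or a subdomain of it.
    Matching on the dotted suffix rejects look-alikes like 'evilntp.org'."""
    return host == APPROVED_DOMAIN or host.endswith("." + APPROVED_DOMAIN)


def unapproved_sources(config_text: str) -> List[str]:
    """Hosts configured as time sources that fall outside the approved domain."""
    return [host for _, host in parse_sources(config_text) if not is_approved(host)]


# Constructed sample resembling a RHEL ntp.conf; 192.0.2.10 is a documentation
# address standing in for an internal appliance that is not under ntp.org.
SAMPLE_CONFIG = """
# constructed sample configuration
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
pool 2.pool.ntp.org iburst
server 192.0.2.10          # constructed: internal appliance
"""

if __name__ == "__main__":
    offenders = unapproved_sources(SAMPLE_CONFIG)
    for host in offenders:
        print(f"time source not under {APPROVED_DOMAIN}: {host}")
    print("all sources approved" if not offenders else f"{len(offenders)} unapproved")
```

Run it against the real file (`/etc/ntp.conf` or `/etc/chrony.conf`) by reading that text into `unapproved_sources`; an empty result is the evidence an auditor asking about 10.4.3 would want to see for a host that relies on the ntp.org pool.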