[168898] in North American Network Operators' Group


Re: Need trusted NTP Sources

daemon@ATHENA.MIT.EDU (Chris Adams)
Thu Feb 6 09:35:18 2014

Date: Thu, 6 Feb 2014 08:35:03 -0600
From: Chris Adams <cma@cmadams.net>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <52F3675E.9080609@foobar.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Once upon a time, Nick Hilliard <nick@foobar.org> said:
> So presuming that your company is using RH or Fedora or CentOS something,
> the auditors are claiming that Red Hat, Inc is trusted enough to provide a
> precompiled based operating system with no feasible means of proving its
> reliability, but that they're not trustworthy enough to provide a clock
> synchronisation service?

Red Hat does not provide an NTP service themselves.  The default NTP
config on a Red Hat Enterprise Linux system uses rhel.pool.ntp.org.

I suppose some auditor could dislike the "openness" of pool.ntp.org
(basically anybody can join).  If that is the case, your best bet is to
do some combination of the following:

- As others have suggested, set up your own stratum-1 clock (can be done
  for around $100).  Ideally you'd set up more than one.

- Set up several servers with a static set of NTP servers rather than
  the general pool servers.  See the lists on www.pool.ntp.org; look
  under the docs for setting up a server to join the pool.  You don't
  have to actually join the pool, but following those docs is a good way
  to set up a stable server.

After that, point the rest of your servers at your "master" servers,
rather than the public pool.

-- 
Chris Adams <cma@cmadams.net>
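As an added illustration (not from Chris Adams's message, and not any vendor's stock file), the shape of the two ntp.conf files the scheme above implies: a handful of internal "master" servers with a hand-picked static upstream set and tight restrict lines, and every other host pointed only at those masters. All hostnames and the 10.0.0.0/8 network are placeholders; the upstream addresses would be the ones chosen from the lists on www.pool.ntp.org.

```conf
# --- /etc/ntp.conf on each internal "master" server (placeholder names) ---
driftfile /var/lib/ntp/drift

# Static upstream sources chosen by hand, ideally from different operators,
# instead of the rotating pool names the stock RHEL file uses
# (e.g. "server 0.rhel.pool.ntp.org iburst").
server ntp1.upstream-a.example iburst
server ntp2.upstream-b.example iburst
server ntp3.upstream-c.example iburst
server ntp4.upstream-d.example iburst

# A locally built stratum-1 receiver, if one exists (assumed: GPS via the
# NMEA refclock driver, address 127.127.20.u); "prefer" favours it.
# server 127.127.20.0 minpoll 4 prefer

# Masters peer with each other so they keep agreeing if an upstream goes away.
peer master2.internal.example
peer master3.internal.example

# Default: anyone may ask the time, nobody may query status or change config.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# The internal network may sync (and the other masters may peer: no "nopeer"),
# still with no control access.
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap

# --- /etc/ntp.conf on every other host ---
driftfile /var/lib/ntp/drift
# Three masters, so a single bad source is outvoted by the other two.
server master1.internal.example iburst
server master2.internal.example iburst
server master3.internal.example iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

After a few polls, `ntpq -p` on a client should show the three masters, one marked `*` as the selected source and the others `+` as candidates; an `x` or `-` against one of them is the disagreement check this layout exists to make visible.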

