[168922] in North American Network Operators' Group


Re: Need trusted NTP Sources

daemon@ATHENA.MIT.EDU (Chris Keladis)
Thu Feb 6 14:21:52 2014

In-Reply-To: <CACK8u8JroK3aXP3Pq=PcRvnEwzjT=jiQtJifmoKyk6D5WuRhDg@mail.gmail.com>
Date: Fri, 7 Feb 2014 06:21:35 +1100
From: Chris Keladis <ckeladis@gmail.com>
To: Notify Me <notify.sina@gmail.com>
Cc: "nanog@nanog.org list" <nanog@nanog.org>, afnog@afnog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Feb 6, 2014 at 9:03 PM, Notify Me <notify.sina@gmail.com> wrote:

> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>

Obviously "trusted" time sources are important, but at the end of the day
you have to trust someone who ultimately has the least risk (there is never
no risk) you are able to achieve.

I appreciate "least level of risk" is subjective to your auditor's opinion
(in this case) :-)

Just wanted to mention, having a good number of servers (not blindly
trusting <= 3 unique sources) adds some additional protection against
'false-tickers'.

Even "trusted" time-sources have their off-days due to a myriad of
technical reasons.

Configure multiple, relatively high stratum (taking into account how many
strata you intend to serve downstream), low-jitter/rtt, good-quality,
time-sources.

Also, risk changes over time, so vigilant monitoring is important too!


Regards,

Chris.
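
The point above about source count and false-tickers, as an added example that is not part of the original message: a simplified interval-intersection check (Marzullo's algorithm, which NTP's selection step is derived from; this is not ntpd's own code). The source names, offsets and error bounds are constructed assumptions.

```python
# Added example: interval-intersection check (Marzullo's algorithm).
# All source names, offsets and error bounds are constructed sample values.

def marzullo(intervals):
    """Return (count, lo, hi): the range covered by the most intervals."""
    edges = []
    for lo, hi in intervals:
        edges.append((lo, -1))   # interval opens
        edges.append((hi, +1))   # interval closes
    edges.sort()                 # on ties, opens sort before closes
    best = count = 0
    best_lo = best_hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, best_lo, best_hi = count, value, edges[i + 1][0]
    return best, best_lo, best_hi

def classify(sources):
    """sources maps name -> (offset_ms, error_bound_ms).

    Returns (majority, agreeing, outliers). Without a strict majority
    there is no basis for calling any source wrong, so outliers is empty.
    """
    spans = {n: (off - err, off + err) for n, (off, err) in sources.items()}
    count, lo, hi = marzullo(list(spans.values()))
    if count * 2 <= len(sources):
        return False, [], []
    agreeing = sorted(n for n, (a, b) in spans.items() if a <= lo and b >= hi)
    outliers = sorted(set(sources) - set(agreeing))
    return True, agreeing, outliers

# Constructed measurements in milliseconds: (offset, error bound).
FOUR = {"ntp-a": (1, 5), "ntp-b": (-2, 4), "ntp-c": (3, 6), "ntp-d": (480, 5)}
TWO = {"ntp-a": (1, 5), "ntp-d": (480, 5)}

if __name__ == "__main__":
    for label, srcs in (("four sources", FOUR), ("two sources", TWO)):
        majority, agreeing, outliers = classify(srcs)
        print(label, "majority:", majority, "agree:", agreeing, "outliers:", outliers)
```

With four sources the one far-off server is outvoted and flagged; with only two disagreeing sources there is no majority, so neither can be identified as the bad one.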
