[169022] in North American Network Operators' Group
Re: Need trusted NTP Sources
daemon@ATHENA.MIT.EDU (James R Cutler)
Sun Feb 9 19:43:17 2014
From: James R Cutler <james.cutler@consultant.com>
Date: Sun, 9 Feb 2014 19:42:31 -0500
To: North American Network Operators' Group <nanog@nanog.org>
In-Reply-To: <52F7EA22.5080805@cox.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon@cox.net> wrote:
> On 2/9/2014 2:45 PM, Jay Ashworth wrote:
>
>> Or do I understand NTP less well than I think?
>
> I am of the private opinion that if your name is not "David Mills" (and MAYBE if it IS) the answer is either "42" or "yes".
> — ...

From http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf

> Intersection and clustering algorithms pick best true chimers and discard false tickers.

You should look at this presentation and see why Larry Sheldon's private opinion is spot on.

I won't begin to try explaining in technical detail how this works. The bottom line is that, within a peer group of NTP servers looking at a reasonably large set of NTP source servers, all kinds of variations in input data are reduced to a coherent local time truth.

My template for NTP service deployment for any organization is very simple:

1. Select four or more local systems and configure them as peer NTP servers. In many instances one can leverage local DNS server machines running almost any OS — the NTP daemon runs on at least Windows, OS X, UNIX, Linux. Don't forget appropriate restrict commands.

2. Configure ntpd on the local servers to also select as servers a list of 8-10 open access servers like pool.ntp.org, usno.navy.mil, nist-????-ustiming.org. If you can arrange authenticated access to other servers, that is possibly better.

3. As desired, configure ntpd on selected local servers for local clocks or GPS clocks. This has little effect on accuracy, but may enhance reliability. In many cases, it also requires building penetrations for antennas. (Not easy for network guys.)

4. Configure all local time consumers to select from the list of local NTP servers. Authenticate or not as you see fit. You can even use DHCP to inform end systems of NTP server addresses. The router folks will have to include NTP server addresses as part of each configuration package.

Over the years I have successfully applied this template for NTP service deployments to several large networks. It just works.
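Steps 1, 2 and 4 of the template above, written out as a small generator for the ntp.conf of one member of the local peer group. This is an added example, not part of the original message and not any poster's actual configuration. It assumes ntpd 4.2.x configuration syntax (restrict, peer, server, keys/trustedkey); the peer and upstream host names, the 10.0.0.0/8 client subnet, the key file path and key id 1 are constructed placeholders. Step 3 (reference clocks) is left out. The two check functions exist so that the emitted file can be inspected for the two things the message stresses: enough sources for the intersection/clustering algorithms to work with, and a default restrict line that refuses modification and status queries from everyone who is not explicitly allowed.

```shell
#!/bin/sh
# Added example: emit an ntp.conf for one member of a local NTP peer group.
# All host names, the client subnet and the key id are constructed placeholders.

# gen_ntp_conf PEERS UPSTREAMS CLIENT_NET CLIENT_MASK [KEYID]
#   PEERS       space-separated other members of the local peer group (step 1)
#   UPSTREAMS   space-separated open-access upstream servers (step 2)
#   CLIENT_NET CLIENT_MASK  subnet of local time consumers allowed to sync (step 4)
#   KEYID       optional symmetric key id; when given, peer associations are
#               authenticated with it (assumed key file: /etc/ntp/ntp.keys)
gen_ntp_conf() {
    peers=$1
    upstreams=$2
    client_net=$3
    client_mask=$4
    keyid=${5:-}

    printf 'driftfile /var/lib/ntp/ntp.drift\n'
    printf '\n# Default policy: serve time only. kod rate-limits abusive clients,\n'
    printf '# nomodify/notrap/noquery block runtime reconfiguration, traps and\n'
    printf '# status queries (ntpq/ntpdc); nopeer refuses unsolicited associations.\n'
    printf 'restrict default kod nomodify notrap nopeer noquery\n'
    printf 'restrict -6 default kod nomodify notrap nopeer noquery\n'
    printf 'restrict 127.0.0.1\n'
    printf 'restrict -6 ::1\n'
    printf '\n# Local time consumers: may sync and query status, may not modify.\n'
    printf 'restrict %s mask %s nomodify notrap\n' "$client_net" "$client_mask"

    if [ -n "$keyid" ]; then
        printf '\n# Symmetric-key authentication for the peer group (assumed key file).\n'
        printf 'keys /etc/ntp/ntp.keys\n'
        printf 'trustedkey %s\n' "$keyid"
    fi

    printf '\n# Step 1: the other members of the local peer group.\n'
    for p in $peers; do
        if [ -n "$keyid" ]; then
            printf 'peer %s key %s iburst\n' "$p" "$keyid"
        else
            printf 'peer %s iburst\n' "$p"
        fi
    done

    printf '\n# Step 2: open-access upstream servers.\n'
    for s in $upstreams; do
        printf 'server %s iburst\n' "$s"
    done
}

# count_sources: number of server/peer associations in a config read on stdin.
count_sources() {
    grep -c -E '^(server|peer) '
}

# default_is_hardened: succeed only if the default restriction denies both
# modification and status queries.
default_is_hardened() {
    grep -E '^restrict default .*nomodify' | grep -q noquery
}

# Example invocation with constructed host names; prints the config.
gen_ntp_conf "ntp2.example.net ntp3.example.net ntp4.example.net" \
    "0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" \
    10.0.0.0 255.0.0.0 1
```

Run the same generator on every member of the peer group with that member removed from PEERS; the time consumers of step 4 then get only the four local names, by DHCP option 42 or in the router configuration package, never the upstream list.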