[189170] in North American Network Operators' Group
Re: NIST NTP servers
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Tue May 10 11:22:30 2016
X-Original-To: nanog@nanog.org
Date: Tue, 10 May 2016 08:22:19 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAKdv5965qRG_Qe=xL+=7dcZzeaU2y8xcYXfr7EAAEFnRJ7nnyw@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org
In a message written on Mon, May 09, 2016 at 11:01:23PM -0400, b f wrote:
> In search of stable, disparate stratum 1 NTP sources.
http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm
> We tried using “time.nist.gov” which returns varying round-robin addresses
> (as the link says), but Cisco IOS resolved the FQDN and embedded the
> numeric address in the “ntp server” config statement.
Depending on your hardware platform your Cisco Router is likely not
a great NTP server. IOS is not designed for hyper-accuracy.
> After letting the new server config go through a few days of update cycles,
> the drift, offset and reachability stats are not anywhere as good as what
> the stats for the Navy time server are - 192.5.41.41 / tock.usno.navy.mil.
The correct answer here is to run multiple NTP servers in your
network. And by servers I mean real servers, with good quality
oscillators on the motherboard. Then configure them to talk to
_many_ sources. You need 4 sources of time minimum to redundantly
detect false tickers. If you're serious about it then find ~10
Stratum 1 sources (ideally authenticated and from trusted entities),
one of which could be GPS as several have suggested. You'll then
have high quality false ticker rejection.
Configure all of your devices to get NTP from the servers you run
using authentication.
-- 
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/
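
Added example (not part of the original message, and not ntpd's own code): a simplified Marzullo-style interval intersection showing why four sources let a server lose one and still out-vote a false ticker, while fewer do not. The source names, offsets and root distances are constructed sample values in milliseconds.

```python
def select_truechimers(sources):
    """sources: {name: (offset_ms, root_distance_ms)}.

    Returns (truechimers, falsetickers) as sets, or None when no strict
    majority of sources agree on a common interval.
    """
    edges = []
    for offset, dist in sources.values():
        edges.append((offset - dist, -1))  # correctness interval opens
        edges.append((offset + dist, +1))  # correctness interval closes
    edges.sort()  # at equal times, opens (-1) sort before closes (+1)

    best = depth = 0
    lo = hi = None
    for i, (t, kind) in enumerate(edges):
        depth -= kind  # +1 on an open, -1 on a close
        if kind == -1 and depth > best:
            # Deepest overlap so far runs from this edge to the next one.
            best, lo, hi = depth, t, edges[i + 1][0]

    # More than half of the sources must agree, otherwise nobody can be trusted.
    if 2 * best <= len(sources):
        return None
    good = {n for n, (o, d) in sources.items() if o - d <= lo and o + d >= hi}
    return good, set(sources) - good


def without(sources, name):
    """Simulate one source becoming unreachable."""
    return {n: v for n, v in sources.items() if n != name}


# Constructed sample: three agreeing sources and one false ticker (src-d).
FOUR = {
    "src-a": (2, 10),
    "src-b": (-1, 12),
    "src-c": (4, 8),
    "src-d": (350, 10),
}

if __name__ == "__main__":
    print("4 sources:         ", select_truechimers(FOUR))
    print("4 sources, 1 lost: ", select_truechimers(without(FOUR, "src-c")))
    three = without(FOUR, "src-c")  # only 3 configured to begin with
    print("3 sources, 1 lost: ", select_truechimers(without(three, "src-b")))
```

With only two reachable sources that disagree, the function returns None: there is no majority, so the false ticker cannot be identified.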