Need trusted NTP Sources

James R Cutler james.cutler at consultant.com
Mon Feb 10 00:42:31 UTC 2014


On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon at cox.net> wrote:

> On 2/9/2014 2:45 PM, Jay Ashworth wrote:
> 
>> Or do I understand NTP less well than I think?
> 
> I am of the private opinion that if your name is not "David Mill" (and MAYBE if it IS) the answer is either "42" or "yes".
> — ...

From http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf
> Intersection and clustering algorithms pick best true chimers and discard false tickers.
You should look at this presentation and see why Larry Sheldon’s private opinion is spot on.

I won’t begin to try explaining in technical detail how this works.  The bottom line is that, within a peer group of NTP servers looking at a reasonably large set of NTP source servers, all kinds of variations in input data are reduced to a coherent local time truth.

My template for NTP service deployment for any organization is very simple:

1. Select four or more local systems and configure them as peer NTP servers.  In many instances one can leverage local DNS server machines running almost any OS — the NTP daemon runs on at least Windows, OS X, UNIX, Linux.  Don’t forget appropriate restrict commands.

2. Configure ntpd on the local servers to also select as servers a list of 8-10 open access servers like pool.ntp.org, usno.navy.mil, nist-????-ustiming.org.  If you can arrange authenticated access to other servers, that is possibly better.

3.  As desired, configure ntpd on selected local servers for local clocks or GPS clocks.  This has little effect on accuracy, but may enhance reliability.  In many cases, it also requires building penetrations for antennas.  (Not easy for network guys.) 

4.  Configure all local time consumers to select from the list of local NTP servers.  Authenticate or not as you see fit. You can even use DHCP to inform end systems of NTP server addresses.  The router folks will have to include NTP server addresses as part of each configuration package.

Over the years I have successfully applied this template for NTP service deployments to several large networks. It just works.
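An ntp.conf for one member of the local peer group, put together here as an added illustration of steps 1, 2 and 4 (it is not from the original message; every host name, key id and the 192.0.2.0/24 client range are placeholders):

```conf
# /etc/ntp.conf on ntp1.example.net, one of four local peer servers.
# Host names, key ids and the 192.0.2.0/24 client range are placeholders
# to be replaced with the organisation's own values.

driftfile /var/lib/ntp/ntp.drift

# "Appropriate restrict commands" (step 1): by default serve time only.
# noquery  - no ntpq/ntpdc status queries from outside hosts (this is also
#            what closes the monlist amplification surface)
# nomodify - no runtime reconfiguration over the wire
# nopeer   - an unsolicited, unauthenticated host cannot become a peer
# notrap   - no trap service
# kod      - answer rate-limit violators with Kiss-o'-Death packets
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# Local time consumers (step 4) may ask for time but nothing else.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Symmetric-key authentication for the peer group and for any upstream
# that offers it. /etc/ntp.keys holds lines of the form: <id> <type> <secret>
keys /etc/ntp.keys
trustedkey 1 2

# Step 1: the other three members of the local peer group, authenticated.
peer ntp2.example.net key 1 iburst
peer ntp3.example.net key 1 iburst
peer ntp4.example.net key 1 iburst

# Step 2: a broad set of open-access sources; the intersection and
# clustering algorithms discard any falseticker among them.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
server tick.usno.navy.mil iburst
server tock.usno.navy.mil iburst
server time.nist.gov iburst
# An authenticated upstream, if one can be arranged (placeholder host).
server upstream.example.org key 2 iburst

# Do not set the clock unless at least three survivors agree, so a single
# wrong or tampered source cannot steer the group on its own.
tos minsane 3

# Step 3 (optional): instead of a local clock driver, orphan mode keeps the
# peer group on a coherent local time if every upstream is lost.
tos orphan 10
```

Check the result with `ntpq -p`: sources the intersection algorithm rejected are flagged `x` (falseticker), and the `*`/`+` entries are the survivors actually steering the clock.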