Need trusted NTP Sources

Larry Sheldon LarrySheldon at
Mon Feb 10 01:04:39 UTC 2014

On 2/9/2014 6:42 PM, James R Cutler wrote:
> On Feb 9, 2014, at 3:50 PM, Larry Sheldon <LarrySheldon at>
> wrote:
>> On 2/9/2014 2:45 PM, Jay Ashworth wrote:
>>> Or do I understand NTP less well than I think?
>> I am of the private opinion that if your name is not "David Mill"
>> (and MAYBE if it IS) the answer is either "42" or "yes". — ...
> From
Intersection and clustering algorithms pick best true chimers and 
discard false tickers.
> You should look at this presentation and see why Larry Sheldon’s
> private opinion is spot on.
> I won’t begin to try explaining in technical detail how this works.
> The bottom line is that, within a peer group of NTP servers looking
> at a reasonably large set of NTP source servers, all kinds of
> variations in input data are reduced to a coherent local time truth.

In the 1990s I found myself administering a campus network for a 
University--the only people less prepared than I as everybody else.

A need arose to have a uniform notion of time across the campus (my 
recollection had to do with resolving who did it first squabbles as well 
as trying to solve some problems having to do with the date and time in 
emails regarding assignments due.

I stumbled across NTP somewhere and decided that was the answer,  I 
didn't know about "42" then.

Nobody I was in contact with knew any more about it that I did, so I 
spent a lot of time on eecis learning how to make it play, and how not 
to be a rude participant.
> My template for NTP service deployment for any organization is very
> simple:
> 1. Select four or more local systems and configure them as peer NTP
> servers.  In many instances one can leverage local DNS server
> machines running almost any OS — the NTP daemon runs on at least
> Windows, OS X, UNIX, Linux.  Don’t forget appropriate restrict
> commands.

I don't remember now how many boxes I had in my NTP backbone but it was 
lots--every cisco router I knew the password for (there were a lot of 
them, supporting frame-relay links to off-campus points), every HP9000 
box I had root on, maybe the two Wellfleets -- I don't remember.

They all were peers and I connected to a couple of off-network public 
stratum 1s and 2s not as peers (I had no budget for a stratum 0).

> 2. Configure ntpd on the local servers to also select as servers a
> list of 8-10 open access servers like,,
> nist-????  If you can arrange authenticated access to
> other servers, that is possibly better.

I tried, using "ping", to pick sturdy-sounding servers that were "close" 
to Omaha.

> 3.  As desired, configure ntpd on selected local servers for local
> clocks or GPS clocks.  This has little effect on accuracy, but may
> enhance reliability.  In many cases, it also requires building
> penetrations for antennas.  (Not easy for network guys.)
> 4.  Configure all local time consumers to select from the list of
> local NTP servers.  Authenticate or not as you see fit. You can even
> use DHCP to inform end systems of NTP server addresses.  The router
> folks will have to include NTP server addresses as part of each
> configuration package.

Did that.  Told machines and people to use their default gateway address 
as their NTP (or SNTP) server.

> Over the years I have successfully applied this template for NTP
> service deployments to several large networks. It just works.

It does.  It does.
Requiescas in pace o email           Two identifying characteristics
                                         of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                         learn from their mistakes.
                                           (Adapted from Stephen Pinker)

More information about the NANOG mailing list