NIST NTP servers

Majdi S. Abbas msa at latt.net
Wed May 11 17:42:54 UTC 2016


On Wed, May 11, 2016 at 03:24:43PM +0000, Jay R. Ashworth wrote:
> We're all aware this project is underway, right?
> 
>   https://www.ntpsec.org/

	Despite the name, I'm not aware of any significant protocol
changes.  It's just a recent fork of the reference implementation
minus the refclocks, which isn't particularly helpful if you /don't/
trust network time sources.

	Long term, be looking at NTS:

	https://datatracker.ietf.org/doc/draft-ietf-ntp-network-time-security/

	In the meanwhile, I'd recommend something along the following
lines:

	- Several nearby upstream servers configured per time server, per site
	(As diversely as possible.)

	- Diverse reference clocks (I run everything from WWV to GPS
	  here.) providing authenticated time to your servers.

	- That all your time servers in all sites be configured in an
	authenticated full mesh of symmetric peers, allowing the other
	sites to provide time to a site that has lost its upstream
	servers or for whatever reason does not trust them at the moment.

	And of course, ensure any hosts whose clocks you care about are
talking to at least a few of these, and preferably several.  I know the
common case configuration is either default/ntp-pool, or "we have two
time servers in this site and everything just chimes from them," but
neither is that great of a configuration.

	--msa


More information about the NANOG mailing list