andreas at naund.org
Wed May 1 21:59:39 UTC 2019
On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> - Why do folks want to have one or more NTP server masters that have at
> least 1 refclock on them in a data center, instead of having their data
> center NTP server masters that only get time over the internet?
I had that discussion before with the QSA for a compliance audit, pointing
to requirement "10.4.3 Time settings are received from industry-accepted
time sources" and "verify that the time server(s) accept time updates from
specific, industry-accepted external sources (to prevent a malicious
individual from changing the clock)" in the PCI-DSS document. He
non-jokingly suggested "why don't you use pool.ntp.org?", not really
realizing how many servers are in fact just someone's PC behind a cable
modem in their home, which negated the "do I trust the time I am
receiving?". My immediate answer was "we could use NIST servers",
but the easiest way out of this is "we operate our own NTP appliance
with a GPS receiver" and provide that as evidence.
Don't get me wrong, I support pool.ntp.org by operating and contributing
servers to it, but it is not deemed good enough if you need traceability
of your NTP time source(s), even though the pool will only admit members
above a certain quality threshold.
> - What % of data center operators provide time servers in their data
> centers for their tenants (or for the general public)?
My $employer does that in our datacenters and points of presence for
Andreas Ott K6OTT +1.408.431.8727 andreas at naund.org
More information about the NANOG