NTP question

Harlan Stenn stenn at nwtime.org
Wed May 1 22:35:54 UTC 2019

On 5/1/19 2:59 PM, Andreas Ott wrote:
> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
>> - Why do folks want to have one or more NTP server masters that have at
>> least 1 refclock on them in a data center, instead of having their data
>> center NTP server masters that only get time over the internet?
> I had that discussion before with the QSA for a compliance audit, pointing
> to requirement "10.4.3 Time settings are received from industry-accepted
> time sources" and "verify that the time server(s) accept time updates from
> specific, industry-accepted external sources (to prevent a malicious
> individual from changing the clock)" in the PCI-DSS document. He
> non-jokingly suggested "why don't you use pool.ntp.org?", not really
> realizing how many servers are in fact just someone's PC behind a cable
> modem in their home, which negated the "do I trust the time I am 
> receiving?". My immediate answer was "we could use NIST servers", 
> but the easiest way out of this is "we operate our own NTP appliance 
> with a GPS receiver" and provide that as evidence.
> Don't get me wrong, I support pool.ntp.org by operating and contributing 
> servers to it, but it is not deemed good enough if you need traceability
> of your NTP time source(s), even though the pool will only admit members
> above a certain quality threshold.

I have no immediate agenda here.  My sole purpose is to get information
about this, as I mostly work with people who a) believe accurate time is
important, and b) at least have an appreciation for how unexpectedly
difficult it is to synchronize time in a predictable and stable way
across a large population of systems in a diverse set of environments.

In my experience, people who don't fall into either of those categories
are pretty well invested in their opinions.

>> - What % of data center operators provide time servers in their data
>> centers for their tenants (or for the general public)?
> My $employer does that in our datacenters and points of presence for
> our customers.

Glad to hear it!

> -andreas

Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!

More information about the NANOG mailing list