NTP question

william manning chinese.apricot at gmail.com
Thu May 2 11:32:36 UTC 2019

for our PCI-DSS audit, the rationale for at least -one- local source,
instead of depending on pool.ntp.org, was "backhoe fade".
it was worth the $135 for an NTP source using GPS.  the cable run up the
elevator shaft for the antenna works without needing OSHPD permits.

We are very happy with the result.


On Wed, May 1, 2019 at 3:01 PM Andreas Ott <andreas at naund.org> wrote:

> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> > - Why do folks want to have one or more NTP server masters that have at
> > least 1 refclock on them in a data center, instead of having their data
> > center NTP server masters that only get time over the internet?
> I had that discussion before with the QSA for a compliance audit, pointing
> to requirement "10.4.3 Time settings are received from industry-accepted
> time sources" and "verify that the time server(s) accept time updates from
> specific, industry-accepted external sources (to prevent a malicious
> individual from changing the clock)" in the PCI-DSS document. He
> non-jokingly suggested "why don't you use pool.ntp.org?", not really
> realizing how many servers are in fact just someone's PC behind a cable
> modem in their home, which negated the "do I trust the time I am
> receiving?". My immediate answer was "we could use NIST servers",
> but the easiest way out of this is "we operate our own NTP appliance
> with a GPS receiver" and provide that as evidence.
> Don't get me wrong, I support pool.ntp.org by operating and contributing
> servers to it, but it is not deemed good enough if you need traceability
> of your NTP time source(s), even though the pool will only admit members
> above a certain quality threshold.
> > - What % of data center operators provide time servers in their data
> > centers for their tenants (or for the general public)?
> My $employer does that in our datacenters and points of presence for
> our customers.
> -andreas
> --
> Andreas Ott   K6OTT   +1.408.431.8727   andreas at naund.org