NTP question

Tom Beecher beecher at beecher.cc
Thu May 2 12:59:19 UTC 2019

Passes the backhoe test, but might have an issue with the Die Hard Elevator
Shaft Fight Scene checks.


On Thu, May 2, 2019 at 07:34 william manning <chinese.apricot at gmail.com>

> for our PCI-DSS audit, the rational for at least -one- local source,
> instead of depending on pool.ntp.org, was "backhoe fade".
> it was worth the $135 for an NTP source using GPS.  the cable run up the
> elevator shaft for the antenna works without needing OSHPD permits.
> We are very happy with the result.
> /Wm
> On Wed, May 1, 2019 at 3:01 PM Andreas Ott <andreas at naund.org> wrote:
>> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
>> > - Why do folks want to have one or more NTP server masters that have at
>> > least 1 refclock on them in a data center, instead of having their data
>> > center NTP server masters that only get time over the internet?
>> I had that discussion before with the QSA for a compliance audit, pointing
>> to requirement "10.4.3 Time settings are received from industry-accepted
>> time sources" and "verify that the time server(s) accept time updates from
>> specific, industry-accepted external sources (to prevent a malicious
>> individual from changing the clock)" in the PCI-DSS document. He
>> non-jokingly suggested "why don't you use pool.ntp.org?", not really
>> realizing how many servers are in fact just someone's PC behind a cable
>> modem in their home, which negated the "do I trust the time I am
>> receiving?". My immediate answer was "we could use NIST servers",
>> but the easiest way out of this is "we operate our own NTP appliance
>> with a GPS receiver" and provide that as evidence.
>> Don't get me wrong, I support pool.ntp.org by operating and contributing
>> servers to it, but it is not deemed good enough if you need traceability
>> of your NTP time source(s), even though the pool will only admit members
>> above a certain quality threshold.
>> > - What % of data center operators provide time servers in their data
>> > centers for their tenants (or for the general public)?
>> My $employer does that in our datacenters and points of presence for
>> our customers.
>> -andreas
>> --
>> Andreas Ott   K6OTT   +1.408.431.8727   andreas at naund.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190502/e63899b2/attachment.html>

More information about the NANOG mailing list