<div><div dir="auto">Passes the backhoe test, but might have an issue with the Die Hard Elevator Shaft Fight Scene checks. </div></div><div dir="auto"><br></div><div dir="auto">:)</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 2, 2019 at 07:34 william manning <<a href="mailto:chinese.apricot@gmail.com">chinese.apricot@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">for our PCI-DSS audit, the rational for at least -one- local source, instead of depending on <a href="http://pool.ntp.org" target="_blank">pool.ntp.org</a>, was "backhoe fade".<div>it was worth the $135 for an NTP source using GPS. the cable run up the elevator shaft for the antenna works without needing OSHPD permits.</div><div><br></div><div>We are very happy with the result.</div></div><div dir="ltr"><div><br></div><div>/Wm</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 1, 2019 at 3:01 PM Andreas Ott <<a href="mailto:andreas@naund.org" target="_blank">andreas@naund.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:<br>
> - Why do folks want to have one or more NTP server masters that have at<br>
> least 1 refclock on them in a data center, instead of having their data<br>
> center NTP server masters that only get time over the internet?<br>
<br>
I had that discussion before with the QSA for a compliance audit, pointing<br>
to requirement "10.4.3 Time settings are received from industry-accepted<br>
time sources" and "verify that the time server(s) accept time updates from<br>
specific, industry-accepted external sources (to prevent a malicious<br>
individual from changing the clock)" in the PCI-DSS document. He<br>
non-jokingly suggested "why don't you use <a href="http://pool.ntp.org" rel="noreferrer" target="_blank">pool.ntp.org</a>?", not really<br>
realizing how many servers are in fact just someone's PC behind a cable<br>
modem in their home, which negated the "do I trust the time I am <br>
receiving?". My immediate answer was "we could use NIST servers", <br>
but the easiest way out of this is "we operate our own NTP appliance <br>
with a GPS receiver" and provide that as evidence.<br>
<br>
Don't get me wrong, I support <a href="http://pool.ntp.org" rel="noreferrer" target="_blank">pool.ntp.org</a> by operating and contributing <br>
servers to it, but it is not deemed good enough if you need traceability<br>
of your NTP time source(s), even though the pool will only admit members<br>
above a certain quality threshold.<br>
<br>
<br>
> - What % of data center operators provide time servers in their data<br>
> centers for their tenants (or for the general public)?<br>
<br>
My $employer does that in our datacenters and points of presence for<br>
our customers.<br>
<br>
-andreas<br>
-- <br>
Andreas Ott K6OTT +1.408.431.8727 <a href="mailto:andreas@naund.org" target="_blank">andreas@naund.org</a><br>
</blockquote></div>
</blockquote></div></div>