On 12/4/2014 12:13 PM, Miroslav Lichvar wrote:
On Thu, Dec 04, 2014 at 10:46:17AM -0500, brian utterback wrote:
I remain unconvinced. I believe that it takes three correct servers to
outvote a single falseticker, meaning that if you want to be safe
against one of your servers becoming a falseticker and still being
accepted as the system server by a client, the client needs at least
four servers.
Four (or any larger number) of servers still doesn't guarantee the
source selection algorithm will mark one bad source as a falseticker.
There was a very similar discussion about this few years ago,
including an example:
http://lists.ntp.org/pipermail/questions/2011-January/028313.html
Now imagine that the falseticker has a similar overlap with T1, but on
the interval T1off-T1disp to T1off. That interval does not include the
real time, so F is indeed a falseticker. So, we have a completely
symmetric situation, with T1 and F "voting" for an interval that does
not include the real time and T1 and T2 "voting" for an interval that
does include the real time. By what mechanism are we to presume that the
client will choose the interval that includes the real time?
The intersection interval determined in the source selection algorithm
will be equal to the interval of T1 and all three servers will pass as
truechimers. Adding a third good server may not be enough to change
the result.
I think we are in violent agreement. The point I am trying to make is
that for a long time we recommended four servers then started saying
that three was enough but four is better. I think that we should stick
with recommending four, at least if you actually care about the time on
your systems.
Brian Utterback
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
