Re: Who is security-research.org ?

2024-03-24 Thread Ask Bjørn Hansen via NANOG
It’s not me and I don’t know about the specific project, but I think I can 
introduce you off-list (I know them as helpful-to-the-internet people).


Ask

> On Mar 24, 2024, at 11:34, John Levine  wrote:
> 
> I noticed them in my DNS logs, trying to do AXFRs of random zones I host.
> The probes are coming from Hetzner, a low-cost German hosting provider with
> a history of tolerating dodgy customer behavior.
> 
> Their website, which is hosted at Vultr, airily assures us it's nothing
> personal, they scan everyone to make the Internet better, just filter us,
> but if you insist, you can send objections to n...@m-d.net.
> 
> Any idea who they are?  I expect it's more likely that they're
> self-important than evil. But still, sigh.
> 
> R's,
> John



Re: TFTP over anycast

2024-02-23 Thread Ask Bjørn Hansen


> On Feb 23, 2024, at 20:32, William Herrin  wrote:
> 
>> The relay server `dhcplb` could, maybe, help in that scenario
>> (dhcplb runs on the anycast IP, the “real” DHCP servers on
>> unicast IPs behind dhcplb).
> 
> Although they used the word "anycast", they're just load balancing.

The idea is to run the relays on an anycasted IP (so the load balancer / relay 
IP is anycasted).

> [….] Relying on ECMP for anycasted DHCP would be a disaster
> during any sort of failure. Add or remove a single route from an ECMP
> set and the hashed path selection changes for most of the connections.


Consistent hashing (which I thought was widely supported now in ECMP 
implementations) and a bit of automation in how announcements are added can 
greatly mitigate this.



Ask
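
The ECMP point in the exchange above, as an added example that is not part of the original posts: it withdraws one of four next hops and counts how many flows change path under plain modulo-N hashing versus rendezvous hashing, used here as one consistent-hashing scheme (router implementations differ). The next-hop names, addresses and flow strings are constructed for the example.

```python
import hashlib
import random

# Constructed sample data: four anycast relay next hops, one later withdrawn.
NEXT_HOPS = ["relay-a", "relay-b", "relay-c", "relay-d"]
AFTER_WITHDRAW = ["relay-a", "relay-c", "relay-d"]


def flow_hash(*parts):
    """Stable 64-bit hash of a flow key (and optionally a next-hop name)."""
    data = "|".join(parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def modulo_pick(flow, next_hops):
    """Classic ECMP: hash the flow, index into the current next-hop list."""
    return next_hops[flow_hash(flow) % len(next_hops)]


def rendezvous_pick(flow, next_hops):
    """Rendezvous (highest-random-weight) hashing: score every next hop for
    this flow and take the best one. Withdrawing a hop only affects flows
    whose best score was on that hop."""
    return max(next_hops, key=lambda hop: flow_hash(flow, hop))


def make_flows(count, seed=1):
    """Constructed relayed-DHCP style flow keys (source address varies)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(count):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                               rng.randrange(1, 255))
        flows.append("%s:67->192.0.2.67:67/udp" % src)
    return flows


def remap_stats(pick, flows, before, after):
    """Return (moved, collateral) as fractions of all flows.

    moved      = flows whose next hop changed at all
    collateral = flows that moved although their old hop is still announced
    """
    withdrawn = set(before) - set(after)
    moved = collateral = 0
    for flow in flows:
        old, new = pick(flow, before), pick(flow, after)
        if old != new:
            moved += 1
            if old not in withdrawn:
                collateral += 1
    return moved / len(flows), collateral / len(flows)


if __name__ == "__main__":
    flows = make_flows(20000)
    for name, pick in (("modulo-N", modulo_pick),
                       ("rendezvous", rendezvous_pick)):
        moved, collateral = remap_stats(pick, flows, NEXT_HOPS, AFTER_WITHDRAW)
        print("%-10s moved=%.1f%% collateral=%.1f%%"
              % (name, moved * 100, collateral * 100))
```

With modulo-N roughly three quarters of the flows land on a different relay after the withdrawal; with rendezvous hashing only the flows that were on the withdrawn relay move.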

Re: TFTP over anycast

2024-02-23 Thread Ask Bjørn Hansen

> On Feb 22, 2024, at 12:52, Thomas Mieslinger  wrote:
> 
> It becomes tricky for DHCP if a location has the same cost to more than
> one anycast Node. For this case we have setup a DHCP nodes in two
> datacenters using different local-preferences to simulate a failover
> active/passive setup.

The relay server `dhcplb` could, maybe, help in that scenario (dhcplb runs on 
the anycast IP, the “real” DHCP servers on unicast IPs behind dhcplb).

https://github.com/facebookincubator/dhcplb



Ask

Re: Google Speed Test

2023-01-03 Thread Ask Bjørn Hansen


> On Jan 3, 2023, at 08:24, Mike Hammett  wrote:
> 
> I think this is why Netflix came out with fast.com, but 
> AFAIK, they're the only ones that have their own tool using their own 
> infrastructure.

macOS has a built-in “networkQuality” command line tool (`man networkQuality` 
or https://support.apple.com/kb/HT212313 ). (iOS and iPadOS have a similar tool 
if a “WiFi Performance Diagnostics” profile has been installed).

See also https://datatracker.ietf.org/doc/draft-ietf-ippm-responsiveness/

$ networkQuality
 SUMMARY 
Uplink capacity: 1.029 Gbps
Downlink capacity: 2.132 Gbps
Uplink Responsiveness: High (7199 RPM)
Downlink Responsiveness: Medium (450 RPM)
Idle Latency: 12.042 milliseconds


Ask

Re: "Permanent" DST

2022-03-16 Thread Ask Bjørn Hansen
This is a weirdly long thread, mostly unrelated to NANOG, it seems.

The work for how this will be implemented in most of our computers happens on 
the TZ list by thoughtful people with lots and lots of experience on the 
subject: https://mm.icann.org/pipermail/tz/

I believe the last change in the US was more than a decade ago, but time zone 
data changes somewhere in the world on a very very regular basis.


Ask

Re: New minimum speed for US broadband connections

2021-05-28 Thread Ask Bjørn Hansen


> On May 28, 2021, at 15:41, Mike Lyon  wrote:
> 
> So, we up the minimum to 100 Mbps just because some areas are lucky enough to 
> have fiber?


Fiber gets deployed to certain geographic areas because they’re lucky? This is 
definitely news to me! Next the telecom industry will be regulated as a game of 
chance?

If only society had mechanisms to push societally beneficial developments so 
it wouldn’t all just be a matter of luck!


Ask



Re: Half Fibre Pair

2021-01-26 Thread Ask Bjørn Hansen


> On Jan 26, 2021, at 12:51, Rod Beck  wrote:
> 
> Can someone explain to me what is a half fibre pair? I took it literally to 
> mean a single fibre strand but someone insisted it was a large quantity of 
> spectrum. Please illuminate. On or off list as you please. 

Depending on the context it could be a single fibre strand for use with 
bi-directional transceivers.

I am guessing it’s not commonly used though, just based on nobody suggesting 
this.


Ask



Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

2021-01-05 Thread Ask Bjørn Hansen
>> On Jan 3, 2021, at 13:57, Michael Thomas  wrote:
>> 
>>> I just sent some mail to the myshakes folks at UCB asking if they have an 
>>> architecture/network document. In their case for earthquakes it needs to be 
>>> less than ~10 seconds so they are really pushing the limit. If they get 
>>> back to me, I'll share it here.
>> The two platforms they support have APIs and infrastructure to make it work 
>> at large scale.
> 
> Do you know where to find docs on it? I'd be curious because clearly this is 
> a hard problem.

For iOS: 
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server
For Android, I think this is the similar system: 
https://firebase.google.com/docs/cloud-messaging/


Ask

Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

2021-01-03 Thread Ask Bjørn Hansen
On Jan 3, 2021, at 13:57, Michael Thomas  wrote:

> I just sent some mail to the myshakes folks at UCB asking if they have an 
> architecture/network document. In their case for earthquakes it needs to be 
> less than ~10 seconds so they are really pushing the limit. If they get back 
> to me, I'll share it here.

The two platforms they support have APIs and infrastructure to make it work at 
large scale.

Piggybacking this sort of thing on another connection is trading some 
connection overhead for a whole lot of application complexity. This being nanog 
it’s unsurprising that the discussion is focusing on the connection and 
protocol bits, but those are a tiny part of the overall complexity (for the 
client, too). 


Ask

Internet services in Antarctica

2020-01-20 Thread Ask Bjørn Hansen
Hi,

I have a hobby project running DNS service to people looking for NTP public 
servers. I noticed that the DNS servers apparently get ~5 thousand queries per 
day from IPs that the GeoIP database we use claims are in Antarctica. It’s 
less than 0.0001% of the overall DNS queries, but it made me curious what it’d 
take to make the service work better there.

I imagine the internet service is fragmented between the various stations with 
each being best connected to a particular country? Does anyone have contacts 
there that I could talk to?  I imagine (some of?) the stations would have a 
local NTP service as part of their compute facilities.


Ask



Re: NTP question

2019-05-01 Thread Ask Bjørn Hansen



> On May 1, 2019, at 16:53, Mel Beckman  wrote:
> 
> It’s hard to consider messing with signal converters and pricey 
> remotely-powered active antennas when you can solve the problem for $300. :)

As I said, it really depends on your requirements and expectations. :-)

For my “normal” use cases there hasn’t been room for a lot of stuff between 
“well run NTP server with networked time source” and “server with fancy clocks 
and frequency input”.

Though, on the topic of unusual requirements there are a bunch of contributors 
to the NTP Pool using this curious device that can do line rate NTP responses 
(100Mbps, but still):

https://store.uputronics.com/index.php?route=product/product_id=92


Ask

Re: NTP question

2019-05-01 Thread Ask Bjørn Hansen



> On May 1, 2019, at 12:22, Mehmet Akcin  wrote:
> 
> I am trying to buy a GPS based NTP server like this one 
> 
> https://timemachinescorp.com/product/gps-time-server-tm1000a/
> 
> but I will be placing this inside a data center, do these need an actual view 
> of a sky to be able to get signal or will they work fine inside a data center 
> building? if you have any other hardware requirements to be able to provide 
> stable time service for hundreds of customers, please let me know.

[ with my hobby-hat on … ]

tl;dr: if any of the below is too much work, just run a reasonably well monitored 
NTP server syncing from other NTP servers. If you want more than that, you need 
to see the sky. Don’t do the CDMA thing.

Depending on your requirements having the antenna in the window may or may not 
be satisfactory. If it’s fine you probably could just have done a regular NTP 
server in the first place.  For long swaths of the day you might not see too 
many satellites which will add to the uncertainty of the signal.

Meinberg’s GPS antenna has a bit more smarts which helps it work on up to 300 
meters on RG58 or 700 meters on RG213.  (They also have products that use 
regular L1 antennas with the limitations Bryan mentioned).

https://www.meinbergglobal.com/english/products/gps-antenna-converter.htm

They also have a multi-mode fiber box to have the antenna be up to 2km from the 
box or 20km with their single mode fiber box, if you have fiber to somewhere 
else where you can see the sky and place an antenna.

It will be more than the one you linked to, but their systems are very 
reasonably priced, too. For “hundreds of customers” whatever is the 
smallest/cheapest box they have will work fine. Even their smallest models have 
decent oscillators (for keeping the ticks accurate between GPS signals).

The Meinberg time server products (I am guessing all of them, but I’m not sure) 
also have a mode where they poll an upstream NTP server aggressively and then 
steer the oscillator after it. I haven’t used it in production, but it worked a 
lot better than it sounded like it would.  (In other words, even without GPS 
it’s a better time server than most systems).


Ask

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Ask Bjørn Hansen



> On Feb 24, 2019, at 22:03, Hank Nussbacher  wrote:
> 
> Did you have a CAA record defined and if not, why not?

If the attacker got a CA to issue the cert because they changed the DNS server 
to be their own, a CAA record wouldn’t have helped (or at least been even 
easier to thwart than DNSSEC).


Ask

Re: Recent NTP pool traffic increase

2016-12-22 Thread Ask Bjørn Hansen
> On Dec 20, 2016, at 8:02 PM, Harlan Stenn  wrote:
> 
>> On 12/20/16 7:27 PM, Laurent Dumont wrote:
>> To be honest, the fact that NTP is still something managed by volunteers
>> and not a regulated entity (a bit like DNS) is mind boggling.
> 
> Time *is* managed by regulated entities - the National Time Labs.

That was pretty clearly not what Laurent was talking about.

> And Network Time Foundation's NTP Project (the reference implementation
> for NTP) could do lots more if we had a useful budget.
> 
> Folks pay money for DNS registrations.  There's no revenue stream around
> "time".
> 
> Help us get enough support to NTF, and we'll have the staff and
> infrastructure to do more for folks.

What does the NTF have to do with the NTP Pool (or the “recent NTP pool traffic 
increase”)?

The NTP Pool is run by volunteers, as you very well know. Both the management 
and DNS system and the thousands of people who contribute their NTP service to 
the system. (And we manage on a pretty scarce budget).


Ask

-- 
http://www.askask.com

Re: Recent NTP pool traffic increase (update)

2016-12-22 Thread Ask Bjørn Hansen
Hello,

Those servers aren’t (and have never been) part of the NTP Pool - 
https://www.ntppool.org/en/

If they were you could remove them from the system and over the next hours, 
days and months the traffic would go away. We also have features to change the 
relative amount of clients you get (to just get less queries instead of 
withdrawing from the pool altogether).

Anyway, it looks like your IPs are listed on support.ntp.org as “public 
servers”, so removing them from there would be step 1. However there’s no 
working mechanism for you to tell the clients that they should go away after 
they’ve hard coded your IP in their configuration. (That’s the point of the NTP 
Pool system really, to let you offer a public service and have an avenue to stop 
doing it, too).

support.ntp.org appears to be down, but your IPs are listed on the site 
according to a Google search:
https://www.google.com/search?q=133.100.9.2+ntp


Ask

> On Dec 21, 2016, at 7:13 PM, FUJIMURA Sho  wrote:
> 
> Hello.
> 
> I operate the public NTP Service as 133.100.9.2
> and 133.100.11.8 at Fukuoka University, Japan.
> I have a lot of trouble with too much NTP traffic from
> many routers which 133.100.9.2 as default setting of NTP
> has been set like Tenda or LB-Link etc.
> So, although I'd like to contact Firmware developers of these company
> and would like them to change the default settings,
> is there the person knowing the contact information?
> 
> -- 
> Sho FUJIMURA
> Information Technology Center, Fukuoka University.
> 8-19-1, Nanakuma, Jyonan-ku, Fukuoka, 8140180, Japan




Re: Recent NTP pool traffic increase

2016-12-19 Thread Ask Bjørn Hansen

> On Dec 15, 2016, at 14:45, Jose Gerardo Perales Soto 
>  wrote:
> 
> We've recently experienced a traffic increase on the NTP queries to NTP pool 
> project (pool.ntp.org) servers. One theory is that some service provider NTP 
> infrastructure failed approximately 2 days ago and traffic is now being 
> redirected to servers belonging to the NTP pool project.

Hi Jose,

It’s more widespread than a particular service provider, so it seems more 
likely it’s a software update for some “IoT” device or similar.

The increase in DNS queries was on the “non-vendor” names, so it’s difficult to 
know who it is without being on a local network with one of the bad device 

The increase in DNS queries is much smaller than the increase in NTP queries 
that are being seen, so it’s not just more clients, but badly behaving ones. :-(

https://status.ntppool.org/incidents/vps6y4mm0m69

If you have NTP servers that can be added to the pool, it’d be greatly 
appreciated.

http://www.pool.ntp.org/join.html


Ask



Re: DNS Services for a registrar

2016-08-15 Thread Ask Bjørn Hansen

> On Aug 11, 2016, at 22:56, Ryan Finnesey  wrote:
> 
> We need to provide DNS services for domains we offer as a registrar.
> We were discussing internally the different options for the deployment.  Does 
> anyone see a down side to using IaaS on AWS and Azure?

No anycast.

> We were also kicking around the idea of a PaaS offering and using Azure DNS 
> or AWS Route 53.

https://www.pch.net/services/dns_anycast


Ask

Re: Why are there no GeoDNS solutions anywhere in sight?

2013-04-11 Thread Ask Bjørn Hansen

On Mar 20, 2013, at 20:28, Constantine A. Murenin muren...@gmail.com wrote:

> [...] but what other alternatives could be configured in 5 or 15 minutes?

You got a lot of answers telling you to not even try, and I don't know that you 
can configure any of them in 5 minutes.

That being said there are lots of options that might be good enough:

 - PowerDNS has a Geo backend - http://doc.powerdns.com/html/geo.html
 - There are various patches for Bind
 - Gdnsd - https://github.com/blblack/gdnsd
 - GeoDNS - https://github.com/abh/geodns

I use the latter for the www.pool.ntp.org service where it sends users to one 
of about 4000 local servers (pops) in about 100 countries about 15 billion 
times a month.



Ask


Re: NTP Issues Today

2012-11-21 Thread Ask Bjørn Hansen

On Nov 20, 2012, at 13:00, Darius Jahandarie djahanda...@gmail.com wrote:

Hi everyone,

I run the NTP Pool system - http://www.pool.ntp.org/ - so I have some opinions 
on some of this. :-)

> But beyond that, I'm honestly rather curious what server selections
> are a good idea. A first thought would be an adjacent country, but
> maybe there is a benefit to picking things outside of the pool.ntp.org
> selection entirely?

First of all: None of the ~3800 servers in the NTP Pool system were affected by 
this as far as I can tell from the (copious) monitoring data.

The big benefit to adding some non-pool servers is that you wouldn't be 
depending basically on a bunch of volunteers (and to a large extent me) for 
your time keeping. Though likely you'd just be depending on another group of 
volunteers.

In addition to depending on the server operators who run the ntpd servers you 
also depend on:

1) The monitoring system keeping accurate time.
2) The monitoring system does its job catching bad servers.
3) The process updating and distributing the DNS data working.
4) The DNS servers working (and not being under a DoS attack or similar).
5) Anything I haven't thought of!

Empirically I believe we've done a better job than just about anyone with a 
similar scale, but past performance is no promise of the future.

> I see that Jared used *.fedora.pool.ntp.org -- I wonder if there was a
> specific reason for that or if my questions are even worth thinking
> about at all :-).


The servers for x.fedora.pool.ntp.org are in the same group as 
x.pool.ntp.org.  If you are in a country with many servers in the pool then 
you'll very likely get different IPs for the two. If you are in a country with 
few servers your odds for that aren't so good and it'd be a bit pointless.

Anyone using the NTP Pool in a default configuration (like Fedora does) must 
get a vendor zone setup - http://www.pool.ntp.org/en/vendors.html - so we 
have at least a little bit of a chance to monitor and mitigate problems.

It also allows us to change what servers are selected, how many IPs are 
returned etc for a particular vendor.  For example if Fedora in the future 
changes to use 'pool' instead of 'server' in the configuration we could 
optimize for that.


Ask

-- 
http://askask.com/


Re: SSL Certificates

2012-02-15 Thread Ask Bjørn Hansen

On Jan 6, 2012, at 6:15, Michael Carey wrote:

> Looking for a recommendation on who to buy affordable and reputable SSL
> certificates from?  Symantec, Thawte, and Comodo are the names that come to
> mind, just wondering if there are others folks use.

Almost everyone is basically just selling an activation with one of the SSL 
certificate authorities.

I usually buy a RapidSSL (Verisign) certificate from 
https://www.sslmatrix.com/ -- they seem to have some of the best prices and the 
rapidssl enrollment process is very efficient (at least for the cheap 
automatically validated products).


Ask

-- 
http://askask.com/


Re: vyatta for bgp

2011-09-21 Thread Ask Bjørn Hansen

On Sep 12, 2011, at 11:42, Ben Albee wrote:

> Does anybody currently use vyatta as a bgp router for their company? If
> so have you ran into any problems with using that instead of a cisco or
> juniper router?

We're using Vyatta for a handful of fast ethernet links to the internet, with I 
think about three dozen BGP peers.  (Mix of IPv4 and IPv6; about four full 
feeds on each protocol, the rest is peering).  It's not as mature or polished 
as I understand some of the Cisco or Juniper platforms are; but on our small 
scale it's fine.

We have a decent amount of Linux expertise in the office (and virtually zero 
for Juniper/Cisco/...), so having more familiar tools on the routers is nice.

As a small shop it's also convenient that the boxes are cheap (so we can have 
two hot ones with VRRP etc and cheaply a third cold spare) and that the spare 
parts etc are the same or similar to the rest of the boxes in the rack.


 - ask

-- 
http://askask.com/


Re: Cogent IPv6

2011-06-08 Thread Ask Bjørn Hansen

On Jun 8, 2011, at 6:51, Nick Olsen wrote:

> I'm sure someone here is doing IPv6 peering with cogent. We've got a Gig 
> with them, So they don't do that dual peering thing with us. (They do it on 
> another 100Mb/s circuit we have... I despise it.)
> Just kind of curious how they go about it.
> Do they issue you a small IPv6 block for your interface, just like they do 
> for IPv4? Is it a separate session?

Like Mark described, for us too they dropped the goofy dual-session thing for 
IPv4 so we just have an IPv4 and an IPv6 session now.

> Any things to be aware of before pulling the trigger on it? (Other than them 
> not having connectivity to HE's IPv6 side of things, Wish they would fix 
> that already...)

Yeah, there's that ...  (We have a couple other providers, too, so we don't 
really care but it's goofy).

Worse, for us, is that their router doesn't respond to neighbor discovery 
requests, so I had to make a static neighbor entry on our router for the 
session to come up.  Not very pretty.  I spent more than an hour on the phone 
with them and they didn't have any ideas (we have plenty other IPv6 sessions 
for transit and peering on the same router that are working fine).

Somewhere on the internets someone anecdotally told they had a Cisco router 
that did the same thing until it was rebooted.   Didn't bother calling them to 
tell them to reboot the router we are on.  :-)

Anyway, I guess the lesson is that they (like most providers, I am sure) don't 
have that much IPv6 experience and they didn't care that much that it didn't 
work right.  Hopefully that attitude will change over the next months.


  - ask


Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-14 Thread Ask Bjørn Hansen

On Mar 11, 2011, at 11:22, Jeff Wheeler wrote:

> I think there are a lot of people who throw around the SLAAC argument
> like it's actually good for something.  Do these people know what
> SLAAC does?  For core networks, it doesn't do anything.  For
> hosting/datacenter networks and cluster/VPS environments, again, it
> doesn't do anything.  Zero benefit. 

Doesn't SLAAC give you automatic MAC address to IP mapping?  It'll save you 
manually doing that (in an otherwise well controlled environment).

 
  - ask


Re: Internet Edge Router replacement - IPv6 route tablesizeconsiderations

2011-03-14 Thread Ask Bjørn Hansen

On Mar 14, 2011, at 16:38, Nick Hilliard wrote:

>> Doesn't SLAAC give you automatic MAC address to IP mapping?  It'll save 
>> you manually doing that (in an otherwise well controlled environment).
> 
> No, it doesn't. On some systems, the mac address is used to create the ipv6 
> address, but not on others (e.g. windows 7).

Sorry, I made the mail a bit too short I suppose.  Well controlled 
environment in my case is a bunch of relatively homogeneous linux server 
systems (plain hardware and virtualized), all managed by the same team.



 - ask

-- 
Ask Bjørn Hansen, http://askask.com/
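
The MAC-to-address mapping discussed in the two SLAAC messages above, as an added example that is not part of the original posts: it derives the modified EUI-64 address a host forms from its MAC, reverses it, and reconciles observed addresses against a MAC inventory, returning no match for addresses whose interface identifier was not built from a MAC. The prefix, MACs, host names and addresses are constructed for the example.

```python
import ipaddress

EUI64_FILLER = b"\xff\xfe"   # inserted between the two halves of the MAC
U_L_BIT = 0x02               # universal/local bit, flipped in the first octet


def mac_to_slaac(prefix, mac):
    """Address a host forms via SLAAC with a modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= U_L_BIT
    iid = bytes(octets[:3]) + EUI64_FILLER + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def slaac_to_mac(address):
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface ID does not carry the ff:fe filler (randomised/privacy or
    manually assigned identifiers)."""
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != EUI64_FILLER:
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= U_L_BIT
    return ":".join("%02x" % o for o in octets)


def match_inventory(observed, inventory):
    """Map each observed address to a host name from a MAC inventory.

    Unmatched addresses map to None so they can be reviewed by hand.
    """
    result = {}
    for address in observed:
        mac = slaac_to_mac(address)
        result[address] = inventory.get(mac) if mac else None
    return result


# Constructed sample data.
INVENTORY = {"52:54:00:12:34:56": "vm-web01", "00:25:90:ab:cd:ef": "db01"}
OBSERVED = [
    "2001:db8:1:2:5054:ff:fe12:3456",      # EUI-64 from vm-web01's MAC
    "2001:db8:1:2:225:90ff:feab:cdef",     # EUI-64 from db01's MAC
    "2001:db8:1:2:a1b2:c3d4:e5f6:789a",    # randomised interface ID
]

if __name__ == "__main__":
    print(mac_to_slaac("2001:db8:1:2::/64", "52:54:00:12:34:56"))
    for address, host in match_inventory(OBSERVED, INVENTORY).items():
        print(address, "->", host or "no MAC-derived match")
```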






Re: Micro-allocation needed?

2010-06-21 Thread Ask Bjørn Hansen

On Jun 21, 2010, at 23:34, William Pitcock wrote:

> On Mon, 2010-06-21 at 23:32 +0200, Ask Bjørn Hansen wrote:
>> Hi everyone,
>> 
>> We're going to anycast a /24 for some DNS servers (and possibly another UDP 
>> based service)[1].
>> 
>> I see that ARIN are listing on https://www.arin.net/knowledge/ip_blocks.html 
>> the smallest allocations from each prefix.   Will we have trouble getting a 
>> /24 announced if we take it from a regular /20?
> 
> No, you can split up allocations as you want, provided you can prove you
> own them.
> 
> Some providers however, won't announce anything smaller than a /24.

I guess to rephrase my question:

Are there (a significant number of) providers that will filter a /24 
announcement from an ARIN prefix not in the list of prefixes where they 
allocate /24 blocks.

(I take it from what you wrote that the answer is No).


 - ask




Re: Micro-allocation needed?

2010-06-21 Thread Ask Bjørn Hansen

On Jun 21, 2010, at 23:55, Joe Abley wrote:

Everyone: Thanks for the replies regarding the /24 announcement from a /20 
allocated block. Yes, obviously the /20 announcement will handle the traffic, 
too.   I'm a regular reader on NANOG and consistently impressed by the 
expertise on display and the speed with which it's generously handed out.  :-)


> I'm interested in the idea of anycasting one of the pool.ntp.org 
> herd-members. Every time I've suggested such a thing I've been told 
> (paraphrasing) that a good (server, client) NTP session exhibits reasonable 
> RTT stability, this constitutes, in effect, a long-lived transaction, and 
> hence anycast is not a good answer unless you have confidence that the 
> potential for oscillations is low, or that the frequency of the oscillations 
> is very low (i.e. in a private network this might be a good answer, but 
> across the public Internet it's a poor answer).
> 
> Has the thinking changed, or did I just misunderstand?

I think the thinking on NTP [ see below ] is the same; but indeed when I wrote 
possibly other UDP based services experimenting with that was my idea, too.

I believe some of the CDNs are anycast based (Cachefly?) and they did some 
extensive tests with very long http transactions.  (And I guess do a big test 
daily in running the service...).

However -- Much of the pool.ntp.org traffic is from SNTP clients where the NTP 
considerations don't apply.  (In summary: SNTP = dumb client that just asks for 
the time now; NTP = clever server that keeps track of the time.  The protocol 
is the same, but the usage quite different).


  - ask




IPv6 client adoption slowly going 3% (?)

2010-03-09 Thread Ask Bjørn Hansen
Hi everyone,

I read the IPv4 address space thread and thought this might be of interest to 
the group:

Some months ago I setup a small test to test if users browsing 
http://www.pool.ntp.org/ supported IPv6:

http://www.v6test.develooper.com/statistics
http://www.v6test.develooper.com/

It's slowly been creeping up to 2.8% this month (from ~2.2% in November).   At 
this rate we'll have critical mass (say 25%?) already in 2022!

Kidding aside, although most of the test data is from NTP Pool website 
currently I've been testing a few different sites and the numbers are all 
pretty close.

Anyway - if you want to test your user base, then you can make an account at 
http://www.v6test.develooper.com/account and get a bit of javascript to put on 
your website/weblog/...

The code for the system is at 
http://git.develooper.com/?p=v6test.git;a=summary and 
http://github.com/abh/v6test

Specifically the javascript doing the test at:
http://github.com/abh/v6test/blob/master/public/devel/v6test.js

I've also been testing how many fail to handle A+AAAA records and it seems to 
be about 2-3%[1] -- which sounds like more than plenty for Google, Amazon etc 
not to enable IPv6 on their regular hostnames where it matters.



 - ask

[1] The number on the global statistics page is artificially low because many 
of the tests have been via a host with both A and AAAA records and I forgot to 
take that into account when calculating the numbers. Oops.  I'll get it fixed.

-- 
http://develooper.com/ - http://askask.com/





Re: Leap second tonight

2009-03-17 Thread Ask Bjørn Hansen


On Dec 31, 2008, at 15:28, Kevin Oberman wrote:


> We use CDMA clocks and last leap second it took weeks for all of the
> cell sites to adjust the last one. As a result, I have set all of our
> clocks for manual leap second and set them to adjust tonight at midnight
> (UTC). I'll take a look in about 35 minutes and see how it worked.


Chiming in a little late here ...

Over at the NTP Pool we had about 9% of the servers not handle the leap
second accurately; starting at midnight UTC.  After an hour (so between
01:00 and 02:00) it was down to about 3%; a couple hours later down to
about 1% of our servers (a few dozen)[1].  Most of those got in order
within 24-48 hours.  Interestingly the few who didn't get corrected within
a few days were, tada: CDMA clocks.

To stay vaguely NANOG on-topic: I believe at least some of our ~1700 NTP
servers are routers; so I'm guessing they handled the leap second alright.

Sounds like a RISKS lesson: Don't use side-effects of a tool for something
critical.  (If I understand it right then CDMA uses accurate time because
it needs accurate frequency; not because it cares what time it is).

Also: Who came up with having the leap second on New Year!?  Clearly not
someone with any operational experience.



 - ask

[1] http://fortytwo.ch/mailman/pipermail/timekeepers/2009/004619.html  
and http://fortytwo.ch/mailman/pipermail/timekeepers/2009/004623.html


--
http://develooper.com/ - http://askask.com/