Re: NTP Sync Issue Across Tata (Europe)

[Tom Beecher]

v.je @ns1.gov.je
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4249
>
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
>
> ;; QUESTION SECTION:
>
> ;gov.je.        IN    NS
>
>
> ;; ANSWER SECTION:
>
> gov.je.3600INNSns2.gov.je.
>
> gov.je.3600INNSns1.gov.je.
>
>
> ;; ADDITIONAL SECTION:
>
> ns2.gov.je.3600INA212.9.21.137
>
> ns1.gov.je.3600INA212.9.21.9
>
>
> --
> Best wishes,
> Matthew
>
> --
>
> From: Mel Beckman 
>
> To: Matthew Richardson 
>
> Cc: Nanog 
>
> Date: Tue, 8 Aug 2023 15:12:29 +
>
> Subject: Re: NTP Sync Issue Across Tata (Europe)
>
>
> Until the Internet NTP network can be made secure, no. Do you have a
> citation for your Jersey event? I doubt GPS caused the problem, but I'd
> like to see the documentation.
>
>
> Using GPS for time sync is simple risk management: the risk of Internet
> NTP with known, well documented vulnerabilities and many security
> incidents, versus the risk of some theoretical GPS-based vulnerability, for
> which mitigations such as geographic diversity are readily available. Sure,
> you could use Internet NTP as a last resort should GPS fail globally
> (perhaps due to a theoretical - but conceivable - meteor storm). But that
> would be a fall-back. I would not mix the systems.
>
>
> -mel
>
>
> On Aug 8, 2023, at 1:36 AM, Matthew Richardson 
> wrote:
>
>
> ?Mel Beckman wrote:-
>
>
> It's a problem that has received a lot of attention in both NTP and
>
> aviation navigation circles. What is hard to defend against is total signal
>
> suppression via high powered jamming. But that you can do with a
>
> geographically diverse GPS NTP network.
>
>
> Whilst looking forward to being corrected, GPS (even across multiple
>
> locations) seems to be a SINGLE source of time.  You seem (have I
>
> misunderstood?) to be a proponent of using GPS exclusively as the external
>
> clock source.
>
>
> Might it be preferable to have a mixture of GPS (perhaps with another GNSS)
>
> together with carefully selected Internet-based NTP servers?
>
>
> I recall an incident over here in Jersey (the one they named New Jersey
>
> after!) where our primary telco had a substantial time shift on one of
>
> their two GPS synced servers.  This managed to adjust the clock on enough
>
> of their routers that the certificate-based OSPF authentication considered
>
> the certificates invalid, and caused a failure of almost their whole
>
> network.
>
>
> This is, of course, not to say that GPS is not a very good clock source,
>
> but rather to wonder whether more diversity would be preferable than using
>
> it as a single source.
>
>
> --
>
> Best wishes,
>
> Matthew
>
>
> --
>
> From: Mel Beckman 
>
> To: "Forrest Christian (List Account)" 
>
> Cc: Nanog 
>
> Date: Mon, 7 Aug 2023 14:03:30 +
>
> Subject: Re: NTP Sync Issue Across Tata (Europe)
>
>
> Forrest,
>
>
> GPS spoofing may work with a primitive Raspberry Pi-based NTP server, but
> commercial industrial NTP servers have specific anti-spoofing mitigations.
> There are also antenna diversity strategies that vendors support to ensure
> the signal being relied upon is coming from the right direction. It's a
> problem that has received a lot of attention in both NTP and aviation
> navigation circles. What is hard to defend against is total signal
> suppression via high powered jamming. But that you can do with a
> geographically diverse GPS NTP network.
>
>
> -mel
>
>
> On Aug 7, 2023, at 1:39 AM, Forrest Christian (List Account) <
> li...@packetflux.com> wrote:
>
>
> ?
>
> The problem with relying exclusively on GPS to do time distribution is the
> ease with which one can spoof the GPS signals.
>
>
> With a budget of around $1K, not including a laptop, anyone with decent
> technical skills could convince a typical GPS receiver it was at any
> position and was at any time in the world.   All it takes is a decent
> directional antenna, some SDR hardware, and depending on the location and
> directivity of your antenna maybe a smallish amplifier.   There is much
> discussion right now in the PNT (Position, Navigation and Timing) community
> as to how best to secure the GNSS network, but right now one should
> consider the data from GPS to be no more trustworthy than some random NTP
> server on the internet.
>
>
> In order to build a resilient NTP server infrastructure you need multiple
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

So, probably not a failure "caused by GPS", rather one caused by poor
design (only two clock sources) combined with unsupported and buggy
devices.

Interesting software bug, but not really germane to this discussion, other than 
as a cautionary tale about time distribution architectures.


 -mel beckman

On Aug 16, 2023, at 3:51 AM, Matthew Richardson  
wrote:

Mel Beckman wrote:-

Do you have a citation for your Jersey event? I doubt GPS caused the problem, 
but I'd like to see the documentation.

The event took place on the evening of Sunday 12 July 2020, and seems NOT
to have been due to an issue caused directly by GPS, but rather to
misbehaviour of a GPS NTP server relating to week numbers.  Our regulator
subsequently issued the following comprehensive document:-

https://www.jcra.je/media/598397/t-027-jt-july-2020-outage-decision-directions.pdf

By way of summary, JT operated two GPS derived NTP servers, with all of
their routers were pointing to both.  On the evening in question, one of
the two reset its clock back to 27 November 2000.

Their interior routing protocol used amongst their mesh of routers was
IS-IS which was using authentication.  The authentication [section 4.19]
was described having a "password validity start date" of 01 July 2012.
Thus, any routers which had picked up the time from the faulty source no
longer had valid IS-IS authentication and were thus isolated.

Whilst only 15% of their routers were affected, this was enough to cause an
almost total failure in their network, affecting telephony (fixed & mobile)
and Internet.  For foreign readers (this is NANOG!) "999" calls refer to
the emergency services in these parts, where any failures attract the
attention of our regulator.

The details of why the clock "failed" start at section 4.23, and seem to
relate a GPS week number rollover.

So, probably not a failure "caused by GPS", rather one caused by poor
design (only two clock sources) combined with unsupported and buggy
devices.

One curious aspect is that some routers followed the "bad" time, which is
alluded to in section 4.31.

Something not discussed in that report is that JT's email failed during the
incident despite its being hosted on Office365.  The reason was that the
two authoritative DNS servers for jtglobal.com were hosted in Jersey inside
their network.  As that network was wholly disconnected, there was no DNS
and hence no email.  Despite my having raised this since with their senior
management, their DNS remains hosted in this way:-

matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns jtglobal.com 
@ns1.jtibs.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20462
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;jtglobal.com.INNS

;; ANSWER SECTION:
jtglobal.com.60INNSns2.jtibs.net.
jtglobal.com.60INNSns1.jtibs.net.

;; ADDITIONAL SECTION:
ns1.jtibs.net.60INA212.9.0.135
ns2.jtibs.net.60INA212.9.0.136
ns1.jtibs.net.60IN2a02:c28::d1
ns2.jtibs.net.60IN2a02:c28::d2

Rediculously (and again despite my agitation to their management) our
government domain gov.je has similar DNS fragility:-

matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns gov.je @ns1.gov.je
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4249
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;gov.je.INNS

;; ANSWER SECTION:
gov.je.3600INNSns2.gov.je.
gov.je.3600INNSns1.gov.je.

;; ADDITIONAL SECTION:
ns2.gov.je.3600INA212.9.21.137
ns1.gov.je.3600INA212.9.21.9

--
Best wishes,
Matthew

--
From: Mel Beckman 
To: Matthew Richardson 
Cc: Nanog 
Date: Tue, 8 Aug 2023 15:12:29 +
Subject: Re: NTP Sync Issue Across Tata (Europe)

Until the Internet NTP network can be made secure, no. Do you have a citation 
for your Jersey event? I doubt GPS caused the problem, but I'd like to see the 
documentation.

Using GPS for time sync is simple risk management: the risk of Internet NTP 
with known, well documented vulnerabilities and many security incidents, versus 
the risk of some theoretical GPS-based vulnerability, for which mitigations 
such as geographic diversity are readily available. Sure, you could use 
Internet NTP as a last resort should GPS fail globally (perhaps due to a 
theoretical - but conceivable - meteor storm). But that would be a fall-back. I 
would not mix the systems.

-mel

On Aug 8, 2023, at 1:36 AM, Matthew Richardson  
wrote:

?Mel Beckman wrote:-

It's a problem that has received a lot of attention in both NTP and
aviation navigation circles. What is hard to defend against is total signal
suppression via high powered jam

Re: NTP Sync Issue Across Tata (Europe)

[Tom Beecher]

Thanks for that link.

This is jumping out at me though :

Their interior routing protocol used amongst their mesh of routers was
> IS-IS which was using authentication.  The authentication [section 4.19]
> was described having a "password validity start date" of 01 July 2012.
> Thus, any routers which had picked up the time from the faulty source no
> longer had valid IS-IS authentication and were thus isolated.
>

It's been a while, but last time I remember diving into the IS-IS weeds ,
the time of the transmitting system wasn't part of a Hello.  Is this a
Cisco specific option they toss in a TLV?

On Wed, Aug 16, 2023 at 9:04 AM Matthew Richardson via NANOG <
nanog@nanog.org> wrote:

> Mel Beckman wrote:-
>
> >Do you have a citation for your Jersey event? I doubt GPS caused the
> problem, but I’d like to see the documentation.
>
> The event took place on the evening of Sunday 12 July 2020, and seems NOT
> to have been due to an issue caused directly by GPS, but rather to
> misbehaviour of a GPS NTP server relating to week numbers.  Our regulator
> subsequently issued the following comprehensive document:-
>
>
> https://www.jcra.je/media/598397/t-027-jt-july-2020-outage-decision-directions.pdf
>
> By way of summary, JT operated two GPS derived NTP servers, with all of
> their routers were pointing to both.  On the evening in question, one of
> the two reset its clock back to 27 November 2000.
>
> Their interior routing protocol used amongst their mesh of routers was
> IS-IS which was using authentication.  The authentication [section 4.19]
> was described having a "password validity start date" of 01 July 2012.
> Thus, any routers which had picked up the time from the faulty source no
> longer had valid IS-IS authentication and were thus isolated.
>
> Whilst only 15% of their routers were affected, this was enough to cause an
> almost total failure in their network, affecting telephony (fixed & mobile)
> and Internet.  For foreign readers (this is NANOG!) "999" calls refer to
> the emergency services in these parts, where any failures attract the
> attention of our regulator.
>
> The details of why the clock "failed" start at section 4.23, and seem to
> relate a GPS week number rollover.
>
> So, probably not a failure "caused by GPS", rather one caused by poor
> design (only two clock sources) combined with unsupported and buggy
> devices.
>
> One curious aspect is that some routers followed the "bad" time, which is
> alluded to in section 4.31.
>
> Something not discussed in that report is that JT's email failed during the
> incident despite its being hosted on Office365.  The reason was that the
> two authoritative DNS servers for jtglobal.com were hosted in Jersey
> inside
> their network.  As that network was wholly disconnected, there was no DNS
> and hence no email.  Despite my having raised this since with their senior
> management, their DNS remains hosted in this way:-
>
> >matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns jtglobal.com @
> ns1.jtibs.net
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20462
> >;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
> >
> >;; QUESTION SECTION:
> >;jtglobal.com. IN  NS
> >
> >;; ANSWER SECTION:
> >jtglobal.com.  60  IN  NS  ns2.jtibs.net.
> >jtglobal.com.  60  IN  NS  ns1.jtibs.net.
> >
> >;; ADDITIONAL SECTION:
> >ns1.jtibs.net. 60  IN  A   212.9.0.135
> >ns2.jtibs.net. 60  IN  A   212.9.0.136
> >ns1.jtibs.net. 60  IN  2a02:c28::d1
> >ns2.jtibs.net. 60  IN  2a02:c28::d2
>
> Rediculously (and again despite my agitation to their management) our
> government domain gov.je has similar DNS fragility:-
>
> >matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns gov.je @
> ns1.gov.je
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4249
> >;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
> >
> >;; QUESTION SECTION:
> >;gov.je.   IN  NS
> >
> >;; ANSWER SECTION:
> >gov.je.        3600    IN  NS  ns2.gov.je.
> >gov.je.3600IN  NS  ns1.gov.je.
> >
> >;; ADDITIONAL SECTION:
> >ns2.gov.je.3600IN  A   212.9.21.137
> >ns1.gov.je.3600IN  A   212.9.21.9
>
> --
> Best wishes,
> Matthew
>
>  --
> >From: Mel Beckman 
&g

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

So, probably not a failure "caused by GPS", rather one caused by poor
design (only two clock sources) combined with unsupported and buggy
devices.



 -mel beckman

On Aug 16, 2023, at 3:51 AM, Matthew Richardson  
wrote:

Mel Beckman wrote:-

Do you have a citation for your Jersey event? I doubt GPS caused the problem, 
but I'd like to see the documentation.

The event took place on the evening of Sunday 12 July 2020, and seems NOT
to have been due to an issue caused directly by GPS, but rather to
misbehaviour of a GPS NTP server relating to week numbers.  Our regulator
subsequently issued the following comprehensive document:-

https://www.jcra.je/media/598397/t-027-jt-july-2020-outage-decision-directions.pdf

By way of summary, JT operated two GPS derived NTP servers, with all of
their routers were pointing to both.  On the evening in question, one of
the two reset its clock back to 27 November 2000.

Their interior routing protocol used amongst their mesh of routers was
IS-IS which was using authentication.  The authentication [section 4.19]
was described having a "password validity start date" of 01 July 2012.
Thus, any routers which had picked up the time from the faulty source no
longer had valid IS-IS authentication and were thus isolated.

Whilst only 15% of their routers were affected, this was enough to cause an
almost total failure in their network, affecting telephony (fixed & mobile)
and Internet.  For foreign readers (this is NANOG!) "999" calls refer to
the emergency services in these parts, where any failures attract the
attention of our regulator.

The details of why the clock "failed" start at section 4.23, and seem to
relate a GPS week number rollover.

So, probably not a failure "caused by GPS", rather one caused by poor
design (only two clock sources) combined with unsupported and buggy
devices.

One curious aspect is that some routers followed the "bad" time, which is
alluded to in section 4.31.

Something not discussed in that report is that JT's email failed during the
incident despite its being hosted on Office365.  The reason was that the
two authoritative DNS servers for jtglobal.com were hosted in Jersey inside
their network.  As that network was wholly disconnected, there was no DNS
and hence no email.  Despite my having raised this since with their senior
management, their DNS remains hosted in this way:-

matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns jtglobal.com 
@ns1.jtibs.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20462
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;jtglobal.com.INNS

;; ANSWER SECTION:
jtglobal.com.60INNSns2.jtibs.net.
jtglobal.com.60INNSns1.jtibs.net.

;; ADDITIONAL SECTION:
ns1.jtibs.net.60INA212.9.0.135
ns2.jtibs.net.60INA212.9.0.136
ns1.jtibs.net.60IN2a02:c28::d1
ns2.jtibs.net.60IN2a02:c28::d2

Rediculously (and again despite my agitation to their management) our
government domain gov.je has similar DNS fragility:-

matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns gov.je @ns1.gov.je
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4249
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;gov.je.INNS

;; ANSWER SECTION:
gov.je.3600INNSns2.gov.je.
gov.je.3600INNSns1.gov.je.

;; ADDITIONAL SECTION:
ns2.gov.je.3600INA212.9.21.137
ns1.gov.je.3600INA212.9.21.9

--
Best wishes,
Matthew

--
From: Mel Beckman 
To: Matthew Richardson 
Cc: Nanog 
Date: Tue, 8 Aug 2023 15:12:29 +
Subject: Re: NTP Sync Issue Across Tata (Europe)

Until the Internet NTP network can be made secure, no. Do you have a citation 
for your Jersey event? I doubt GPS caused the problem, but I'd like to see the 
documentation.

Using GPS for time sync is simple risk management: the risk of Internet NTP 
with known, well documented vulnerabilities and many security incidents, versus 
the risk of some theoretical GPS-based vulnerability, for which mitigations 
such as geographic diversity are readily available. Sure, you could use 
Internet NTP as a last resort should GPS fail globally (perhaps due to a 
theoretical - but conceivable - meteor storm). But that would be a fall-back. I 
would not mix the systems.

-mel

On Aug 8, 2023, at 1:36 AM, Matthew Richardson  
wrote:

?Mel Beckman wrote:-

It's a problem that has received a lot of attention in both NTP and
aviation navigation circles. What is hard to defend against is total signal
suppression via high powered jamming. But that you can do with a
geographically diverse GPS NTP network.

Whilst looking forward to being corrected, GPS (even across 

Re: NTP Sync Issue Across Tata (Europe)

[sronan]

Throw  PTP in the mix for the greater accuracy required for some wireless (5G) configurations, and the situation becomes even more complicated.On Aug 14, 2023, at 6:55 AM, Forrest Christian (List Account)  wrote:We're going to have to somewhat disagree here...I may not have been 100% clear about what I see as the most common risks for GPS.  The reason I suggest that NTP risks and GPS risks are similar is not primarily due to intentional time injection hacks (although that is a risk).   Instead, it's related to GPS failure modes, and the increased commonality of GPS jamming causing those failures.   I will 100% concede that NTP carries far more spoofing or intentional DoS risks.   But GPS is far more likely to suffer a failure in the absence of a bad actor than NTP.The reason for this is that the GPS signal is incredibly weak, and it's incredibly easy to break GPS reception.   Good antenna placement and antennas that try to reject terrestrial signals help but don't always prevent the failures from happening.   Because GPS is used more and more to track objects and people, people who don't want to be tracked are starting to buy and use jammers.  In addition, it's becoming increasingly common for gamers to spoof their GPS location (and, as a result, time) via GPS injection.  So the kid down the street trying to cheat at pokemon go or the truck driver not wanting to get in trouble for speeding may unintentionally cause your time server to quit working correctly.  Not to mention the random piece of electronic gear which malfunctions and spews noise across the GPS band.So, yes, I will 100% agree with you that NTP carries more intentional hacking risk.   But I'm going to argue that GPS carries a significantly higher risk of a jamming-related failure.   Without good statistics, it's hard to tell which is more prevalent.   I see a lot more GPS failures from my viewpoint, but I also have to talk to customers who are having precision timing issues due to GPS failures.   My intuitive feeling is that in the absence of bad actors, NTP is significantly more reliable than GPS.   In the presence of remote bad actors, I'll grant that NTP is 100% the loser here.  When everything is working, GPS will provide better time.  Adding a holdover oscillator to GPS does help in marginal situations, but doesn't resolve all of the GPS issues.In those situations where time is not critical, either NTP or GPS is a good solution, and it largely comes down to which you prefer.   I deal with way too many antennas so I'd rather just harden a NTP server.   You might deal with way too many hackers getting in your systems so you might prefer relying on a GPS antenna.   Either way, most of the time you're going to get decent time service.   We could go into a lot of details about how each system can fail, but for non-time critical applications I'm not sure either would come out a clear winner.  I know you believe GPS does, and I believe that it isn't 100% clear which one is better for those "just want time that works most of the time" applications.   We could argue all day about this and we won't get anywhere beyond us disagreeing about this.Once you get to more time-critical apps where actual budget is going to be expended on ensuring reliable NTP services are available 24x7, then neither a default configuration NTP server nor a single GPS receiver will provide reliable time.   Selecting servers and hardening firewalls to limit the likelihood of time injection can work wonders on NTP robustness.   GPS works too if you provide enough GPS timing sources that multiple locations would have to be jammed at once.   Providing a mix of these is even better.  If I was to go GPS-only I'd probably try to ensure a minimum of 3 different GPS receivers at 3 different locations, with internal NTP servers pulling from each of the GPS-connected NTP servers.   5 would even be better.   An even more robust option would be to go with 5 GPS receivers and 2 or 3 NTP-connected stratum 1 time sources.   In this last case, you could spoof ALL of the NTP servers and the GPS would still be in control.  You could also have signal failures at 3 of the GPS sites and the NTP connections would provide redundant time sources.   Only with GPS failures at multiple sites AND NTP failures or spoofing happening at the same time would one have an issue where the NTP servers could possibly fail to receive correct time.On Mon, Aug 14, 2023 at 2:00 AM Mel Beckman  wrote:




Forrest,


I think you’re gilding the lilly. My original recommendation was to use GPS as primary, for its superior accuracy and resistance
 to attack, and have anti-GPS back up.  If you want automatic fail over, do that in an intermediate server on your site that makes a conscious test and decision to fail over to Internet NTP.


You’re mistaken to say that the vulnerability of GPS is remotely comparable  to the vulnerability of Internet-based NTP.
 To interfere with a GPS-derived clock, an 

Re: NTP Sync Issue Across Tata (Europe)

[Matthew Richardson via NANOG]

Mel Beckman wrote:-

>Do you have a citation for your Jersey event? I doubt GPS caused the problem, 
>but I’d like to see the documentation.

The event took place on the evening of Sunday 12 July 2020, and seems NOT
to have been due to an issue caused directly by GPS, but rather to
misbehaviour of a GPS NTP server relating to week numbers.  Our regulator
subsequently issued the following comprehensive document:-

https://www.jcra.je/media/598397/t-027-jt-july-2020-outage-decision-directions.pdf

By way of summary, JT operated two GPS derived NTP servers, with all of
their routers were pointing to both.  On the evening in question, one of
the two reset its clock back to 27 November 2000.

Their interior routing protocol used amongst their mesh of routers was
IS-IS which was using authentication.  The authentication [section 4.19]
was described having a "password validity start date" of 01 July 2012.
Thus, any routers which had picked up the time from the faulty source no
longer had valid IS-IS authentication and were thus isolated.

Whilst only 15% of their routers were affected, this was enough to cause an
almost total failure in their network, affecting telephony (fixed & mobile)
and Internet.  For foreign readers (this is NANOG!) "999" calls refer to
the emergency services in these parts, where any failures attract the
attention of our regulator.

The details of why the clock "failed" start at section 4.23, and seem to
relate a GPS week number rollover.

So, probably not a failure "caused by GPS", rather one caused by poor
design (only two clock sources) combined with unsupported and buggy
devices.

One curious aspect is that some routers followed the "bad" time, which is
alluded to in section 4.31.

Something not discussed in that report is that JT's email failed during the
incident despite its being hosted on Office365.  The reason was that the
two authoritative DNS servers for jtglobal.com were hosted in Jersey inside
their network.  As that network was wholly disconnected, there was no DNS
and hence no email.  Despite my having raised this since with their senior
management, their DNS remains hosted in this way:-

>matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns jtglobal.com 
>@ns1.jtibs.net
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20462
>;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 4
>
>;; QUESTION SECTION:
>;jtglobal.com. IN  NS
>
>;; ANSWER SECTION:
>jtglobal.com.  60  IN  NS  ns2.jtibs.net.
>jtglobal.com.  60  IN  NS  ns1.jtibs.net.
>
>;; ADDITIONAL SECTION:
>ns1.jtibs.net. 60  IN  A   212.9.0.135
>ns2.jtibs.net. 60  IN  A   212.9.0.136
>ns1.jtibs.net. 60  IN  2a02:c28::d1
>ns2.jtibs.net. 60  IN  2a02:c28::d2

Rediculously (and again despite my agitation to their management) our
government domain gov.je has similar DNS fragility:-

>matthew@m88:~$ dig +norec +noedns +nocmd +nostats -t ns gov.je @ns1.gov.je
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4249
>;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
>
>;; QUESTION SECTION:
>;gov.je.   IN  NS
>
>;; ANSWER SECTION:
>gov.je.3600IN  NS  ns2.gov.je.
>gov.je.3600IN  NS  ns1.gov.je.
>
>;; ADDITIONAL SECTION:
>ns2.gov.je.3600IN  A   212.9.21.137
>ns1.gov.je.        3600IN  A   212.9.21.9

--
Best wishes,
Matthew

 --
>From: Mel Beckman 
>To: Matthew Richardson 
>Cc: Nanog 
>Date: Tue, 8 Aug 2023 15:12:29 +
>Subject: Re: NTP Sync Issue Across Tata (Europe)

>Until the Internet NTP network can be made secure, no. Do you have a citation 
>for your Jersey event? I doubt GPS caused the problem, but I’d like to see the 
>documentation.
>
>Using GPS for time sync is simple risk management: the risk of Internet NTP 
>with known, well documented vulnerabilities and many security incidents, 
>versus the risk of some theoretical GPS-based vulnerability, for which 
>mitigations such as geographic diversity are readily available. Sure, you 
>could use Internet NTP as a last resort should GPS fail globally (perhaps due 
>to a theoretical — but conceivable — meteor storm). But that would be a 
>fall-back. I would not mix the systems.
>
> -mel
>
>> On Aug 8, 2023, at 1:36 AM, Matthew Richardson  
>> wrote:
>> 
>> ?Mel Beckman wrote:-
>> 
>>> It's a problem that has received a lot of attention in both NTP and
>>> aviation navigation circles. What is hard to defend against is total signal
>&g

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Forrest Christian (List Account) wrote:


There are lots of ways to improve a GPS-based NTP server.  Better antenna
positioning.  Better GPS chipset.  Paying attention to antenna patterns.
  Adding notch filters to the GPS feed.  And so on.


They are not a very meaningful improvement.


But, in the end, there is nothing better than adding a second
GPS source at a diverse location as far as improving reliability, provided
that's an option based on timing needs.


You keep ignoring DOS attacks.

Though you wrote:

: If I just want to deny you time, it gets cheaper and
: easier.   All I need is a 1.2 GHz oscillator coupled to an
: antenna. There are units like this available for under $10,
: delivered.  These block GPS trackers on trucks and/or private
: automobiles.   Build your own and you can get a watt or two
: to shove into a tiny antenna for not a lot more. Guaranteed
: to Jam anything within a couple of blocks.

you don't understand similar effectiveness by DOS.


I can also attest that there is at least one overlap between time-nuts and
NANOG


See above.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Mike Hammett]

Forrest seems to have posted a good general overview and perspectives about 
"good enough for the use case" while others continue to be pedantic about 
nuances that don't seem to be relevant to most use cases. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Forrest Christian (List Account)"  
To: "nanog list"  
Sent: Monday, August 14, 2023 2:07:14 AM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 



I've responded in bits and pieces to this thread and haven't done an excellent 
job expressing my overall opinion. This is probably because my initial goal was 
to point out that GPS-transmitted time is no less subject to being attacked 
than your garden variety NTP-transmitted time. Since this thread has evolved, 
I'd like to describe my overall position to be a bit clearer. 


To start, we need a somewhat simplified version of how UTC is created so I can 
refer to it later: 


Across the globe, approximately 85 research and standards institutions run a 
set of freestanding atomic clocks that contribute to UTC. The number of atomic 
clocks across all these institutions totals around 450. Each institution also 
produces a version of UTC based on its own set of atomic clocks. In the 
international timekeeping world, this is designated as UTC(Laboratory), where 
Laboratory is replaced with the abbreviation for the lab producing that version 
of UTC. So UTC(NIST) is the version that NIST produces at Boulder, Colorado, 
NICT produces UTC(NICT) in Tokyo, and so on. 


Because no clock is perfectly accurate, all of these versions of UTC drift in 
relation to each other, and you could have significant differences in time 
between different labs. As a result, there has to be a way to synchronize them. 
Each month, the standards organization BIPM collects relative time measurements 
and other statistics from each institution described above. This data is then 
used to determine the actual value of UTC. BIPM then produces a report 
detailing each organization's difference from the correct representation of 
UTC. Each institution uses this data to adjust its UTC representation, and the 
cycle repeats the next month. In this way, all of the representations of UTC 
end up being pretty close to each other. The document BIPM produces is titled 
"Circular T." The most recent version indicates that most of the significant 
standards institutions maintain a UTC version that differs by less than 10ns 
from the official version of UTC. 


Note that 10ns is far more accurate than we need for NTP, so most of the UTC 
representations can be considered identical as far as this discussion goes. 
Still, it is essential to realize that UTC(NIST) is generated separately from 
UTC(USNO) or other UTC implementations. For example, a UTC(NIST) failure should 
not cause UTC(USNO) to fail as they utilize separate hardware and systems. 


Each of these versions of UTC is also disseminated in various ways. UTC(NIST) 
goes out via the "WWV" radio stations, NTP, and other esoteric methods. GPS 
primarily distributes UTC(USNO), which is also available directly via NTP. 
UTC(SU) is the timescale for GLONASS. And so on. 


So, back to NTP and the accuracy required: 


Most end users (people running everyday web applications or streaming video or 
similar) don't need precisely synchronized time. The most sensitive application 
I'm aware of in this space is likely TOTP, which often needs time on the server 
and time on the client (or hardware key) within 90 seconds of each other. In 
addition, having NTP time fail usually isn't the end of the world for these 
users. The best way to synchronize their computers (including desktop and 
server systems) to UTC is to point their computer time synchronization service 
(whatever that is) at pool.ntp.org , time.windows.com , their ISP's time 
server, or similar. Or, with modern OS'es, you can leave the time configured to 
whatever server the OS manufacturer preconfigured. As an aside, one should note 
that historically windows ticked at 15ms or so, so trying to synchronize most 
windows closer than 15ms was futile. 


On the other hand, large ISPs or other service providers (including content 
providers) see real benefits to having systems synchronized to fractions of 
seconds of UTC. Comparing logs and traces becomes much easier when you know 
that something logged at 10:02:23.1 on one device came before something logged 
at 10:02:23.5 on another. Various server-to-server protocols and software 
implementations need time to be synchronized to sub-second intervals since they 
rely on timestamps to determine the latest copy of data, and so on. In 
addition, as an ISP, you'll often provide time services to downstream customers 
who demand more accuracy and reliability than is strictly necessary. 


As a result, one wants to ensure that all tim

Re: NTP Sync Issue Across Tata (Europe)

[James R Cutler]

> On Aug 14, 2023, at 3:07 AM, Forrest Christian (List Account) 
>  wrote:
> 
> I've responded in bits and pieces to this thread and haven't done an 
> excellent job expressing my overall opinion.   This is probably because my 
> initial goal was to point out that GPS-transmitted time is no less subject to 
> being attacked than your garden variety NTP-transmitted time. Since this 
> thread has evolved, I'd like to describe my overall position to be a bit 
> clearer.
> 

> 
> And finally, as a sort of a tl;dr; Summary:  Each operator needs to decide 
> how critical time is to their network and pick a solution that works for them 
> and fits the organization's budget.   Some operators might point everything 
> at pool.ntp.org  and not run their own servers.  Others 
> might run their own time lab and use that time to provide NTP time and 
> precision time and frequency via various methods.  Most will be somewhere in 
> between. But regardless of which you choose, please be aware that GPS isn't 
> 100% secure, and neither is NTP. If attack resilience matters to you, you 
> should think about all of the attack vectors and design something that is 
> robust enough to meet your use case.
> 
This has been an interesting thread. I consider Forrest Christian’s note to be 
most cogent. Much of the GPS vs Internet sourcing arguments can probably be 
found in NANOG archives from many years ago. The threat list is longer now, but 
the problem of providing Time Service is still the same.

Twenty-five or so years ago my design process for providing Network Time 
Service to a large company intranet started with the business requirements for 
time service. The Management practice of “Not in my cost center” was 
fundamental to NOT attempting GPS-based deployment. The internal enterprise 
network provided a set of geographically distributed Stratum 2 servers having 
carefully firewalled access to a similar set of Stratum 1 servers with Internet 
access. The Stratum 0 server set list included NIST, USNO, and other similar 
sources distributed globally.

The magic of Dr. Mills algorithm made truechimers of the intranet NTP server 
set which did serve well for the lifetime of the company.

-
James R. Cutler 

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

Replying to two posts at once...

One can definitely get inexpensive and high-quality rubidiums for dirt
cheap on the second-hand market.   I've specifically ignored those when
discussing price as options as one can never be sure about their accuracy
or long-term reliability, and I try to filter my suggestions on NANOG based
on what I'd want to put in my production network (putting on my ISP network
administrator hat for a second).  Many of those rubidiums have lived their
lives in the harsh environment of a cellular tower's equipment enclosure
and were pulled out after many years of service.

A brand-new rubidium oscillator is typically just under $2K  (A common
brand is $1695 as we speak).   This is just the oscillator.  To this you
have to add various support items such as power supplies and signal
conditioning and heatsinks and enclosure to end up with something
which will connect to some sort of NTP server.   Note that this doesn't
provide any way to actually phase-align that rubidium oscillator to UTC.
For that, you'd have to add more hardware.

Professionally, I keep looking for a supplier of lower cost rubidum
oscillators but have not found anything much cheaper than the SRS PRS10's
at the $1695 I mentioned above.

There are lots of ways to improve a GPS-based NTP server.  Better antenna
positioning.  Better GPS chipset.  Paying attention to antenna patterns.
 Adding notch filters to the GPS feed.  And so on.   Once you get the 1PPS
out of the GPS receiver you then can utilize the 1PPS signal to discipline
some sort of clock.  Maybe a TCXO for a day or so of NTP holdover.   Maybe
a rubidium for a year or more of holdover depending on the accuracy you
need.   You can add software to filter the GPS signal to limit the
likelihood of time injection attacks.  And on and on.It really comes
down to how much money you want to put into the "appliance" you're
building.   But, in the end, there is nothing better than adding a second
GPS source at a diverse location as far as improving reliability, provided
that's an option based on timing needs.

I can also attest that there is at least one overlap between time-nuts and
NANOG occupational hazard here.  From my desk I can reach out and touch
two rubidium oscillators, one is GPS synchronized and one is freerunning.
 There are a couple others unpowered in the box of spares in the other
room.   There are also at least 3-4 TCXO-based GPSDOs floating around
(including one I use for my reference source), and don't get me started on
the T equipment I have collected for comparing various time sources.   So
far I've avoided spending the mid-5 figures to get a decent cesium
oscillator.

On Mon, Aug 14, 2023 at 2:55 AM goemon--- via NANOG  wrote:

> On Mon, 14 Aug 2023, Masataka Ohta wrote:
> >  Mike Hammett wrote:
> >>   " As such, the ultimate (a little expensive) solution is to have
> >>   your own Rb clocks locally."
> >
> >>   Yeah, that's a reasonable course of action for most networks.
> >
> >  For most data centers with time sensitive transactions, at least.
> >
> >>   *sigh*
> >
> >https://en.wikipedia.org/wiki/Atomic_clock
> >Modern rubidium standard tubes last more than ten years,
> >and can cost as little as US$50.
> >
> >   https://www.ebay.com/sch/i.html?_nkw=rubidium
>
> From this discussion it seems there is very little overlap between nanog
> membership and time-nuts.
>
> Cheap Rb GPSDO are well known there. Even a bottom barrel OCXO GPSDO would
> provide significant protection against determined GPS attacker.
>
> -Dan
>


-- 
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

We're going to have to somewhat disagree here...

I may not have been 100% clear about what I see as the most common risks
for GPS.  The reason I suggest that NTP risks and GPS risks are similar is
not primarily due to intentional time injection hacks (although that is a
risk).   Instead, it's related to GPS failure modes, and the increased
commonality of GPS jamming causing those failures.   I will 100% concede
that NTP carries far more spoofing or intentional DoS risks.   But GPS is
far more likely to suffer a failure in the absence of a bad actor than NTP.

The reason for this is that the GPS signal is incredibly weak, and it's
incredibly easy to break GPS reception.   Good antenna placement and
antennas that try to reject terrestrial signals help but don't always
prevent the failures from happening.

Because GPS is used more and more to track objects and people, people who
don't want to be tracked are starting to buy and use jammers.  In addition,
it's becoming increasingly common for gamers to spoof their GPS location
(and, as a result, time) via GPS injection.  So the kid down the street
trying to cheat at pokemon go or the truck driver not wanting to get in
trouble for speeding may unintentionally cause your time server to quit
working correctly.  Not to mention the random piece of electronic gear
which malfunctions and spews noise across the GPS band.

So, yes, I will 100% agree with you that NTP carries more intentional
hacking risk.   But I'm going to argue that GPS carries a significantly
higher risk of a jamming-related failure.   Without good statistics, it's
hard to tell which is more prevalent.   I see a lot more GPS failures from
my viewpoint, but I also have to talk to customers who are having precision
timing issues due to GPS failures.

My intuitive feeling is that in the absence of bad actors, NTP is
significantly more reliable than GPS.   In the presence of remote bad
actors, I'll grant that NTP is 100% the loser here.  When everything is
working, GPS will provide better time.  Adding a holdover oscillator to GPS
does help in marginal situations, but doesn't resolve all of the GPS issues.

In those situations where time is not critical, either NTP or GPS is a good
solution, and it largely comes down to which you prefer.   I deal with way
too many antennas so I'd rather just harden a NTP server.   You might deal
with way too many hackers getting in your systems so you might prefer
relying on a GPS antenna.   Either way, most of the time you're going to
get decent time service.   We could go into a lot of details about how each
system can fail, but for non-time critical applications I'm not sure either
would come out a clear winner.  I know you believe GPS does, and I believe
that it isn't 100% clear which one is better for those "just want time that
works most of the time" applications.   We could argue all day about this
and we won't get anywhere beyond us disagreeing about this.

Once you get to more time-critical apps where actual budget is going to be
expended on ensuring reliable NTP services are available 24x7, then neither
a default configuration NTP server nor a single GPS receiver will provide
reliable time.   Selecting servers and hardening firewalls to limit the
likelihood of time injection can work wonders on NTP robustness.   GPS
works too if you provide enough GPS timing sources that multiple locations
would have to be jammed at once.   Providing a mix of these is even
better.  If I was to go GPS-only I'd probably try to ensure a minimum of 3
different GPS receivers at 3 different locations, with internal NTP servers
pulling from each of the GPS-connected NTP servers.   5 would even be
better.   An even more robust option would be to go with 5 GPS receivers
and 2 or 3 NTP-connected stratum 1 time sources.   In this last case, you
could spoof ALL of the NTP servers and the GPS would still be in control.
You could also have signal failures at 3 of the GPS sites and the NTP
connections would provide redundant time sources.   Only with GPS failures
at multiple sites AND NTP failures or spoofing happening at the same time
would one have an issue where the NTP servers could possibly fail to
receive correct time.


On Mon, Aug 14, 2023 at 2:00 AM Mel Beckman  wrote:

> Forrest,
>
> I think you’re gilding the lilly. My original recommendation was to use
> GPS as primary, for its superior accuracy and resistance to attack, and
> have anti-GPS back up.  If you want automatic fail over, do that in an
> intermediate server on your site that makes a conscious test and decision
> to fail over to Internet NTP.
>
> You’re mistaken to say that the vulnerability of GPS is remotely
> comparable  to the vulnerability of Internet-based NTP. To interfere with a
> GPS-derived clock, an attacker has to physically be present. That’s a huge
> expense — and risk — that hackers are really not interested in undertaking.
> They would much rather sit in Russia or China and attack NTP servers
> remotely 

Re: NTP Sync Issue Across Tata (Europe)

[goemon--- via NANOG]

On Mon, 14 Aug 2023, Masataka Ohta wrote:

 Mike Hammett wrote:

  " As such, the ultimate (a little expensive) solution is to have
  your own Rb clocks locally."



  Yeah, that's a reasonable course of action for most networks.


 For most data centers with time sensitive transactions, at least.


  *sigh*


   https://en.wikipedia.org/wiki/Atomic_clock
   Modern rubidium standard tubes last more than ten years,
   and can cost as little as US$50.

  https://www.ebay.com/sch/i.html?_nkw=rubidium


From this discussion it seems there is very little overlap between nanog 

membership and time-nuts.

Cheap Rb GPSDO are well known there. Even a bottom barrel OCXO GPSDO would 
provide significant protection against determined GPS attacker.


-Dan

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Forrest,

I think you’re gilding the lilly. My original recommendation was to use GPS as 
primary, for its superior accuracy and resistance to attack, and have anti-GPS 
back up.  If you want automatic fail over, do that in an intermediate server on 
your site that makes a conscious test and decision to fail over to Internet NTP.

You’re mistaken to say that the vulnerability of GPS is remotely comparable  to 
the vulnerability of Internet-based NTP. To interfere with a GPS-derived clock, 
an attacker has to physically be present. That’s a huge expense — and risk — 
that hackers are really not interested in undertaking. They would much rather 
sit in Russia or China and attack NTP servers remotely using any of the several 
attack methodologies I’ve cited previously.

So curate Internet NTP or not (personally, that seems like just another thing 
to monitor and maintain), but make GPS your primary time standard.  You’re much 
better off staying air-gapped from Internet NTP until you detect a GPS failure. 
 All the other machinations are pointless while GPS is working, because GPS 
gives you by far the best accuracy and security for the buck.  Like I said, 
spend $400 on a commercial GPS time server and timing problems are solved. Or 
use facility-provided GPS if you can’t get an antenna up.

 -mel

On Aug 14, 2023, at 12:10 AM, Forrest Christian (List Account) 
 wrote:


I've responded in bits and pieces to this thread and haven't done an excellent 
job expressing my overall opinion.   This is probably because my initial goal 
was to point out that GPS-transmitted time is no less subject to being attacked 
than your garden variety NTP-transmitted time. Since this thread has evolved, 
I'd like to describe my overall position to be a bit clearer.

To start, we need a somewhat simplified version of how UTC is created so I can 
refer to it later:

Across the globe, approximately 85 research and standards institutions run a 
set of freestanding atomic clocks that contribute to UTC.   The number of 
atomic clocks across all these institutions totals around 450.   Each 
institution also produces a version of UTC based on its own set of atomic 
clocks.  In the international timekeeping world, this is designated as 
UTC(Laboratory), where Laboratory is replaced with the abbreviation for the lab 
producing that version of UTC.   So UTC(NIST) is the version that NIST produces 
at Boulder, Colorado, NICT produces UTC(NICT) in Tokyo, and so on.

Because no clock is perfectly accurate, all of these versions of UTC drift in 
relation to each other, and you could have significant differences in time 
between different labs.   As a result, there has to be a way to synchronize 
them.  Each month, the standards organization BIPM collects relative time 
measurements and other statistics from each institution described above.  This 
data is then used to determine the actual value of UTC. BIPM then produces a 
report detailing each organization's difference from the correct representation 
of UTC.   Each institution uses this data to adjust its UTC representation, and 
the cycle repeats the next month. In this way, all of the representations of 
UTC end up being pretty close to each other.   The document BIPM produces is 
titled "Circular T."  The most recent version indicates that most of the 
significant standards institutions maintain a UTC version that differs by less 
than 10ns from the official version of UTC.

Note that 10ns is far more accurate than we need for NTP, so most of the UTC 
representations can be considered identical as far as this discussion goes. 
Still, it is essential to realize that UTC(NIST) is generated separately from 
UTC(USNO) or other UTC implementations.  For example, a UTC(NIST) failure 
should not cause UTC(USNO) to fail as they utilize separate hardware and 
systems.

Each of these versions of UTC is also disseminated in various ways.  UTC(NIST) 
goes out via the "WWV" radio stations, NTP, and other esoteric methods.   GPS 
primarily distributes UTC(USNO), which is also available directly via NTP.  
UTC(SU) is the timescale for GLONASS.  And so on.

So, back to NTP and the accuracy required:

Most end users (people running everyday web applications or streaming video or 
similar) don't need precisely synchronized time.   The most sensitive 
application I'm aware of in this space is likely TOTP, which often needs time 
on the server and time on the client (or hardware key) within 90 seconds of 
each other.   In addition, having NTP time fail usually isn't the end of the 
world for these users.  The best way to synchronize their computers (including 
desktop and server systems) to UTC is to point their computer time 
synchronization service (whatever that is) at 
pool.ntp.org, time.windows.com, 
their ISP's time server, or similar.  Or, with modern OS'es, you can leave the 
time configured to whatever server the OS manufacturer preconfigured.   As an 

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Mike Hammett wrote:


" As such, the ultimate (a little expensive) solution is to have
your own Rb clocks locally."



Yeah, that's a reasonable course of action for most networks.


For most data centers with time sensitive transactions, at least.


*sigh*


https://en.wikipedia.org/wiki/Atomic_clock
Modern rubidium standard tubes last more than ten years,
and can cost as little as US$50.

https://www.ebay.com/sch/i.html?_nkw=rubidium

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

I've responded in bits and pieces to this thread and haven't done an
excellent job expressing my overall opinion.   This is probably because my
initial goal was to point out that GPS-transmitted time is no less subject
to being attacked than your garden variety NTP-transmitted time. Since this
thread has evolved, I'd like to describe my overall position to be a bit
clearer.

To start, we need a somewhat simplified version of how UTC is created so I
can refer to it later:

Across the globe, approximately 85 research and standards institutions run
a set of freestanding atomic clocks that contribute to UTC.   The number of
atomic clocks across all these institutions totals around 450.   Each
institution also produces a version of UTC based on its own set of
atomic clocks.  In the international timekeeping world, this is designated
as UTC(Laboratory), where Laboratory is replaced with the abbreviation for
the lab producing that version of UTC.   So UTC(NIST) is the version that
NIST produces at Boulder, Colorado, NICT produces UTC(NICT) in Tokyo, and
so on.

Because no clock is perfectly accurate, all of these versions of UTC drift
in relation to each other, and you could have significant differences in
time between different labs.   As a result, there has to be a way to
synchronize them.  Each month, the standards organization BIPM collects
relative time measurements and other statistics from each
institution described above.  This data is then used to determine the
actual value of UTC. BIPM then produces a report detailing each
organization's difference from the correct representation of UTC.   Each
institution uses this data to adjust its UTC representation, and the cycle
repeats the next month. In this way, all of the representations of UTC end
up being pretty close to each other.   The document BIPM produces is titled
"Circular T."  The most recent version indicates that most of the
significant standards institutions maintain a UTC version that differs by
less than 10ns from the official version of UTC.

Note that 10ns is far more accurate than we need for NTP, so most of the
UTC representations can be considered identical as far as this discussion
goes. Still, it is essential to realize that UTC(NIST) is generated
separately from UTC(USNO) or other UTC implementations.  For example, a
UTC(NIST) failure should not cause UTC(USNO) to fail as they utilize
separate hardware and systems.

Each of these versions of UTC is also disseminated in various ways.
UTC(NIST) goes out via the "WWV" radio stations, NTP, and other esoteric
methods.   GPS primarily distributes UTC(USNO), which is also available
directly via NTP.  UTC(SU) is the timescale for GLONASS.  And so on.

So, back to NTP and the accuracy required:

Most end users (people running everyday web applications or streaming video
or similar) don't need precisely synchronized time.   The most sensitive
application I'm aware of in this space is likely TOTP, which often needs
time on the server and time on the client (or hardware key) within 90
seconds of each other.   In addition, having NTP time fail usually isn't
the end of the world for these users.  The best way to synchronize their
computers (including desktop and server systems) to UTC is to point their
computer time synchronization service (whatever that is) at pool.ntp.org,
time.windows.com, their ISP's time server, or similar.  Or, with
modern OS'es, you can leave the time configured to whatever server the OS
manufacturer preconfigured.   As an aside, one should note that
historically windows ticked at 15ms or so, so trying to synchronize most
windows closer than 15ms was futile.

On the other hand, large ISPs or other service providers (including content
providers) see real benefits to having systems synchronized to fractions of
seconds of UTC.   Comparing logs and traces becomes much easier when you
know that something logged at 10:02:23.1 on one device came before
something logged at 10:02:23.5 on another.   Various server-to-server
protocols and software implementations need time to be synchronized to
sub-second intervals since they rely on timestamps to determine the latest
copy of data, and so on.   In addition, as an ISP, you'll often provide
time services to downstream customers who demand more accuracy and
reliability than is strictly necessary.

As a result, one wants to ensure that all time servers are synchronized
within some reasonable standard of accuracy.   Within 100ms is acceptable
for most applications but a goal of under 50ms is better.   If you have
local GPS receivers, times down to around 1ms is achievable with careful
design.  Beyond that, you're chasing unnecessary accuracy.  Note that loss
of precision is somewhat cumulative here - running a time server
synchronized to within 100ms will ensure that no client can be synchronized
to better than within 100ms from that server.   Generally, you'll want your
time server to be synchronized much better than needed to avoid the 

Re: NTP Sync Issue Across Tata (Europe)

[Mike Hammett]

" As such, the ultimate (a little expensive) solution is to have 
your own Rb clocks locally." 


Yeah, that's a reasonable course of action for most networks. *sigh* 



- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Masataka Ohta"  
To: nanog@nanog.org 
Sent: Friday, August 11, 2023 4:33:20 AM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

Forrest Christian (List Account) wrote: 

> The recommendation tends to be the following: 
> 
> 1) Run your GPS-derived NTP appliances, but DO NOT point end-user 
> clients at it. 2) Run a set of internal NTPd servers, and configure 
> them to pull time from all of your GPS-derived NTP servers, AND 
> trusted public NTP servers 3) Point your clients at the internal NTPd 
> servers. 

That is not a very good recommendation. See below. 

> At some point, using publicly available NTP sources is redundant 
> unless one wants to mitigate away the risks behind failure of the GPS 
> system itself. 

Your assumption that public NTP servers were not GPS-derived NTP 
servers is just wrong. 

> What I'm advocating against is the seemingly common practice to go 
> buy an off-the-shelf lower-cost GPS-NTP appliance (under $1K or so), 
> stick an antenna in a window or maybe on the rooftop, and point all 
> your devices at that device. 

Relying on a local expensive GPS appliance does not improve 
security so much and is the worst thing to do. 

But, additionally relying on remote servers (including those 
provided by NIST) is subject to DOS attacks. 

As such, the ultimate (a little expensive) solution is to have 
your own Rb clocks locally. 

Masataka Ohta 

Re: NTP Sync Issue Across Tata (Europe)

[Jay R. Ashworth]

Gotcha.  The Bad Guys are smarter than me.  :-)

Cheers,
-- jra

- Original Message -
> From: "Forrest Christian (List Account)" 
> To: "jra" 
> Cc: "nanog list" 
> Sent: Sunday, August 13, 2023 8:06:30 PM
> Subject: Re: NTP Sync Issue Across Tata (Europe)

> If I'm spoofing time, I'm going to produce an entire constellation of
> satellites.   That is, I'm going to provide a signal which looks like all
> of the satellites in view providing their timing signals on whatever time I
> want your GPS receiver to think it is.   All I have to do is ensure that
> your receiver receives my signal loud enough that it thinks the real
> satellites are noise, and my signal is the real one.
> 
> This isn't that hard to accomplish, especially since there are youtube
> videos showing you how.
> 
> On Sun, Aug 13, 2023 at 6:03 PM Jay R. Ashworth  wrote:
> 
>> - Original Message -
>> > From: "Forrest Christian (List Account)" 
>>
>> > Let me address your points:
>> [ ... ]
>> > Let's assume you have a typical GPS-derived NTP server using a typical
>> > commercially available timing GNSS module.  To convince that receiver
>> that
>> > it was a different time, I'd need to have an SDR that would operate in
>> the
>> > GPS band.  These are widely available for under $500.  You'd also need a
>> > laptop and a download of a GPS simulator from GitLab.   With a total
>> > investment of $500 (assuming I already have a laptop), I now have a
>> system
>> > that can generate a GPS signal to convince your GPS receiver that it's
>> any
>> > time at all.  If you're a tech neophyte, there are youtube videos on how
>> to
>> > do this.
>> >
>> > All I need to do now is add appropriate antennas and/or amplifiers to
>> > overcome the official GNSS signals.   As you pointed out, depending on
>> the
>> > location and directivity of your antenna, this is either trivial or
>> becomes
>> > slightly more difficult.   If I can see your antenna, it becomes a lot
>> > cheaper as I just need a relatively low-powered amplifier and a highly
>> > directional antenna.   If I can't see your antenna, I would opt for a
>> > higher-power amplifier and a less directional transmit antenna to
>> blanket a
>> > wide area with the spoofed signal.
>>
>> If I'm trying to get time out of a NAVSTAR (yes, I know, shut up) receiver,
>> it can see like 8-20 birds, right?  Is there not some voting and such
>> inside
>> such a receiver?  Just letting it see one 'bird' with spoofed time doesn't
>> seem like it ought to work, to me; what don't I know?
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth  Baylink
>> j...@baylink.com
>> Designer The Things I Think   RFC
>> 2100
>> Ashworth & Associates   http://www.bcp38.info  2000 Land
>> Rover DII
>> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
>> 1274
>>
> 
> 
> --
> - Forrest

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

If I'm spoofing time, I'm going to produce an entire constellation of
satellites.   That is, I'm going to provide a signal which looks like all
of the satellites in view providing their timing signals on whatever time I
want your GPS receiver to think it is.   All I have to do is ensure that
your receiver receives my signal loud enough that it thinks the real
satellites are noise, and my signal is the real one.

This isn't that hard to accomplish, especially since there are youtube
videos showing you how.

On Sun, Aug 13, 2023 at 6:03 PM Jay R. Ashworth  wrote:

> - Original Message -
> > From: "Forrest Christian (List Account)" 
>
> > Let me address your points:
> [ ... ]
> > Let's assume you have a typical GPS-derived NTP server using a typical
> > commercially available timing GNSS module.  To convince that receiver
> that
> > it was a different time, I'd need to have an SDR that would operate in
> the
> > GPS band.  These are widely available for under $500.  You'd also need a
> > laptop and a download of a GPS simulator from GitLab.   With a total
> > investment of $500 (assuming I already have a laptop), I now have a
> system
> > that can generate a GPS signal to convince your GPS receiver that it's
> any
> > time at all.  If you're a tech neophyte, there are youtube videos on how
> to
> > do this.
> >
> > All I need to do now is add appropriate antennas and/or amplifiers to
> > overcome the official GNSS signals.   As you pointed out, depending on
> the
> > location and directivity of your antenna, this is either trivial or
> becomes
> > slightly more difficult.   If I can see your antenna, it becomes a lot
> > cheaper as I just need a relatively low-powered amplifier and a highly
> > directional antenna.   If I can't see your antenna, I would opt for a
> > higher-power amplifier and a less directional transmit antenna to
> blanket a
> > wide area with the spoofed signal.
>
> If I'm trying to get time out of a NAVSTAR (yes, I know, shut up) receiver,
> it can see like 8-20 birds, right?  Is there not some voting and such
> inside
> such a receiver?  Just letting it see one 'bird' with spoofed time doesn't
> seem like it ought to work, to me; what don't I know?
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink
> j...@baylink.com
> Designer The Things I Think   RFC
> 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land
> Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
> 1274
>


-- 
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Jay R. Ashworth]

- Original Message -
> From: "Forrest Christian (List Account)" 

> Let me address your points:
[ ... ] 
> Let's assume you have a typical GPS-derived NTP server using a typical
> commercially available timing GNSS module.  To convince that receiver that
> it was a different time, I'd need to have an SDR that would operate in the
> GPS band.  These are widely available for under $500.  You'd also need a
> laptop and a download of a GPS simulator from GitLab.   With a total
> investment of $500 (assuming I already have a laptop), I now have a system
> that can generate a GPS signal to convince your GPS receiver that it's any
> time at all.  If you're a tech neophyte, there are youtube videos on how to
> do this.
> 
> All I need to do now is add appropriate antennas and/or amplifiers to
> overcome the official GNSS signals.   As you pointed out, depending on the
> location and directivity of your antenna, this is either trivial or becomes
> slightly more difficult.   If I can see your antenna, it becomes a lot
> cheaper as I just need a relatively low-powered amplifier and a highly
> directional antenna.   If I can't see your antenna, I would opt for a
> higher-power amplifier and a less directional transmit antenna to blanket a
> wide area with the spoofed signal.

If I'm trying to get time out of a NAVSTAR (yes, I know, shut up) receiver,
it can see like 8-20 birds, right?  Is there not some voting and such inside
such a receiver?  Just letting it see one 'bird' with spoofed time doesn't 
seem like it ought to work, to me; what don't I know?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: NTP Sync Issue Across Tata (Europe)

[Jay R. Ashworth]

- Original Message -
> From: "John Gilmore" 

> Am I confused?  Getting the time over a multi-gigabit Internet from a
> national time standard agency such as NIST (or your local country's
> equivalent) should produce far better accuracy and stability than
> relying on locally received GPS signals.  GPS uses very weak radio
> signals which are regularly spoofed by all sorts of bad actors:
> 
>  https://www.gps.gov/spectrum/jamming/
> 
> for all sorts of reasons (like misleading drone navigation):
> 
>  https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident
> 
> Depending on satnav systems creates a large single point of failure for
> worldwide civilian infrastructure.
> 
> Jamming GPS with subtly fake time data near big data centers seems like
> an easy move that would cause all sorts of distributed algorithms to
> start failing in unusual ways.  And in a more serious wartime attack,
> many or most GPS satellites themselves would be destroyed or disabled.

Maybe I'm getting too old, but it seems to me like the time when Internet
systems design engineers did *not* need to design like a nation-state actor
might affect their systems by combat attack... ended a couple decades ago.

And if your bean-counters tell you it's not cost-effective to make it that 
tight, maybe it's time to change jobs?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

John Gilmore wrote:


Subsequent conversation has shown that you are both right here.

Yes, many public NTP servers ARE using GPS-derived time.
Yes, some public NTP servers ARE NOT using GPS-derived time.


The point is whether

: 2) Run a set of internal NTPd servers, and configure them to pull
: time from all of your GPS-derived NTP servers, AND trusted public
: NTP servers

is a proper recommendation against total GPS failure or not.


At one point I proposed that some big NTP server pools be segregated by
names, to distinguish between GPS-derived time and national-standard
derived time.  For example, two domain names could be e.g.:

   fromnist.pool.tick.tock
   fromgps.pool.tick.tock


A problem is that a public NTP server, which is not necessarily
stratum 1, may depends on both.

Another problem is that domain name management is not so
trustworthy. An NTP server once relying on NIST may now
relying on GPS but an administrator of the server may not
change its domain name.

"trusted public NTP servers" is not a trustworthy or
verifiable concept.


PS: When we say "GPS", do we really mean any GNSS (global navigation
satellite system)?  There are now four such systems that have global
coverage, plus regionals.  While they attempt to coordinate their
time-bases and reference-frames, they are using different hardware and
systems, and are under different administration, so there are some
differences in the clock values returned by each GNSS.  These
differences and discontinuties have ranged up to 100ns in normal
operation, and higher amounts in the past.  See:


Because of the relativity, 100ns of time difference between
locations more than 30m apart can not be a problem for correct
transaction processing or ordering of events.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[John Gilmore]

Forrest Christian (List Account)  wrote:
> > > At some point, using publicly available NTP sources is redundant
> > > unless one wants to mitigate away the risks behind failure of the GPS
> > > system itself.

On Fri, Aug 11, 2023, 3:33 AM Masataka Ohta wrote:
> > Your assumption that public NTP servers were not GPS-derived NTP
> > servers is just wrong.

Subsequent conversation has shown that you are both right here.

Yes, many public NTP servers ARE using GPS-derived time.
Yes, some public NTP servers ARE NOT using GPS-derived time.

Up to this point, popular public NTP pools have not made these
distinctions readily configurable, though.

For sites that need to run even during a war, or a similar situation
that is likely to disrupt or distort GPS, they might like to have access
to NTP servers that are completely independent from GPS.

At one point I proposed that some big NTP server pools be segregated by
names, to distinguish between GPS-derived time and national-standard
derived time.  For example, two domain names could be e.g.:

  fromnist.pool.tick.tock
  fromgps.pool.tick.tock

If you wanted particular redundancy, say because you have a local GPS
clock and you want a non-GPS check on that, you'd use
fromnist.pool.tick.tock (or fromnict.pool.tick.tock for the Japanese
timebase, etc).

(If you were agnostic about where your times comes from, you would just
use a generic domain name like vendorname.pool.tick.tock.)

An automated tool could periodically trace that the stratum 0 source
currently being used by each node in each of the pools is actually the
same as advertised in its domain name.  Alerting any difference to the
relevant system administrators would allow those clocks to continue
running with a backup timebase, while making it more likely that some
human would work to restore their access to the correct stratum 0
source.

So far this is just an idea.

John

PS: When we say "GPS", do we really mean any GNSS (global navigation
satellite system)?  There are now four such systems that have global
coverage, plus regionals.  While they attempt to coordinate their
time-bases and reference-frames, they are using different hardware and
systems, and are under different administration, so there are some
differences in the clock values returned by each GNSS.  These
differences and discontinuties have ranged up to 100ns in normal
operation, and higher amounts in the past.  See:

  Nicolini, Luca; Caporali, Alessandro (9 January 2018). "Investigation
  on Reference Frames and Time Systems in Multi-GNSS". Remote
  Sensing. 10 (2): 80. doi:10.3390/rs10010080.
  https://www.mdpi.com/2072-4292/10/1/80

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Forrest Christian (List Account) wrote:


The NIST time servers do NOT get their time from GPS.


No, of course. I know it very well.

However, as I wrote:

> But, additionally relying on remote servers (including those
> provided by NIST) is subject to DOS attacks.

the (mostly wired) Internet is just as secure/insecure as
wireless GPS, over which NIST servers can not be reliably
accessed.

Just as many people who only know wired Internet blindly
think wireless channels are secure, you can not recognize
various attack modes for the mostly wired internet.


These are physical realizations of UTC...  that is,  a phase-aligned 1PPS
pulse and a high precision clock signal.   These realizations are used to
directly drive the NIST NTP servers at each location.   GPS is not
involved.


UTC??? You are totally wrong.

Just as many other people, you are purposelessly seeking
meaningless accuracy assuming inertial frame of UTC,
which is *NOT* required for correct transactions

Because of relativity, we can assume *ANY* inertial frame
for simultaneity, which means simultaneity requirement is
not so strong.

Moreover, information cone allows even less simultaneity
for correct transactions.


These two timescales are within a few ns
of each other, also verified with GNSS common view technology, so one can
consider them the same for most purposes.


You don't understand simultaneity of theory of relativity at all.

10ns of time difference can not be physically or logically meaningful
between locations with 3m distance.


Note that a similar process is used to derive UTC(NICT) in Japan.


Depending on inertial system, time in US and JP can be different
a lot more than 1ms, which means timing error between mainland
US and Japan can be a lot more than 1ms.


As far as a rubidium clock goes, I'd much rather see it disciplined
regularly to a GPS time source, but that comes from the fact that I like my
1PPS to be within a microsecond or so of UTC due to the precision I need in
the lab.


As I already wrote:

: For millisecond accuracy, Rb clocks do not need any synchronization
: for centuries.
: Rb clocks on GPS are a lot more frequently synchronized, because
: a lot more accuracy is required for positioning (10ns of timing
: error means 3m of positioning error).

you didn't understand the required accuracy for the Internet operators,
which is your problem.


Note that some of the high end appliances I'm referring to just use GPS
over days and weeks to discipline a precision oscillator (sometimes
rubidium) which is essentially an automatic calibrating version of what
you're proposing.


That has nothing to do with the a lot more broad required accuracy
required by the theory of special relativity for proper causality.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

The NIST time servers do NOT get their time from GPS.

NIST, like several government standards agencies and other research labs
around the globe, run an ensemble of high precision atomic clocks.  In the
case of NIST, they use the ensemble to produce the timescale UTC(NIST) at
their Boulder,  Colorado campus.

In addition,  they produce secondary copies of the timescale at Fort
Collins and Maryland.   The time transfer from Boulder to these locations
use various techniques,  but not traditional "get your time from GPS"
methods.   The closest they come is that the Maryland location uses GNSS
common view time transfer where the phase difference between the UTC(NIST)
realization at each site is measured against the signal from a single GPS
satellite that both sites can see in the sky at the same time.  The GPS
signal is only used as a reference... think start button on a stopwatch.
If both sides have the same delay from a specific feature in the GPS signal
then you can be sure they are synchronized with each other.  This is also
just a measurement, and a scientist makes the decision about whether the
timescale needs to be adjusted to be kept within specs.

These are physical realizations of UTC...  that is,  a phase-aligned 1PPS
pulse and a high precision clock signal.   These realizations are used to
directly drive the NIST NTP servers at each location.   GPS is not
involved.

Note that this realization of UTC is different than what you get from GPS.
GPS gets its time from the naval observatory which has it's own ensemble of
clocks which produce UTC(USNO).  These two timescales are within a few ns
of each other, also verified with GNSS common view technology, so one can
consider them the same for most purposes.

Note that a similar process is used to derive UTC(NICT) in Japan.  Pointing
a NTP server at ntp.nict.jp would result in receiving time that was
produced independently by NICT, and was not transmitted by GPS.

There are various simplifications I've made to the above description so
there are a few places the description leaves out intermediate steps.

As far as a rubidium clock goes, I'd much rather see it disciplined
regularly to a GPS time source, but that comes from the fact that I like my
1PPS to be within a microsecond or so of UTC due to the precision I need in
the lab.  If I let either of my lab rubidiums free run for more than a few
days,  I'm typically off UTC by more than that amount.But that level of
accuracy isn't typically needed for computer time so I will concede that
you could get away with freerunning for an extended period.   Not hundreds
of years on a rubidium.   But a while.   Assuming the original calibration
was done correctly.

Note that some of the high end appliances I'm referring to just use GPS
over days and weeks to discipline a precision oscillator (sometimes
rubidium) which is essentially an automatic calibrating version of what
you're proposing.


On Fri, Aug 11, 2023, 3:33 AM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:

> Forrest Christian (List Account) wrote:
>
> > The recommendation tends to be the following:
> >
> > 1) Run your GPS-derived NTP appliances, but DO NOT point end-user
> > clients at it. 2) Run a set of internal NTPd servers, and configure
> > them to pull time from all of your GPS-derived NTP servers, AND
> > trusted public NTP servers 3) Point your clients at the internal NTPd
> > servers.
>
> That is not a very good recommendation. See below.
>
> > At some point, using publicly available NTP sources is redundant
> > unless one wants to mitigate away the risks behind failure of the GPS
> > system itself.
>
> Your assumption that public NTP servers were not GPS-derived NTP
> servers is just wrong.
>
> > What I'm advocating against is the seemingly common practice to go
> > buy an off-the-shelf lower-cost GPS-NTP appliance (under $1K or so),
> > stick an antenna in a window or maybe on the rooftop, and point all
> > your devices at that device.
>
> Relying on a local expensive GPS appliance does not improve
> security so much and is the worst thing to do.
>
> But, additionally relying on remote servers (including those
> provided by NIST) is subject to DOS attacks.
>
> As such, the ultimate (a little expensive) solution is to have
> your own Rb clocks locally.
>
> Masataka Ohta
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Forrest Christian (List Account) wrote:


The recommendation tends to be the following:

1) Run your GPS-derived NTP appliances, but DO NOT point end-user
clients at it. 2) Run a set of internal NTPd servers, and configure
them to pull time from all of your GPS-derived NTP servers, AND
trusted public NTP servers 3) Point your clients at the internal NTPd
servers.


That is not a very good recommendation. See below.


At some point, using publicly available NTP sources is redundant
unless one wants to mitigate away the risks behind failure of the GPS
system itself.


Your assumption that public NTP servers were not GPS-derived NTP
servers is just wrong.


What I'm advocating against is the seemingly common practice to go
buy an off-the-shelf lower-cost GPS-NTP appliance (under $1K or so),
stick an antenna in a window or maybe on the rooftop, and point all
your devices at that device.


Relying on a local expensive GPS appliance does not improve
security so much and is the worst thing to do.

But, additionally relying on remote servers (including those
provided by NIST) is subject to DOS attacks.

As such, the ultimate (a little expensive) solution is to have
your own Rb clocks locally.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

The recommendation tends to be the following:

1) Run your GPS-derived NTP appliances, but DO NOT point end-user clients
at it.
2) Run a set of internal NTPd servers, and configure them to pull time from
all of your GPS-derived NTP servers, AND trusted public NTP servers
3) Point your clients at the internal NTPd servers.

Note that it's not entirely unreasonable to go out and buy numerous GPS
appliances, deploy them at multiple locations, and point your NTPd servers
at those.   With enough sites, your NTPd server will skip over any
defective NTP appliance.At some point, using publicly available NTP
sources is redundant unless one wants to mitigate away the risks behind
failure of the GPS system itself.

What I'm advocating against is the seemingly common practice to go buy an
off-the-shelf lower-cost GPS-NTP appliance (under $1K or so), stick an
antenna in a window or maybe on the rooftop, and point all your devices at
that device.This is asking for a failure for reasons I've covered
previously.   Robust time needs multiple time sources in order to mitigate
against any one source being spoofed or jammed.   The more time sources you
incorporate into your solution, the less likely it is that any one of them
going haywire would cause a timing failure.

On Wed, Aug 9, 2023 at 6:12 PM Mel Beckman  wrote:

> Seth,
>
> My point exactly. Use GPS as primary, and have anti-PS back up, and if you
> want automatic fail over, do that in an intermediate server on your site
> that makes a conscious test and decision to fail over to regular NTP
>
> -mel via cell
>
> > On Aug 9, 2023, at 5:01 PM, Seth Mattinen via NANOG 
> wrote:
> >
> > On 8/9/23 3:25 PM, Forrest Christian (List Account) wrote:
> >> Note that NIST operates a pool of 24 time servers for public use.
> These are spread across four different locations in two different states.
> My understanding is that they all get their time directly from the official
> NIST clocks without GPS or NTP being involved.
> >
> > I used to jump through all the hoops for that but honestly I like the
> appliances better (they are also PTP grandmaster clocks). I can always
> disable the GPS inputs if any of the doom and gloom actually comes to pass.
> >
> > ~Seth
>


-- 
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

ll the extant spoofing only
> tampers with the ephemeris (satellite position) data, not the timing
> stream. That's because hackers have been aiming at navigation, and may not
> have expressed interest in GPS tampering when NTP tampering is so easy 
>
> To spoof GPS clocks, a hacker has to know where the antennas are, and get
> above them in order to inject a signal with the right directionality.
> Commercial GPS clock vendors have implemented various anti-spoofing
> measures that, for example, only accept signals from a certain cone of
> visibility, which faces up. They have other measures too, some of which
> exploit geographic diversity, so if  you can have two or more GPS clocks in
> different hub sites, the clocks will reject spoofing signals.
>
> This seems like a much easier defense than deploying secure NTP (NTS),
> which adds a huge amount of complexity. At least one researcher has shown
> that poluting the existing public NTP pool with enough bogus servers to
> seriously impact network time is trivial (I cited their paper in an earlier
> post on this thread).  A well funded state actor could be laying the
> framework for such an attack as we speak, lying in wait until an
> opportunity to disrupt Internet NTP globally.
>
>-mel
> --
> *From:* NANOG  on behalf of Jay
> Hennigan 
> *Sent:* Wednesday, August 9, 2023 10:58 AM
> *To:* nanog@nanog.org 
> *Subject:* Re: NTP Sync Issue Across Tata (Europe)
>
> On 8/9/23 09:29, Seth Mattinen via NANOG wrote:
>
> > I liked having a WWVB receiver in my mix, but all the hardware
> > appliances (at least those offering OCXO or Rubidium oscillator options)
> > seem to have rejected it in favor of GPS only. I can only conclude that
> > either vendors think options like WWVB are a dead end or there's no
> > demand for GPS alternatives.
>
> Both GPS and WWVB are over-the-air. There has been concern expressed of
> a bad actor spoofing or jamming GPS. Comparatively speaking, jamming or
> spoofing WWVB is a trivial joke.
>
> --
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Seth,

My point exactly. Use GPS as primary, and have anti-PS back up, and if you want 
automatic fail over, do that in an intermediate server on your site that makes 
a conscious test and decision to fail over to regular NTP

-mel via cell

> On Aug 9, 2023, at 5:01 PM, Seth Mattinen via NANOG  wrote:
> 
> On 8/9/23 3:25 PM, Forrest Christian (List Account) wrote:
>> Note that NIST operates a pool of 24 time servers for public use.These 
>> are spread across four different locations in two different states.  My 
>> understanding is that they all get their time directly from the official 
>> NIST clocks without GPS or NTP being involved.
> 
> I used to jump through all the hoops for that but honestly I like the 
> appliances better (they are also PTP grandmaster clocks). I can always 
> disable the GPS inputs if any of the doom and gloom actually comes to pass.
> 
> ~Seth

Re: NTP Sync Issue Across Tata (Europe)

[Seth Mattinen via NANOG]

On 8/9/23 3:25 PM, Forrest Christian (List Account) wrote:
Note that NIST operates a pool of 24 time servers for public use.  
  These are spread across four different locations in two different 
states.  My understanding is that they all get their time directly from 
the official NIST clocks without GPS or NTP being involved.




I used to jump through all the hoops for that but honestly I like the 
appliances better (they are also PTP grandmaster clocks). I can always 
disable the GPS inputs if any of the doom and gloom actually comes to pass.


~Seth

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

Note that NIST operates a pool of 24 time servers for public use.   These
are spread across four different locations in two different states.  My
understanding is that they all get their time directly from the official
NIST clocks without GPS or NTP being involved.

You can also request a symmetrical key,  exchanged via paper mail,  for
four of them if you would like to run ntp encryption.

See https://tf.nist.gov/tf-cgi/servers.cgi

You could also add official servers operated by the time labs of other
countries.   A list of many of them are at the end of the pdf at
https://webtai.bipm.org/ftp/pub/tai/annual-reports/bipm-annual-report/TIMESERVICES/timeservices.pdf
 .


On Wed, Aug 9, 2023, 10:30 AM Seth Mattinen via NANOG 
wrote:

> On 8/9/23 2:39 AM, Forrest Christian (List Account) wrote:
> > When GPS is working, time transmission with accuracies of under 1
> > microsecond is common.   This is especially true if the GPS integrates
> > some sort of disciplined oscillator.  Note that this is in excess of
> > what NTPd running on a typical OS can reliably retransmit.
> >
> > BUT..  if I was to choose only one protocol, it would be NTP, not GPS,
> > because of all of the reasons you mention.
> >
> > I find it distressing that sites are relying on GPS only.  I suspect
> > that this a failure to assign proper risk to using GPS.  It's
> > particularly odd when one considers that adding NTP time sources are
> > essentially free and improve robustness and reliability greatly.
> >
>
>
> I liked having a WWVB receiver in my mix, but all the hardware
> appliances (at least those offering OCXO or Rubidium oscillator options)
> seem to have rejected it in favor of GPS only. I can only conclude that
> either vendors think options like WWVB are a dead end or there's no
> demand for GPS alternatives.
>
> Products like the BlueSky GNSS Firewall exist, but not something I've
> thought was as necessary expenditure for my needs (yet). Mouser lists it
> at just under $10k.
>
> Personally I'm just not that comfortable using random unknown platform
> and unknown installation conditions time server pools over the big-I
> internet. I would possibly consider NTP servers operated by entities I
> have peering with.
>
> ~Seth
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

While GPS spoofing is technically possible, all the extant spoofing only 
tampers with the ephemeris (satellite position) data, not the timing stream. 
That's because hackers have been aiming at navigation, and may not have 
expressed interest in GPS tampering when NTP tampering is so easy 

To spoof GPS clocks, a hacker has to know where the antennas are, and get above 
them in order to inject a signal with the right directionality. Commercial GPS 
clock vendors have implemented various anti-spoofing measures that, for 
example, only accept signals from a certain cone of visibility, which faces up. 
They have other measures too, some of which exploit geographic diversity, so if 
 you can have two or more GPS clocks in different hub sites, the clocks will 
reject spoofing signals.

This seems like a much easier defense than deploying secure NTP (NTS), which 
adds a huge amount of complexity. At least one researcher has shown that 
poluting the existing public NTP pool with enough bogus servers to seriously 
impact network time is trivial (I cited their paper in an earlier post on this 
thread).  A well funded state actor could be laying the framework for such an 
attack as we speak, lying in wait until an opportunity to disrupt Internet NTP 
globally.

   -mel

From: NANOG  on behalf of Jay Hennigan 

Sent: Wednesday, August 9, 2023 10:58 AM
To: nanog@nanog.org 
Subject: Re: NTP Sync Issue Across Tata (Europe)

On 8/9/23 09:29, Seth Mattinen via NANOG wrote:

> I liked having a WWVB receiver in my mix, but all the hardware
> appliances (at least those offering OCXO or Rubidium oscillator options)
> seem to have rejected it in favor of GPS only. I can only conclude that
> either vendors think options like WWVB are a dead end or there's no
> demand for GPS alternatives.

Both GPS and WWVB are over-the-air. There has been concern expressed of
a bad actor spoofing or jamming GPS. Comparatively speaking, jamming or
spoofing WWVB is a trivial joke.

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

Re: NTP Sync Issue Across Tata (Europe)

[Chris Adams]

Once upon a time, Jay Hennigan  said:
> Both GPS and WWVB are over-the-air. There has been concern expressed
> of a bad actor spoofing or jamming GPS. Comparatively speaking,
> jamming or spoofing WWVB is a trivial joke.

WWVB is not generally useful for precision timing applications, due to
the distance and wave reflections.  Also, from a security point of view,
I have read that it is legal to have your own low-power transmitter on
the WWVB frequency, and there are instructions for doing it with a Pi,
so it would be very cheap and easy to mess with somebody's WWVB signal.
-- 
Chris Adams 

Re: NTP Sync Issue Across Tata (Europe)

[Jay Hennigan]

On 8/9/23 09:29, Seth Mattinen via NANOG wrote:

I liked having a WWVB receiver in my mix, but all the hardware 
appliances (at least those offering OCXO or Rubidium oscillator options) 
seem to have rejected it in favor of GPS only. I can only conclude that 
either vendors think options like WWVB are a dead end or there's no 
demand for GPS alternatives.


Both GPS and WWVB are over-the-air. There has been concern expressed of 
a bad actor spoofing or jamming GPS. Comparatively speaking, jamming or 
spoofing WWVB is a trivial joke.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

Re: NTP Sync Issue Across Tata (Europe)

[Seth Mattinen via NANOG]

On 8/9/23 2:39 AM, Forrest Christian (List Account) wrote:
When GPS is working, time transmission with accuracies of under 1 
microsecond is common.   This is especially true if the GPS integrates 
some sort of disciplined oscillator.  Note that this is in excess of 
what NTPd running on a typical OS can reliably retransmit.


BUT..  if I was to choose only one protocol, it would be NTP, not GPS, 
because of all of the reasons you mention.


I find it distressing that sites are relying on GPS only.  I suspect 
that this a failure to assign proper risk to using GPS.  It's 
particularly odd when one considers that adding NTP time sources are 
essentially free and improve robustness and reliability greatly.





I liked having a WWVB receiver in my mix, but all the hardware 
appliances (at least those offering OCXO or Rubidium oscillator options) 
seem to have rejected it in favor of GPS only. I can only conclude that 
either vendors think options like WWVB are a dead end or there's no 
demand for GPS alternatives.


Products like the BlueSky GNSS Firewall exist, but not something I've 
thought was as necessary expenditure for my needs (yet). Mouser lists it 
at just under $10k.


Personally I'm just not that comfortable using random unknown platform 
and unknown installation conditions time server pools over the big-I 
internet. I would possibly consider NTP servers operated by entities I 
have peering with.


~Seth

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

John Gilmore wrote:


 I was also speaking specifically about installing GPS antennas in
 viable places, not using a facility-provided GPS or NTP service.


Am I confused?  Getting the time over a multi-gigabit Internet from a
national time standard agency such as NIST (or your local country's
equivalent) should produce far better accuracy and stability than
relying on locally received GPS signals.


When the (wrong) question is "how to build a stratum 1 server?",
that can not be an answer.


GPS uses very weak radio
signals which are regularly spoofed by all sorts of bad actors:


The question, seemingly, is not "how to build a secure stratum
1 server?".

BTW, the proper question should be "how to obtain secure time?".

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

When GPS is working, time transmission with accuracies of under 1
microsecond is common.   This is especially true if the GPS integrates some
sort of disciplined oscillator.  Note that this is in excess of what NTPd
running on a typical OS can reliably retransmit.

BUT..  if I was to choose only one protocol, it would be NTP, not GPS,
because of all of the reasons you mention.

I find it distressing that sites are relying on GPS only.  I suspect that
this a failure to assign proper risk to using GPS.  It's particularly odd
when one considers that adding NTP time sources are essentially free and
improve robustness and reliability greatly.

NTP is not without it's risks but the most common server implementation is
specifically designed to be able to discard time sources which are not
telling the truth, provided the server is given enough valid time sources.
Even if a spoofed or misconfigured server is giving the wrong time,  NTPd
will be able to ignore those errant time sources.

 When configured with numerous network time sources and a GPS source,  NTPd
will determine what the correct time should be, and then will use the
higher accuracy GPS source to improve the overall accuracy.  This is more
or less automatic since the latency to the GPS time source will be
essentially zero when compared to a typical network source.

However,  if the GPS source starts lying about the time,  NTPd will start
ignoring it as a potential time source even with the lower latency.
Without having non-GPS sources in your configuration, this essentially free
protection against GPS spoofing is no longer available since it has nothing
to compare it to.

If your network is large enough that you could install multiple GPS
receivers in diverse locations,  then I'd configure all of the NTPd servers
to pull from all of the GPS receivers.  That way you gain additional
redundancy.  I'd still not drop the public trusted NTP servers though.




On Tue, Aug 8, 2023, 2:58 PM John Gilmore  wrote:

> > I was also speaking specifically about installing GPS antennas in
> > viable places, not using a facility-provided GPS or NTP service.
>
> Am I confused?  Getting the time over a multi-gigabit Internet from a
> national time standard agency such as NIST (or your local country's
> equivalent) should produce far better accuracy and stability than
> relying on locally received GPS signals.  GPS uses very weak radio
> signals which are regularly spoofed by all sorts of bad actors:
>
>   https://www.gps.gov/spectrum/jamming/
>
> for all sorts of reasons (like misleading drone navigation):
>
>   https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident
>
> Depending on satnav systems creates a large single point of failure for
> worldwide civilian infrastructure.
>
> Jamming GPS with subtly fake time data near big data centers seems like
> an easy move that would cause all sorts of distributed algorithms to
> start failing in unusual ways.  And in a more serious wartime attack,
> many or most GPS satellites themselves would be destroyed or disabled.
> Yet digital radio modulations like FT8 or DMR rely on tight time
> synchronization among different transmitters.  So do many modern
> cellphone modulations -- not to mention distributed database sync
> algorithms.  Depending on any of these for emergency communications when
> their time comes from GPS, is a recipe for having no communications
> during wars or cyber-wars in which GPS satellites are attacked or
> jammed.  See a longer explanation here:
>
>   https://www.ardc.net/apply/grants/2020-grants/grant-ntpsec/
>
> I suspect that even today, if you rely on civilian GPS time near the US
> White House, Pentagon, or other military targets like bases, you will
> discover "anomalies" in the local radio GPS data, compared to what you
> get from an authenticated time standard over NTP.  How reliable is
> civilian GPS time in Ukraine these days?
>
> John
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Martin Hannigan]

Same here. Latency and the algo work together. Time outs or un-reachable peers 
are network issues.

Paging Randy Bush.

Get Outlook for iOS<https://aka.ms/o0ukef>

From: NANOG  on behalf of John 
Gilmore 
Sent: Tuesday, August 8, 2023 17:01
To: Mel Beckman 
Cc: nanog@nanog.org 
Subject: Re: NTP Sync Issue Across Tata (Europe)

> I was also speaking specifically about installing GPS antennas in
> viable places, not using a facility-provided GPS or NTP service.

Am I confused?  Getting the time over a multi-gigabit Internet from a
national time standard agency such as NIST (or your local country's
equivalent) should produce far better accuracy and stability than
relying on locally received GPS signals.  GPS uses very weak radio
signals which are regularly spoofed by all sorts of bad actors:

  https://www.gps.gov/spectrum/jamming/

for all sorts of reasons (like misleading drone navigation):

  https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident

Depending on satnav systems creates a large single point of failure for
worldwide civilian infrastructure.

Jamming GPS with subtly fake time data near big data centers seems like
an easy move that would cause all sorts of distributed algorithms to
start failing in unusual ways.  And in a more serious wartime attack,
many or most GPS satellites themselves would be destroyed or disabled.
Yet digital radio modulations like FT8 or DMR rely on tight time
synchronization among different transmitters.  So do many modern
cellphone modulations -- not to mention distributed database sync
algorithms.  Depending on any of these for emergency communications when
their time comes from GPS, is a recipe for having no communications
during wars or cyber-wars in which GPS satellites are attacked or
jammed.  See a longer explanation here:

  https://www.ardc.net/apply/grants/2020-grants/grant-ntpsec/

I suspect that even today, if you rely on civilian GPS time near the US
White House, Pentagon, or other military targets like bases, you will
discover "anomalies" in the local radio GPS data, compared to what you
get from an authenticated time standard over NTP.  How reliable is
civilian GPS time in Ukraine these days?

John

Re: NTP Sync Issue Across Tata (Europe)

[John Gilmore]

> I was also speaking specifically about installing GPS antennas in
> viable places, not using a facility-provided GPS or NTP service.

Am I confused?  Getting the time over a multi-gigabit Internet from a
national time standard agency such as NIST (or your local country's
equivalent) should produce far better accuracy and stability than
relying on locally received GPS signals.  GPS uses very weak radio
signals which are regularly spoofed by all sorts of bad actors:

  https://www.gps.gov/spectrum/jamming/

for all sorts of reasons (like misleading drone navigation):

  https://en.wikipedia.org/wiki/Iran%E2%80%93U.S._RQ-170_incident

Depending on satnav systems creates a large single point of failure for
worldwide civilian infrastructure.

Jamming GPS with subtly fake time data near big data centers seems like
an easy move that would cause all sorts of distributed algorithms to
start failing in unusual ways.  And in a more serious wartime attack,
many or most GPS satellites themselves would be destroyed or disabled.
Yet digital radio modulations like FT8 or DMR rely on tight time
synchronization among different transmitters.  So do many modern
cellphone modulations -- not to mention distributed database sync
algorithms.  Depending on any of these for emergency communications when
their time comes from GPS, is a recipe for having no communications
during wars or cyber-wars in which GPS satellites are attacked or
jammed.  See a longer explanation here:

  https://www.ardc.net/apply/grants/2020-grants/grant-ntpsec/

I suspect that even today, if you rely on civilian GPS time near the US
White House, Pentagon, or other military targets like bases, you will
discover "anomalies" in the local radio GPS data, compared to what you
get from an authenticated time standard over NTP.  How reliable is
civilian GPS time in Ukraine these days?

John

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Go for it. I’m sure NTS’ complexity clocks lots of hours for expensive 
consultants :)

Me, I’m sticking with GPS.)

-mel via cell

On Aug 8, 2023, at 11:34 AM, Rubens Kuhl  wrote:


So little deployment that has 3500 occurrences according to 
shodan.io.  With such few choices, It should be hard to find 
suitable options.

Rubens




Em ter., 8 de ago. de 2023 13:02, Mel Beckman 
mailto:m...@beckman.org>> escreveu:
I’m familiar with NTS, which is pointedly not NTP.  That’s like saying “TCP 
port 80 can be made secure,: just use a VPN!” Perhaps when NTS is widely 
deployed it will be an option. As the RFC was only approved in 2020, that will 
probably take a decade. Or more. (I’m talking about you, IPv6 :) Not to mention 
the complexity or NTS for hardware implementation in network elements, a 
primary application (https://tinyurl.com/ntsishard).

 -mel

> On Aug 8, 2023, at 8:26 AM, Rubens Kuhl 
> mailto:rube...@gmail.com>> wrote:
>
> On Tue, Aug 8, 2023 at 12:12 PM Mel Beckman 
> mailto:m...@beckman.org>> wrote:
>>
>> Until the Internet NTP network can be made secure, no.
>
> Internet NTP can be made secure, it's called NTS.
> https://developers.cloudflare.com/time-services/nts/ describes it with
> links to the RFC, and describes one of the many NTP servers that is
> available with NTS, time.cloudflare.com. I 
> already mentioned 5 others,
> and there are many more than those 6.
>
>
> Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Well, an iLEC CO is hardly a data center. Plus you have to be a CLEC to get in.

I’ve built out CLEC spaces in many COs. They invariably connect via fiber to a 
CLEC core data center, where they invariably run their own GPS clocks. Plus 
they run rubidium clocks in the racks at the CO, so they can freewheel for days.

-mel via cell

On Aug 8, 2023, at 11:21 AM, Mike Hammett  wrote:


Frontier COs is the easiest example.No antennas and no time service. Yes, they 
provide BITS, but BITS isn't time.

I was also speaking specifically about installing GPS antennas in viable 
places, not using a facility-provided GPS or NTP service.



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Mel Beckman" 
To: "Mike Hammett" 
Cc: nanog@nanog.org, "Mark Tinka" 
Sent: Tuesday, August 8, 2023 10:36:46 AM
Subject: Re: NTP Sync Issue Across Tata (Europe)

I’d be interested in an example of a Colo that does NOT provide GPS-based NTP 
even if they don’t let tenants install their own. I’ve never, ever seen one.

 -mel

On Aug 8, 2023, at 8:20 AM, Mike Hammett  wrote:


My facility experience ranges from prohibited to infeasible. I must not be in 
the right facilities.


Yes, many radio platforms have GPS for timing. Some expose it for external time 
and timing purposes, some do not. Naturally, they do have a pretty good view of 
the sky.



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
________
From: "Mel Beckman" 
To: "Mike Hammett" 
Cc: nanog@nanog.org, "Mark Tinka" 
Sent: Tuesday, August 8, 2023 10:05:55 AM
Subject: Re: NTP Sync Issue Across Tata (Europe)

It works fine, and is an industry standard. you have to mount the GPS antenna 
near a window with sky visibility, or on the roof. Many point-to-point 
microwave radios have GPS built in to obtain accurate timing for transmission 
multiplexing.

 -mel

On Aug 8, 2023, at 7:16 AM, Mike Hammett  wrote:


"We use these exclusively in data centers"

How well does GPS work inside the datacenter?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

So little deployment that has 3500 occurrences according to shodan.io.
With such few choices, It should be hard to find suitable options.

Rubens




Em ter., 8 de ago. de 2023 13:02, Mel Beckman  escreveu:

> I’m familiar with NTS, which is pointedly not NTP.  That’s like saying
> “TCP port 80 can be made secure,: just use a VPN!” Perhaps when NTS is
> widely deployed it will be an option. As the RFC was only approved in 2020,
> that will probably take a decade. Or more. (I’m talking about you, IPv6 :)
> Not to mention the complexity or NTS for hardware implementation in network
> elements, a primary application (https://tinyurl.com/ntsishard).
>
>  -mel
>
> > On Aug 8, 2023, at 8:26 AM, Rubens Kuhl  wrote:
> >
> > On Tue, Aug 8, 2023 at 12:12 PM Mel Beckman  wrote:
> >>
> >> Until the Internet NTP network can be made secure, no.
> >
> > Internet NTP can be made secure, it's called NTS.
> > https://developers.cloudflare.com/time-services/nts/ describes it with
> > links to the RFC, and describes one of the many NTP servers that is
> > available with NTS, time.cloudflare.com. I already mentioned 5 others,
> > and there are many more than those 6.
> >
> >
> > Rubens
>

Re: NTP Sync Issue Across Tata (Europe)

[Mike Hammett]

Frontier COs is the easiest example.No antennas and no time service. Yes, they 
provide BITS, but BITS isn't time. 


I was also speaking specifically about installing GPS antennas in viable 
places, not using a facility-provided GPS or NTP service. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "Mark Tinka"  
Sent: Tuesday, August 8, 2023 10:36:46 AM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

I’d be interested in an example of a Colo that does NOT provide GPS-based NTP 
even if they don’t let tenants install their own. I’ve never, ever seen one. 


-mel 



On Aug 8, 2023, at 8:20 AM, Mike Hammett  wrote: 







My facility experience ranges from prohibited to infeasible. I must not be in 
the right facilities. 




Yes, many radio platforms have GPS for timing. Some expose it for external time 
and timing purposes, some do not. Naturally, they do have a pretty good view of 
the sky. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "Mark Tinka"  
Sent: Tuesday, August 8, 2023 10:05:55 AM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

It works fine, and is an industry standard. you have to mount the GPS antenna 
near a window with sky visibility, or on the roof. Many point-to-point 
microwave radios have GPS built in to obtain accurate timing for transmission 
multiplexing. 


-mel 



On Aug 8, 2023, at 7:16 AM, Mike Hammett  wrote: 







"We use these exclusively in data centers" 


How well does GPS work inside the datacenter? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mark Tinka"  
Cc: nanog@nanog.org 
Sent: Saturday, August 5, 2023 2:26:37 PM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

Mark, 

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack 
surface. 

-mel via cell 

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote: 
> 
> 
> 
>> On 8/5/23 20:17, Chris Adams wrote: 
>> 
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just 
>> a vendored entry into the pool (more for load tracking and management). 
> 
> Yes, Andreas clarified in unicast. Will do. Thanks. 
> 
> Mark. 

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

I’m familiar with NTS, which is pointedly not NTP.  That’s like saying “TCP 
port 80 can be made secure,: just use a VPN!” Perhaps when NTS is widely 
deployed it will be an option. As the RFC was only approved in 2020, that will 
probably take a decade. Or more. (I’m talking about you, IPv6 :) Not to mention 
the complexity or NTS for hardware implementation in network elements, a 
primary application (https://tinyurl.com/ntsishard).

 -mel 

> On Aug 8, 2023, at 8:26 AM, Rubens Kuhl  wrote:
> 
> On Tue, Aug 8, 2023 at 12:12 PM Mel Beckman  wrote:
>> 
>> Until the Internet NTP network can be made secure, no.
> 
> Internet NTP can be made secure, it's called NTS.
> https://developers.cloudflare.com/time-services/nts/ describes it with
> links to the RFC, and describes one of the many NTP servers that is
> available with NTS, time.cloudflare.com. I already mentioned 5 others,
> and there are many more than those 6.
> 
> 
> Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

I’d be interested in an example of a Colo that does NOT provide GPS-based NTP 
even if they don’t let tenants install their own. I’ve never, ever seen one.

 -mel

On Aug 8, 2023, at 8:20 AM, Mike Hammett  wrote:


My facility experience ranges from prohibited to infeasible. I must not be in 
the right facilities.


Yes, many radio platforms have GPS for timing. Some expose it for external time 
and timing purposes, some do not. Naturally, they do have a pretty good view of 
the sky.



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Mel Beckman" 
To: "Mike Hammett" 
Cc: nanog@nanog.org, "Mark Tinka" 
Sent: Tuesday, August 8, 2023 10:05:55 AM
Subject: Re: NTP Sync Issue Across Tata (Europe)

It works fine, and is an industry standard. you have to mount the GPS antenna 
near a window with sky visibility, or on the roof. Many point-to-point 
microwave radios have GPS built in to obtain accurate timing for transmission 
multiplexing.

 -mel

On Aug 8, 2023, at 7:16 AM, Mike Hammett  wrote:


"We use these exclusively in data centers"

How well does GPS work inside the datacenter?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Mel Beckman" 
To: "Mark Tinka" 
Cc: nanog@nanog.org
Sent: Saturday, August 5, 2023 2:26:37 PM
Subject: Re: NTP Sync Issue Across Tata (Europe)

Mark,

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack surface.

-mel via cell

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote:
>
> 
>
>> On 8/5/23 20:17, Chris Adams wrote:
>>
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just
>> a vendored entry into the pool (more for load tracking and management).
>
> Yes, Andreas clarified in unicast. Will do. Thanks.
>
> Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

On Tue, Aug 8, 2023 at 12:12 PM Mel Beckman  wrote:
>
> Until the Internet NTP network can be made secure, no.

Internet NTP can be made secure, it's called NTS.
https://developers.cloudflare.com/time-services/nts/ describes it with
links to the RFC, and describes one of the many NTP servers that is
available with NTS, time.cloudflare.com. I already mentioned 5 others,
and there are many more than those 6.


Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Mike Hammett]

My facility experience ranges from prohibited to infeasible. I must not be in 
the right facilities. 




Yes, many radio platforms have GPS for timing. Some expose it for external time 
and timing purposes, some do not. Naturally, they do have a pretty good view of 
the sky. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mike Hammett"  
Cc: nanog@nanog.org, "Mark Tinka"  
Sent: Tuesday, August 8, 2023 10:05:55 AM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

It works fine, and is an industry standard. you have to mount the GPS antenna 
near a window with sky visibility, or on the roof. Many point-to-point 
microwave radios have GPS built in to obtain accurate timing for transmission 
multiplexing. 


-mel 



On Aug 8, 2023, at 7:16 AM, Mike Hammett  wrote: 







"We use these exclusively in data centers" 


How well does GPS work inside the datacenter? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mark Tinka"  
Cc: nanog@nanog.org 
Sent: Saturday, August 5, 2023 2:26:37 PM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

Mark, 

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack 
surface. 

-mel via cell 

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote: 
> 
> 
> 
>> On 8/5/23 20:17, Chris Adams wrote: 
>> 
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just 
>> a vendored entry into the pool (more for load tracking and management). 
> 
> Yes, Andreas clarified in unicast. Will do. Thanks. 
> 
> Mark. 

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Until the Internet NTP network can be made secure, no. Do you have a citation 
for your Jersey event? I doubt GPS caused the problem, but I’d like to see the 
documentation.

Using GPS for time sync is simple risk management: the risk of Internet NTP 
with known, well documented vulnerabilities and many security incidents, versus 
the risk of some theoretical GPS-based vulnerability, for which mitigations 
such as geographic diversity are readily available. Sure, you could use 
Internet NTP as a last resort should GPS fail globally (perhaps due to a 
theoretical — but conceivable — meteor storm). But that would be a fall-back. I 
would not mix the systems.

 -mel

> On Aug 8, 2023, at 1:36 AM, Matthew Richardson  
> wrote:
> 
> Mel Beckman wrote:-
> 
>> It's a problem that has received a lot of attention in both NTP and
>> aviation navigation circles. What is hard to defend against is total signal
>> suppression via high powered jamming. But that you can do with a
>> geographically diverse GPS NTP network.
> 
> Whilst looking forward to being corrected, GPS (even across multiple
> locations) seems to be a SINGLE source of time.  You seem (have I
> misunderstood?) to be a proponent of using GPS exclusively as the external
> clock source.
> 
> Might it be preferable to have a mixture of GPS (perhaps with another GNSS)
> together with carefully selected Internet-based NTP servers?
> 
> I recall an incident over here in Jersey (the one they named New Jersey
> after!) where our primary telco had a substantial time shift on one of
> their two GPS synced servers.  This managed to adjust the clock on enough
> of their routers that the certificate-based OSPF authentication considered
> the certificates invalid, and caused a failure of almost their whole
> network.
> 
> This is, of course, not to say that GPS is not a very good clock source,
> but rather to wonder whether more diversity would be preferable than using
> it as a single source.
> 
> --
> Best wishes,
> Matthew
> 
> --
>> From: Mel Beckman 
>> To: "Forrest Christian (List Account)" 
>> Cc: Nanog 
>> Date: Mon, 7 Aug 2023 14:03:30 +
>> Subject: Re: NTP Sync Issue Across Tata (Europe)
> 
>> Forrest,
>> 
>> GPS spoofing may work with a primitive Raspberry Pi-based NTP server, but 
>> commercial industrial NTP servers have specific anti-spoofing mitigations. 
>> There are also antenna diversity strategies that vendors support to ensure 
>> the signal being relied upon is coming from the right direction. It's a 
>> problem that has received a lot of attention in both NTP and aviation 
>> navigation circles. What is hard to defend against is total signal 
>> suppression via high powered jamming. But that you can do with a 
>> geographically diverse GPS NTP network.
>> 
>> -mel
>> 
>> On Aug 7, 2023, at 1:39 AM, Forrest Christian (List Account) 
>>  wrote:
>> 
>> ?
>> The problem with relying exclusively on GPS to do time distribution is the 
>> ease with which one can spoof the GPS signals.
>> 
>> With a budget of around $1K, not including a laptop, anyone with decent 
>> technical skills could convince a typical GPS receiver it was at any 
>> position and was at any time in the world.   All it takes is a decent 
>> directional antenna, some SDR hardware, and depending on the location and 
>> directivity of your antenna maybe a smallish amplifier.   There is much 
>> discussion right now in the PNT (Position, Navigation and Timing) community 
>> as to how best to secure the GNSS network, but right now one should consider 
>> the data from GPS to be no more trustworthy than some random NTP server on 
>> the internet.
>> 
>> In order to build a resilient NTP server infrastructure you need multiple 
>> sources of time distributed by multiple methods - typically both via 
>> satellite (GPS) and by terrestrial (NTP) methods.   NTP does a pretty good 
>> job of sorting out multiple time servers and discarding sources that are 
>> lying.  But to do this you need multiple time sources.  A common 
>> recommendation is to run a couple/few NTP servers which only get time from a 
>> GPS receiver and only serve time to a second tier of servers that pull from 
>> both those in-house GPS-timed-NTP servers and other trusted NTP servers.   
>> I'd recommend selecting the time servers to gain geographic diversity, i.e. 
>> poll NIST servers in Maryland and Colorado, and possibly both.
>> 
>> Note that NIST will exchange (via mail) a set of keys with you to talk 
>> encrypted NTP with you.   See 
>> https://www.nist.gov/pml/time-and-frequency-division

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

It works fine, and is an industry standard. you have to mount the GPS antenna 
near a window with sky visibility, or on the roof. Many point-to-point 
microwave radios have GPS built in to obtain accurate timing for transmission 
multiplexing.

 -mel

On Aug 8, 2023, at 7:16 AM, Mike Hammett  wrote:


"We use these exclusively in data centers"

How well does GPS work inside the datacenter?



-
Mike Hammett
Intelligent Computing Solutions<http://www.ics-il.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/ICSIL>[http://www.ics-il.com/images/googleicon.png]<https://plus.google.com/+IntelligentComputingSolutionsDeKalb>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/intelligent-computing-solutions>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/ICSIL>
Midwest Internet Exchange<http://www.midwest-ix.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/mdwestix>[http://www.ics-il.com/images/linkedinicon.png]<https://www.linkedin.com/company/midwest-internet-exchange>[http://www.ics-il.com/images/twittericon.png]<https://twitter.com/mdwestix>
The Brothers WISP<http://www.thebrotherswisp.com/>
[http://www.ics-il.com/images/fbicon.png]<https://www.facebook.com/thebrotherswisp>[http://www.ics-il.com/images/youtubeicon.png]<https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Mel Beckman" 
To: "Mark Tinka" 
Cc: nanog@nanog.org
Sent: Saturday, August 5, 2023 2:26:37 PM
Subject: Re: NTP Sync Issue Across Tata (Europe)

Mark,

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack surface.

-mel via cell

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote:
>
> 
>
>> On 8/5/23 20:17, Chris Adams wrote:
>>
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just
>> a vendored entry into the pool (more for load tracking and management).
>
> Yes, Andreas clarified in unicast. Will do. Thanks.
>
> Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Mike Hammett]

"We use these exclusively in data centers" 


How well does GPS work inside the datacenter? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Mel Beckman"  
To: "Mark Tinka"  
Cc: nanog@nanog.org 
Sent: Saturday, August 5, 2023 2:26:37 PM 
Subject: Re: NTP Sync Issue Across Tata (Europe) 

Mark, 

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack 
surface. 

-mel via cell 

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote: 
> 
> 
> 
>> On 8/5/23 20:17, Chris Adams wrote: 
>> 
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just 
>> a vendored entry into the pool (more for load tracking and management). 
> 
> Yes, Andreas clarified in unicast. Will do. Thanks. 
> 
> Mark. 

Re: NTP Sync Issue Across Tata (Europe)

[Matthew Richardson via NANOG]

Mel Beckman wrote:-

>It’s a problem that has received a lot of attention in both NTP and
>aviation navigation circles. What is hard to defend against is total signal
>suppression via high powered jamming. But that you can do with a
>geographically diverse GPS NTP network.

Whilst looking forward to being corrected, GPS (even across multiple
locations) seems to be a SINGLE source of time.  You seem (have I
misunderstood?) to be a proponent of using GPS exclusively as the external
clock source.

Might it be preferable to have a mixture of GPS (perhaps with another GNSS)
together with carefully selected Internet-based NTP servers?

I recall an incident over here in Jersey (the one they named New Jersey
after!) where our primary telco had a substantial time shift on one of
their two GPS synced servers.  This managed to adjust the clock on enough
of their routers that the certificate-based OSPF authentication considered
the certificates invalid, and caused a failure of almost their whole
network.

This is, of course, not to say that GPS is not a very good clock source,
but rather to wonder whether more diversity would be preferable than using
it as a single source.

--
Best wishes,
Matthew

 --
>From: Mel Beckman 
>To: "Forrest Christian (List Account)" 
>Cc: Nanog 
>Date: Mon, 7 Aug 2023 14:03:30 +
>Subject: Re: NTP Sync Issue Across Tata (Europe)

>Forrest,
>
>GPS spoofing may work with a primitive Raspberry Pi-based NTP server, but 
>commercial industrial NTP servers have specific anti-spoofing mitigations. 
>There are also antenna diversity strategies that vendors support to ensure the 
>signal being relied upon is coming from the right direction. It’s a problem 
>that has received a lot of attention in both NTP and aviation navigation 
>circles. What is hard to defend against is total signal suppression via high 
>powered jamming. But that you can do with a geographically diverse GPS NTP 
>network.
>
> -mel
>
>On Aug 7, 2023, at 1:39 AM, Forrest Christian (List Account) 
> wrote:
>
>?
>The problem with relying exclusively on GPS to do time distribution is the 
>ease with which one can spoof the GPS signals.
>
>With a budget of around $1K, not including a laptop, anyone with decent 
>technical skills could convince a typical GPS receiver it was at any position 
>and was at any time in the world.   All it takes is a decent directional 
>antenna, some SDR hardware, and depending on the location and directivity of 
>your antenna maybe a smallish amplifier.   There is much discussion right now 
>in the PNT (Position, Navigation and Timing) community as to how best to 
>secure the GNSS network, but right now one should consider the data from GPS 
>to be no more trustworthy than some random NTP server on the internet.
>
>In order to build a resilient NTP server infrastructure you need multiple 
>sources of time distributed by multiple methods - typically both via satellite 
>(GPS) and by terrestrial (NTP) methods.   NTP does a pretty good job of 
>sorting out multiple time servers and discarding sources that are lying.  But 
>to do this you need multiple time sources.  A common recommendation is to run 
>a couple/few NTP servers which only get time from a GPS receiver and only 
>serve time to a second tier of servers that pull from both those in-house 
>GPS-timed-NTP servers and other trusted NTP servers.   I'd recommend selecting 
>the time servers to gain geographic diversity, i.e. poll NIST servers in 
>Maryland and Colorado, and possibly both.
>
>Note that NIST will exchange (via mail) a set of keys with you to talk 
>encrypted NTP with you.   See 
>https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service
> .
>
>
>
>On Sun, Aug 6, 2023 at 8:36?PM Mel Beckman 
>mailto:m...@beckman.org>> wrote:
>GPS Selective Availability did not disrupt the timing chain of GPS, only the 
>ephemeris (position information).  But a government-disrupted timebase 
>scenario has never occurred, while hackers are a documented threat.
>
>DNS has DNSSec, which while not deployed as broadly as we might like, at least 
>lets us know which servers we can trust.
>
>Your own atomic clocks still have to be synced to a common standard to be 
>useful. To what are they sync’d? GPS, I’ll wager.
>
>I sense hand-waving :)
>
>-mel via cell
>
>On Aug 6, 2023, at 7:04 PM, Rubens Kuhl 
>mailto:rube...@gmail.com>> wrote:
>
>?
>
>
>On Sun, Aug 6, 2023 at 8:20?PM Mel Beckman 
>mailto:m...@beckman.org>> wrote:
>Or one can read recent research papers that thoroughly document the incredible 
>fragility of the existing NTP hierarchy and soberly consider their 
>recommendations for remediation:
>
>The paper suggests the compromi

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Forrest Christian (List Account) wrote:


Depends on how synchronized you need to be.


Sure. But, we should be assuming NTP is mostly enough.


A rubidium oscillator or Chip Scale Atomic Clock is in the price range you
quote.  However, these can drift enough that you should occasionally
synchronize with a reference time source.  This is to ensure continued
millisecond accuracy.  Of course it all depends on how much drift you'll
tolerate, and if you're OK with being within a second, then a rubidium
might be ok.


For millisecond accuracy, Rb clocks do not need any synchronization
for centuries.

Rb clocks on GPS are a lot more frequently synchronized, because
a lot more accuracy is required for positioning (10ns of timing
error means 3m of positioning error).

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Mel Beckman wrote:

> To be useful, any atomic clocks you operate must be synchronized
> to a Stratum Zero time source, such as GPS.

Only initially.


Precise time is crucial to a variety of economic activities around
the world. Communication systems, electrical power grids, and
financial networks all rely on precision timing for synchronization
and operational efficiency. The free availability of GPS time has
enabled cost savings for companies that depend on precise time and
has led to significant advances in capability.


FYI, time difference between two points is not noticeable, that
is, does not affect correctness of any distributed algorithm,
if the difference is below the communication delay between
the points, which means rough synchronization by NTP is
good enough.

That is an information theoretic version of relativity of simultaneity:

https://en.wikipedia.org/wiki/Relativity_of_simultaneity

For information theoretic simultaneity, you can consider, instead
of light cone, information cone.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

Depends on how synchronized you need to be.

In the context of running airgapped:

 A rubidium oscillator or Chip Scale Atomic Clock is in the price range you
quote.  However, these can drift enough that you should occasionally
synchronize with a reference time source.  This is to ensure continued
millisecond accuracy.  Of course it all depends on how much drift you'll
tolerate, and if you're OK with being within a second, then a rubidium
might be ok.

Caesium oscillators which have much lower drift are in the $30K-50K range.
These would require significantly less frequent synchronization, but are
definitely not a few thousand dollars.

Note that these are both just oscillators and they need additional support
hardware to be able to be queried by NTP.  Or stated differently,  they
still need a NTP server.  Yes, there are products out there which integrate
everything in one box at an additional cost.






On Mon, Aug 7, 2023, 11:02 PM Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:

> Forrest Christian (List Account) wrote:
>
> > In the middle tends to be a more moderate solution which involves a mix
> of
> > time transmission methods from a variety of geographically and/or network
> > diverse sources.  Taking time from the public trusted ntp servers and
> > adding lower cost GPS receivers at diverse points in your network seems
> > like a good compromise in the middle.  That way,  only coordinated
> attacks
> > will be successful.
>
> Instead, just rely on atomic clocks operated by you. They are not
> so expensive (several thousand dollars) and should be accurate
> enough without adjustment for hundreds of years. There can be no
> coordinated attacks. They may be remotely accessed through
> secured NTP.
>
> Masataka Ohta
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Masataka,

To be useful, any atomic clocks you operate must be synchronized to a Stratum 
Zero time source, such as GPS. Such clocks are useful when you need exceptional 
accuracy, such as for Building Integrated Timing Service (BITS), but unless 
they’re synchronized you can’t coordinate time-sensitive activities such as 
digital certificate validation with anyone else on the Internet.

From 
https://www.gps.gov/applications/timing/


Each GPS satellite contains multiple atomic clocks that contribute very precise 
time data to the GPS signals. GPS receivers decode these signals, effectively 
synchronizing each receiver to the atomic clocks. This enables users to 
determine the time to within 100 billionths of a second, without the cost of 
owning and operating atomic clocks.

Precise time is crucial to a variety of economic activities around the world. 
Communication systems, electrical power grids, and financial networks all rely 
on precision timing for synchronization and operational efficiency. The free 
availability of GPS time has enabled cost savings for companies that depend on 
precise time and has led to significant advances in capability.

-mel via cell

On Aug 7, 2023, at 10:04 PM, Masataka Ohta  
wrote:

Forrest Christian (List Account) wrote:

In the middle tends to be a more moderate solution which involves a mix of
time transmission methods from a variety of geographically and/or network
diverse sources.  Taking time from the public trusted ntp servers and
adding lower cost GPS receivers at diverse points in your network seems
like a good compromise in the middle.  That way,  only coordinated attacks
will be successful.

Instead, just rely on atomic clocks operated by you. They are not
so expensive (several thousand dollars) and should be accurate
enough without adjustment for hundreds of years. There can be no
coordinated attacks. They may be remotely accessed through
secured NTP.

   Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Masataka Ohta]

Forrest Christian (List Account) wrote:


In the middle tends to be a more moderate solution which involves a mix of
time transmission methods from a variety of geographically and/or network
diverse sources.  Taking time from the public trusted ntp servers and
adding lower cost GPS receivers at diverse points in your network seems
like a good compromise in the middle.  That way,  only coordinated attacks
will be successful.


Instead, just rely on atomic clocks operated by you. They are not
so expensive (several thousand dollars) and should be accurate
enough without adjustment for hundreds of years. There can be no
coordinated attacks. They may be remotely accessed through
secured NTP.

Masataka Ohta

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

Those particular boxes are not cheap.   (Yes I know the units you talk
about).  Note that some of them rely on terrestrial communication of
ephermis data to validate the GPS data to further make the time more
robust.

I was hopefully trying to dispel the seemingly common thread in this
discussion that somehow a $400 GPS derived ntp clock is more robust than
using the public NTP infrastructure.  Without understanding that GPS
receivers are also subject to similar attacks as NTP, one comes to the
wrong conclusion about how to build a robust timing infrastructure.   GPS
is subject to DoS and spoofing attacks just like NTP, and as such, it's
important to mitigate those as well if you care about time stability.

In the end, it's all about risk vs cost to mitigate risk.If you're
running a tiny network, deriving your time from the public NTP servers is
fine.

 At the other end of the scale is using exotic hardened solutions which
derive their own clock source and can hold over time for days or weeks in
the event of a failure or attack.

In the middle tends to be a more moderate solution which involves a mix of
time transmission methods from a variety of geographically and/or network
diverse sources.  Taking time from the public trusted ntp servers and
adding lower cost GPS receivers at diverse points in your network seems
like a good compromise in the middle.  That way,  only coordinated attacks
will be successful.


On Mon, Aug 7, 2023, 8:03 AM Mel Beckman  wrote:

> Forrest,
>
> GPS spoofing may work with a primitive Raspberry Pi-based NTP server, but
> commercial industrial NTP servers have specific anti-spoofing mitigations.
> There are also antenna diversity strategies that vendors support to ensure
> the signal being relied upon is coming from the right direction. It’s a
> problem that has received a lot of attention in both NTP and aviation
> navigation circles. What is hard to defend against is total signal
> suppression via high powered jamming. But that you can do with a
> geographically diverse GPS NTP network.
>
>  -mel
>
> On Aug 7, 2023, at 1:39 AM, Forrest Christian (List Account) <
> li...@packetflux.com> wrote:
>
> 
> The problem with relying exclusively on GPS to do time distribution is the
> ease with which one can spoof the GPS signals.
>
> With a budget of around $1K, not including a laptop, anyone with decent
> technical skills could convince a typical GPS receiver it was at any
> position and was at any time in the world.   All it takes is a decent
> directional antenna, some SDR hardware, and depending on the location and
> directivity of your antenna maybe a smallish amplifier.   There is much
> discussion right now in the PNT (Position, Navigation and Timing) community
> as to how best to secure the GNSS network, but right now one should
> consider the data from GPS to be no more trustworthy than some random NTP
> server on the internet.
>
> In order to build a resilient NTP server infrastructure you need multiple
> sources of time distributed by multiple methods - typically both via
> satellite (GPS) and by terrestrial (NTP) methods.   NTP does a pretty good
> job of sorting out multiple time servers and discarding sources that are
> lying.  But to do this you need multiple time sources.  A common
> recommendation is to run a couple/few NTP servers which only get time from
> a GPS receiver and only serve time to a second tier of servers that pull
> from both those in-house GPS-timed-NTP servers and other trusted NTP
> servers.   I'd recommend selecting the time servers to gain geographic
> diversity, i.e. poll NIST servers in Maryland and Colorado, and possibly
> both.
>
> Note that NIST will exchange (via mail) a set of keys with you to talk
> encrypted NTP with you.   See
> https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service
> .
>
>
>
> On Sun, Aug 6, 2023 at 8:36 PM Mel Beckman  wrote:
>
>> GPS Selective Availability did not disrupt the timing chain of GPS, only
>> the ephemeris (position information).  But a government-disrupted timebase
>> scenario has never occurred, while hackers are a documented threat.
>>
>> DNS has DNSSec, which while not deployed as broadly as we might like, at
>> least lets us know which servers we can trust.
>>
>> Your own atomic clocks still have to be synced to a common standard to be
>> useful. To what are they sync’d? GPS, I’ll wager.
>>
>> I sense hand-waving :)
>>
>> -mel via cell
>>
>> On Aug 6, 2023, at 7:04 PM, Rubens Kuhl  wrote:
>>
>> 
>>
>>
>> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:
>>
>>> Or one can read recent research papers that thoroughly document the
>>> incredible fragility of the existing NTP hierarchy and soberly consider
>>> their recommendations for remediation:
>>>
>>
>> The paper suggests the compromise of critical infrastructure. So, besides
>> not using NTP, why not stop using DNS ? Just populate a hosts file with all
>> you need.
>>
>> BTW, the stratum-0 source you 

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Forrest,

GPS spoofing may work with a primitive Raspberry Pi-based NTP server, but 
commercial industrial NTP servers have specific anti-spoofing mitigations. 
There are also antenna diversity strategies that vendors support to ensure the 
signal being relied upon is coming from the right direction. It’s a problem 
that has received a lot of attention in both NTP and aviation navigation 
circles. What is hard to defend against is total signal suppression via high 
powered jamming. But that you can do with a geographically diverse GPS NTP 
network.

 -mel

On Aug 7, 2023, at 1:39 AM, Forrest Christian (List Account) 
 wrote:


The problem with relying exclusively on GPS to do time distribution is the ease 
with which one can spoof the GPS signals.

With a budget of around $1K, not including a laptop, anyone with decent 
technical skills could convince a typical GPS receiver it was at any position 
and was at any time in the world.   All it takes is a decent directional 
antenna, some SDR hardware, and depending on the location and directivity of 
your antenna maybe a smallish amplifier.   There is much discussion right now 
in the PNT (Position, Navigation and Timing) community as to how best to secure 
the GNSS network, but right now one should consider the data from GPS to be no 
more trustworthy than some random NTP server on the internet.

In order to build a resilient NTP server infrastructure you need multiple 
sources of time distributed by multiple methods - typically both via satellite 
(GPS) and by terrestrial (NTP) methods.   NTP does a pretty good job of sorting 
out multiple time servers and discarding sources that are lying.  But to do 
this you need multiple time sources.  A common recommendation is to run a 
couple/few NTP servers which only get time from a GPS receiver and only serve 
time to a second tier of servers that pull from both those in-house 
GPS-timed-NTP servers and other trusted NTP servers.   I'd recommend selecting 
the time servers to gain geographic diversity, i.e. poll NIST servers in 
Maryland and Colorado, and possibly both.

Note that NIST will exchange (via mail) a set of keys with you to talk 
encrypted NTP with you.   See 
https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service
 .



On Sun, Aug 6, 2023 at 8:36 PM Mel Beckman 
mailto:m...@beckman.org>> wrote:
GPS Selective Availability did not disrupt the timing chain of GPS, only the 
ephemeris (position information).  But a government-disrupted timebase scenario 
has never occurred, while hackers are a documented threat.

DNS has DNSSec, which while not deployed as broadly as we might like, at least 
lets us know which servers we can trust.

Your own atomic clocks still have to be synced to a common standard to be 
useful. To what are they sync’d? GPS, I’ll wager.

I sense hand-waving :)

-mel via cell

On Aug 6, 2023, at 7:04 PM, Rubens Kuhl 
mailto:rube...@gmail.com>> wrote:




On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman 
mailto:m...@beckman.org>> wrote:
Or one can read recent research papers that thoroughly document the incredible 
fragility of the existing NTP hierarchy and soberly consider their 
recommendations for remediation:

The paper suggests the compromise of critical infrastructure. So, besides not 
using NTP, why not stop using DNS ? Just populate a hosts file with all you 
need.

BTW, the stratum-0 source you suggested is known to have been manipulated in 
the past (https://www.gps.gov/systems/gps/modernization/sa/), so you need to 
bet on that specific state actor not returning to old habits.

OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you can 
keep using GPS as well. If GPS goes bananas on timing, that source will just be 
disregarded (one of the features of the NTP architecture that has been pointed 
out over and over in this thread and you keep ignoring it).

Rubens


--
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

The paper suggests the compromise of critical infrastructure. So, besides
not using NTP, why not stop using DNS ? Just populate a hosts file with all
you need.

BTW, the stratum-0 source you suggested is known to have been manipulated
in the past (https://www.gps.gov/systems/gps/modernization/sa/), so you
need to bet on that specific state actor not returning to old habits.

OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you
can keep using GPS as well. If GPS goes bananas on timing, that source will
just be disregarded (one of the features of the NTP architecture that has
been pointed out over and over in this thread and you keep ignoring it).

Rubens



Rubens



On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:

> Or one can read recent research papers that thoroughly document the
> incredible fragility of the existing NTP hierarchy and soberly consider
> their recommendations for remediation:
>
> [image: preview.png]
>
> ndss2021_1A-2_24302_paper
> 
> PDF Document · 1.7 MB
> 
>
> 
>
> Or simply use non-Internet NTP servers based on a Stratum-0 GPS source for
> mission-critical network timing.
>
> Until then, we may all wake up one morning and discover massive data
> breaches traced to an unfounded reliance on insecure public NTP servers.
> Then the game truly will be over, but not in our favor.
>
>  -mel
>
> On Aug 6, 2023, at 2:35 PM, Rubens Kuhl  wrote:
>
> Or one can select NTS-capable NTP servers, like those 5:
> a.st1.ntp.br
> b.st1.ntp.br
> c.st1.ntp.br
> d.st1.ntp.br
> gps.ntp.br
>
> Or any other NTP server that has NTS deployed. Game-over for NTP
> impersonation.
>
>
> Rubens
>
> On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman  wrote:
>
>
> In a nutshell, no. Refer to my prior cites for detailed explanations. For
> a list of real-world attack incidents, see
>
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
>
>
>
> -mel
>
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams 
> wrote:
>
>
> 
>
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP
> peering a reasonable mitigation for this, as designed?
>
>
> Royce
>
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:
>
>
> William,
>
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial to spoof NTP packets, and many firewalls have no
> specific protection against this. in one attack the malefactor simply fires
> a continuous stream of NTP packets with invalid time at your firewall. When
> your NTP client queries the spoofed server, the malicious packet is the one
> you likely receive.
>
>
> That’s just one attack vector. There are several others, and all have
> complex remediation. Why should people bother being exposed to the risk at
> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve
> already described. Having suffered through such attacks more than once, I
> can say from personal experience that you don’t want to risk it.
>
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Dorn Hetzel via NANOG]

Diversity from GPS might also be obtained by setting one receiver for GPS
and another for Galileo.  I think I'd skip GLONASS for now :)


On Mon, Aug 7, 2023, 06:09 Rubens Kuhl  wrote:

> > > The paper suggests the compromise of critical infrastructure. So,
> besides not using NTP, why not stop using DNS ? Just populate a hosts file
> with all you need.
> >
> > Well DNS can be cryptographically secured.  There really isn’t any good
> reasons to not sign your zones today.  The majority of responses from
> authoritative servers are validated today so if you sign the responses will
> be checked.  Unfortunately most to those validations still result in
> insecure instead of secure because people are not signing their zones.
>
> So does NTP, with NTS.
>
> https://datatracker.ietf.org/doc/html/rfc8915
>
>
> Rubens
>

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

> > The paper suggests the compromise of critical infrastructure. So, besides 
> > not using NTP, why not stop using DNS ? Just populate a hosts file with all 
> > you need.
>
> Well DNS can be cryptographically secured.  There really isn’t any good 
> reasons to not sign your zones today.  The majority of responses from 
> authoritative servers are validated today so if you sign the responses will 
> be checked.  Unfortunately most to those validations still result in insecure 
> instead of secure because people are not signing their zones.

So does NTP, with NTS.

https://datatracker.ietf.org/doc/html/rfc8915


Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

On Sun, Aug 6, 2023 at 11:36 PM Mel Beckman  wrote:
>
> GPS Selective Availability did not disrupt the timing chain of GPS, only the 
> ephemeris (position information).  But a government-disrupted timebase 
> scenario has never occurred, while hackers are a documented threat.
>
> DNS has DNSSec, which while not deployed as broadly as we might like, at 
> least lets us know which servers we can trust.

NTP has NTS, which all 5 servers I mentioned have, and many more also have.

> Your own atomic clocks still have to be synced to a common standard to be 
> useful. To what are they sync’d? GPS, I’ll wager.

Nope, they are synced to the reference atomic clock of National
Observatory, pretty similar to USNO but local.

Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Giovane C. M. Moura via NANOG]

So the Anycast address our devices use internally to find the closest
 NTP server is geo-mapped to MU. 


So indeed, the pool will only send you a single NTP server in this case.
GeoDNS essentially map  you to mu.pool.ntp.org.

You can verify what NTP servers you can expect from the Pool by querying 
it directly (and thus bypassing GeoDNS mappings)


$ dig mu.pool.ntp.org


mu.pool.ntp.org.62  IN  A   197.224.66.40


However, the physical server is 
geo-mapped to the specific countries in Europe, e.g., GB, NL, FR, DE,


What really matters from GeoDNS is the IP address of your client -- the 
one that goes in the NTP query. So if you are using your anycast address 
to query, it does not matter what are the unicast addresses of your servers.



Unless the geo data ntp.org are using is inconsistent, I'd imagine
the servers should be mapped to a European pool, since the physical
address from which the server queries the pool is geo-mapped locally,
for this specific reason.


They also use the latest Maxmind mappings, and I confirmed it 
experimentally. ( I think it's fully automated their update method)


/giovane

Re: NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

On 8/7/23 11:04, Giovane C. M. Moura via NANOG wrote:

TL;DR: I'd guess your NTP Server IP address is geolocated to 
Mauritius. The Mauritius zone[0] on the pool has only one server, so 
you'll only see this one. To fix it, use europe.pool.ntp.org (_do not_ 
use pool.ntp.org).


So the Anycast address our devices use internally to find the closest 
NTP server is geo-mapped to MU. However, the physical server is 
geo-mapped to the specific countries in Europe, e.g., GB, NL, FR, DE, e.t.c.


Unless the geo data ntp.org are using is inconsistent, I'd imagine the 
servers should be mapped to a European pool, since the physical address 
from which the server queries the pool is geo-mapped locally, for this 
specific reason.


Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Giovane C. M. Moura via NANOG]

Hi Mark,



I have NTP servers in Europe that are choosing Tata (6453) to get to
 0.freebsd.pool.ntp.org which lives on 197.224.66.40:


NTP is not sync'ing to that address, and sessions stay in an Init
state.
TL;DR: I'd guess your NTP Server IP address is geolocated to Mauritius. 
The Mauritius zone[0] on the pool has only one server, so you'll only 
see this one. To fix it, use europe.pool.ntp.org (_do not_ use 
pool.ntp.org).



Longer answer:

NTP pool folks use GeoDNS[1], which is their DNS server to map clients 
to servers.


The `0.freebsd.pool.ntp.org` name is just an alias for them -- what they 
really do is this:


 * Get geolocation_data(client_IP_address): 
 * check country subzone in NTP pool (e.g, nl.pool.ntp.org [2]):
   * If there are >=1  servers in the zone, return (up to) 4 or them
   * If there is one, then return just one (this is a _known issue_)
   * if there is none, then fall back to the continent zone (Europe[3])

I've seen the same issue before with Guernsey clients (only one server). 
We have contact the pool operators and they are working now on a new 
GeoDNS version to prevent this from happening [4]


More details in [5].

In short, change your ntp configuration; the issue you have is that 
despite having 4k servers on the Pool, this strict GeoDNS mapping 
prevents you from accessing the other servers just bc of your IP 
address. The reasoning is to prevent asymmetric routing [4], but they 
are working on a fix to prevent these scenarios.



/giovane

[0] https://www.ntppool.org/zone/mu
[1] https://github.com/abh/geodns
[2] https://www.ntppool.org/zone/nl
[3] https://www.ntppool.org/zone/europe
[4] https://community.ntppool.org/t/minor-new-features-on-the-website/2947/8
[5] 
https://www.sidnlabs.nl/downloads/5aPx86UtFmvKs6WE3LHwbU/c6acce6a012fe07256bab8caefff54af/Diving_into_the_NTP_Pool.pdf

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

I  forgot to finish my thought in the third paragraph before hitting send.

What I was going to express was that one should choose not only close,
trusted, NTP servers, but also perhaps ones from different government
agencies, or different sources.   Sourcing time from multiple sources not
likely to be affected by the same outage and/or attack is good robust
design.

On Mon, Aug 7, 2023 at 2:39 AM Forrest Christian (List Account) <
li...@packetflux.com> wrote:

> The problem with relying exclusively on GPS to do time distribution is the
> ease with which one can spoof the GPS signals.
>
> With a budget of around $1K, not including a laptop, anyone with decent
> technical skills could convince a typical GPS receiver it was at any
> position and was at any time in the world.   All it takes is a decent
> directional antenna, some SDR hardware, and depending on the location and
> directivity of your antenna maybe a smallish amplifier.   There is much
> discussion right now in the PNT (Position, Navigation and Timing) community
> as to how best to secure the GNSS network, but right now one should
> consider the data from GPS to be no more trustworthy than some random NTP
> server on the internet.
>
> In order to build a resilient NTP server infrastructure you need multiple
> sources of time distributed by multiple methods - typically both via
> satellite (GPS) and by terrestrial (NTP) methods.   NTP does a pretty good
> job of sorting out multiple time servers and discarding sources that are
> lying.  But to do this you need multiple time sources.  A common
> recommendation is to run a couple/few NTP servers which only get time from
> a GPS receiver and only serve time to a second tier of servers that pull
> from both those in-house GPS-timed-NTP servers and other trusted NTP
> servers.   I'd recommend selecting the time servers to gain geographic
> diversity, i.e. poll NIST servers in Maryland and Colorado, and possibly
> both.
>
> Note that NIST will exchange (via mail) a set of keys with you to talk
> encrypted NTP with you.   See
> https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service
> .
>
>
>
> On Sun, Aug 6, 2023 at 8:36 PM Mel Beckman  wrote:
>
>> GPS Selective Availability did not disrupt the timing chain of GPS, only
>> the ephemeris (position information).  But a government-disrupted timebase
>> scenario has never occurred, while hackers are a documented threat.
>>
>> DNS has DNSSec, which while not deployed as broadly as we might like, at
>> least lets us know which servers we can trust.
>>
>> Your own atomic clocks still have to be synced to a common standard to be
>> useful. To what are they sync’d? GPS, I’ll wager.
>>
>> I sense hand-waving :)
>>
>> -mel via cell
>>
>> On Aug 6, 2023, at 7:04 PM, Rubens Kuhl  wrote:
>>
>> 
>>
>>
>> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:
>>
>>> Or one can read recent research papers that thoroughly document the
>>> incredible fragility of the existing NTP hierarchy and soberly consider
>>> their recommendations for remediation:
>>>
>>
>> The paper suggests the compromise of critical infrastructure. So, besides
>> not using NTP, why not stop using DNS ? Just populate a hosts file with all
>> you need.
>>
>> BTW, the stratum-0 source you suggested is known to have been manipulated
>> in the past (https://www.gps.gov/systems/gps/modernization/sa/), so you
>> need to bet on that specific state actor not returning to old habits.
>>
>> OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you
>> can keep using GPS as well. If GPS goes bananas on timing, that source will
>> just be disregarded (one of the features of the NTP architecture that has
>> been pointed out over and over in this thread and you keep ignoring it).
>>
>> Rubens
>>
>>
>
> --
> - Forrest
>


-- 
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

On 8/5/23 21:26, Mel Beckman wrote:


Mark,

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack surface.


To be honest, we have decent resiliency across the network to weather 
issues such as these. While going the GPS route is not a bad idea, I 
have more pressing problems to fix right now.


All that said, the issue seems to have corrected itself re: the Tata 
path (even if it's still the same path).


Appreciate all the feedback and support. Thanks.

Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Forrest Christian (List Account)]

The problem with relying exclusively on GPS to do time distribution is the
ease with which one can spoof the GPS signals.

With a budget of around $1K, not including a laptop, anyone with decent
technical skills could convince a typical GPS receiver it was at any
position and was at any time in the world.   All it takes is a decent
directional antenna, some SDR hardware, and depending on the location and
directivity of your antenna maybe a smallish amplifier.   There is much
discussion right now in the PNT (Position, Navigation and Timing) community
as to how best to secure the GNSS network, but right now one should
consider the data from GPS to be no more trustworthy than some random NTP
server on the internet.

In order to build a resilient NTP server infrastructure you need multiple
sources of time distributed by multiple methods - typically both via
satellite (GPS) and by terrestrial (NTP) methods.   NTP does a pretty good
job of sorting out multiple time servers and discarding sources that are
lying.  But to do this you need multiple time sources.  A common
recommendation is to run a couple/few NTP servers which only get time from
a GPS receiver and only serve time to a second tier of servers that pull
from both those in-house GPS-timed-NTP servers and other trusted NTP
servers.   I'd recommend selecting the time servers to gain geographic
diversity, i.e. poll NIST servers in Maryland and Colorado, and possibly
both.

Note that NIST will exchange (via mail) a set of keys with you to talk
encrypted NTP with you.   See
https://www.nist.gov/pml/time-and-frequency-division/time-services/nist-authenticated-ntp-service
.



On Sun, Aug 6, 2023 at 8:36 PM Mel Beckman  wrote:

> GPS Selective Availability did not disrupt the timing chain of GPS, only
> the ephemeris (position information).  But a government-disrupted timebase
> scenario has never occurred, while hackers are a documented threat.
>
> DNS has DNSSec, which while not deployed as broadly as we might like, at
> least lets us know which servers we can trust.
>
> Your own atomic clocks still have to be synced to a common standard to be
> useful. To what are they sync’d? GPS, I’ll wager.
>
> I sense hand-waving :)
>
> -mel via cell
>
> On Aug 6, 2023, at 7:04 PM, Rubens Kuhl  wrote:
>
> 
>
>
> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:
>
>> Or one can read recent research papers that thoroughly document the
>> incredible fragility of the existing NTP hierarchy and soberly consider
>> their recommendations for remediation:
>>
>
> The paper suggests the compromise of critical infrastructure. So, besides
> not using NTP, why not stop using DNS ? Just populate a hosts file with all
> you need.
>
> BTW, the stratum-0 source you suggested is known to have been manipulated
> in the past (https://www.gps.gov/systems/gps/modernization/sa/), so you
> need to bet on that specific state actor not returning to old habits.
>
> OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you
> can keep using GPS as well. If GPS goes bananas on timing, that source will
> just be disregarded (one of the features of the NTP architecture that has
> been pointed out over and over in this thread and you keep ignoring it).
>
> Rubens
>
>

-- 
- Forrest

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

GPS Selective Availability did not disrupt the timing chain of GPS, only the 
ephemeris (position information).  But a government-disrupted timebase scenario 
has never occurred, while hackers are a documented threat.

DNS has DNSSec, which while not deployed as broadly as we might like, at least 
lets us know which servers we can trust.

Your own atomic clocks still have to be synced to a common standard to be 
useful. To what are they sync’d? GPS, I’ll wager.

I sense hand-waving :)

-mel via cell

On Aug 6, 2023, at 7:04 PM, Rubens Kuhl  wrote:




On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman 
mailto:m...@beckman.org>> wrote:
Or one can read recent research papers that thoroughly document the incredible 
fragility of the existing NTP hierarchy and soberly consider their 
recommendations for remediation:

The paper suggests the compromise of critical infrastructure. So, besides not 
using NTP, why not stop using DNS ? Just populate a hosts file with all you 
need.

BTW, the stratum-0 source you suggested is known to have been manipulated in 
the past (https://www.gps.gov/systems/gps/modernization/sa/), so you need to 
bet on that specific state actor not returning to old habits.

OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you can 
keep using GPS as well. If GPS goes bananas on timing, that source will just be 
disregarded (one of the features of the NTP architecture that has been pointed 
out over and over in this thread and you keep ignoring it).

Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Mark Andrews]

> On 7 Aug 2023, at 12:02, Rubens Kuhl  wrote:
> 
> 
> 
> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:
> Or one can read recent research papers that thoroughly document the 
> incredible fragility of the existing NTP hierarchy and soberly consider their 
> recommendations for remediation:
> 
> The paper suggests the compromise of critical infrastructure. So, besides not 
> using NTP, why not stop using DNS ? Just populate a hosts file with all you 
> need. 

Well DNS can be cryptographically secured.  There really isn’t any good reasons 
to not sign your zones today.  The majority of responses from authoritative 
servers are validated today so if you sign the responses will be checked.  
Unfortunately most to those validations still result in insecure instead of 
secure because people are not signing their zones.

> BTW, the stratum-0 source you suggested is known to have been manipulated in 
> the past (https://www.gps.gov/systems/gps/modernization/sa/), so you need to 
> bet on that specific state actor not returning to old habits. 
> 
> OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you can 
> keep using GPS as well. If GPS goes bananas on timing, that source will just 
> be disregarded (one of the features of the NTP architecture that has been 
> pointed out over and over in this thread and you keep ignoring it). 
> 
> Rubens 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman  wrote:

> Or one can read recent research papers that thoroughly document the
> incredible fragility of the existing NTP hierarchy and soberly consider
> their recommendations for remediation:
>

The paper suggests the compromise of critical infrastructure. So, besides
not using NTP, why not stop using DNS ? Just populate a hosts file with all
you need.

BTW, the stratum-0 source you suggested is known to have been manipulated
in the past (https://www.gps.gov/systems/gps/modernization/sa/), so you
need to bet on that specific state actor not returning to old habits.

OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you
can keep using GPS as well. If GPS goes bananas on timing, that source will
just be disregarded (one of the features of the NTP architecture that has
been pointed out over and over in this thread and you keep ignoring it).

Rubens

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Bill,

You’re mistaking targeted NTP attacks with global ones. Yes, to attack your 
specific NTP client, the attacker has to know which NTP servers you’re using. 
But to simply succeed at random attacks, the attacker need only spoof popular 
servers. This is how time-shifting attacks work. Once an attack succeeds with a 
random victim, the hacker goes to work compromising time-sensitive security 
services.

And don’t forget that anyone can join pool.ntp.org. Including hackers. There is 
no credentialed vetting process.

 -mel

> On Aug 6, 2023, at 4:30 PM, William Herrin  wrote:
> 
> On Sun, Aug 6, 2023 at 1:19 PM Royce Williams  .com> wrote:
>> Wouldn't a robust implementation of peering - say, seven peers, with the NTP 
>> algorithm handily selecting a subset to peer with for each cycle - require 
>> an attacker to know and overwhelm not just one, but a majority of the peer 
>> IPs?
> 
> Hi Royce,
> 
> More or less, yes. There are some corner cases where that may not be
> true, but in terms of designing a useful attack, the attacker has to
> be able to figure out which NTP servers you're talking to, flood you
> with enough packets forged from all of them that the forged packet
> arrives ahead of the real one, generally no more than 10s of
> milliseconds behind the sent packet that only happens once every 15
> minutes or so. And then it has to move you off real time gradually
> enough for the NTP daemon not to decide the peer has become a false
> ticker.
> 
> It's like DNS cache poisoning but a few orders of magnitude harder.
> 
> 
>> This is *not* to say that I'm advocating against maintaining local stratum 
>> 0s as part of a proper operator-grade NTP mesh. (My definition of "robust 
>> implementation" would include both local stratum 0 and a healthy serving of 
>> Internet stratum 1s). I'm just suggesting "don't peer with public servers" 
>> seems draconian given the deliberate design choices of the protocol.
>> 
>> For this audience, this would recommend a tiered system where multiple 
>> mixed-stratum internal stratrum 0+1s would peer with each other, and 
>> maintain internal-facing consensus for all other downstream internal devices 
>> - such that the vast majority of internal peers would indeed not be talking 
>> to the public Internet (but the "parent" peers would, and have the mesh and 
>> mix that I describe).
> 
> 
> Well, it's not really one-size-fits-all.
> 
> Some systems consist of a well defined network containing routers and
> servers with clear boundaries between self and Internet. Your approach
> would work well there.
> 
> Some systems consist of equipment scattered at various data centers,
> interconnected by the Internet itself. Implementing a GPS time
> receiver at every one could get very expensive very fast. Standard
> security rules apply: don't spend more protecting yourself than the
> risk-cost. Risk is threat times vulnerability. Given the complexity of
> the attack, you have to consider whether you're enough of a target
> (threat) for anyone to bother.
> 
> Some systems are heavily virtualized, scattered over many vendors and
> locations. You could -try- to track down a "secured" NTP source from
> the vendor at each location, but that way lies configuration insanity.
> 
> Some systems are air-gapped from the Internet. You're going to get
> time from GPS or the cellular phone network. GPS devices like the one
> Mel pointed out are probably cheaper and more accurate.
> 
> Regards,
> Bill Herrin
> 
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

Fwd: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Or one can read recent research papers that thoroughly document the incredible 
fragility of the existing NTP hierarchy and soberly consider their 
recommendations for remediation:

https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1A-2_24302_paper.pdf

Or simply use non-Internet NTP servers based on a Stratum-0 GPS source for 
mission-critical network timing.

Until then, we may all wake up one morning and discover massive data breaches 
traced to an unfounded reliance on insecure public NTP servers. Then the game 
truly will be over, but not in our favor.

 -mel

On Aug 6, 2023, at 2:35 PM, Rubens Kuhl  wrote:

Or one can select NTS-capable NTP servers, like those 5:
a.st1.ntp.br
b.st1.ntp.br
c.st1.ntp.br
d.st1.ntp.br
gps.ntp.br

Or any other NTP server that has NTS deployed. Game-over for NTP impersonation.


Rubens

On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman  wrote:

In a nutshell, no. Refer to my prior cites for detailed explanations. For a 
list of real-world attack incidents, see

https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#


-mel

On Aug 6, 2023, at 12:03 PM, Royce Williams  wrote:


Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a 
reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:

William,

Due to flaws in the NTP protocol, a simple UDP filter is not enough. These 
flaws make it trivial to spoof NTP packets, and many firewalls have no specific 
protection against this. in one attack the malefactor simply fires a continuous 
stream of NTP packets with invalid time at your firewall. When your NTP client 
queries the spoofed server, the malicious packet is the one you likely receive.

That’s just one attack vector. There are several others, and all have complex 
remediation. Why should people bother being exposed to the risk at all? Simply 
avoid Internet-routed NTP. there are many solutions, as I’ve already described. 
Having suffered through such attacks more than once, I can say from personal 
experience that you don’t want to risk it.

Re: NTP Sync Issue Across Tata (Europe)

[William Herrin]

On Sun, Aug 6, 2023 at 1:19 PM Royce Williams  wrote:
> Wouldn't a robust implementation of peering - say, seven peers, with the NTP 
> algorithm handily selecting a subset to peer with for each cycle - require an 
> attacker to know and overwhelm not just one, but a majority of the peer IPs?

Hi Royce,

More or less, yes. There are some corner cases where that may not be
true, but in terms of designing a useful attack, the attacker has to
be able to figure out which NTP servers you're talking to, flood you
with enough packets forged from all of them that the forged packet
arrives ahead of the real one, generally no more than 10s of
milliseconds behind the sent packet that only happens once every 15
minutes or so. And then it has to move you off real time gradually
enough for the NTP daemon not to decide the peer has become a false
ticker.

It's like DNS cache poisoning but a few orders of magnitude harder.


> This is *not* to say that I'm advocating against maintaining local stratum 0s 
> as part of a proper operator-grade NTP mesh. (My definition of "robust 
> implementation" would include both local stratum 0 and a healthy serving of 
> Internet stratum 1s). I'm just suggesting "don't peer with public servers" 
> seems draconian given the deliberate design choices of the protocol.
>
> For this audience, this would recommend a tiered system where multiple 
> mixed-stratum internal stratrum 0+1s would peer with each other, and maintain 
> internal-facing consensus for all other downstream internal devices - such 
> that the vast majority of internal peers would indeed not be talking to the 
> public Internet (but the "parent" peers would, and have the mesh and mix that 
> I describe).


Well, it's not really one-size-fits-all.

Some systems consist of a well defined network containing routers and
servers with clear boundaries between self and Internet. Your approach
would work well there.

Some systems consist of equipment scattered at various data centers,
interconnected by the Internet itself. Implementing a GPS time
receiver at every one could get very expensive very fast. Standard
security rules apply: don't spend more protecting yourself than the
risk-cost. Risk is threat times vulnerability. Given the complexity of
the attack, you have to consider whether you're enough of a target
(threat) for anyone to bother.

Some systems are heavily virtualized, scattered over many vendors and
locations. You could -try- to track down a "secured" NTP source from
the vendor at each location, but that way lies configuration insanity.

Some systems are air-gapped from the Internet. You're going to get
time from GPS or the cellular phone network. GPS devices like the one
Mel pointed out are probably cheaper and more accurate.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

Or one can select NTS-capable NTP servers, like those 5:
a.st1.ntp.br
b.st1.ntp.br
c.st1.ntp.br
d.st1.ntp.br
gps.ntp.br

Or any other NTP server that has NTS deployed. Game-over for NTP impersonation.


Rubens

On Sun, Aug 6, 2023 at 4:41 PM Mel Beckman  wrote:
>
> In a nutshell, no. Refer to my prior cites for detailed explanations. For a 
> list of real-world attack incidents, see
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
>
>
>  -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams  wrote:
>
> 
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a 
> reasonable mitigation for this, as designed?
>
> Royce
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:
>>
>> William,
>>
>> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These 
>> flaws make it trivial to spoof NTP packets, and many firewalls have no 
>> specific protection against this. in one attack the malefactor simply fires 
>> a continuous stream of NTP packets with invalid time at your firewall. When 
>> your NTP client queries the spoofed server, the malicious packet is the one 
>> you likely receive.
>>
>> That’s just one attack vector. There are several others, and all have 
>> complex remediation. Why should people bother being exposed to the risk at 
>> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve 
>> already described. Having suffered through such attacks more than once, I 
>> can say from personal experience that you don’t want to risk it.
>>

Re: NTP Sync Issue Across Tata (Europe)

[Neil Hanlon]

This entirely discounts the fact that bcp-38 and bcp-84 which, more or
less, eliminate this "problem space" entirely.

I find it hard to believe ntp reflection is actually a problem in the year
2023, assuming you're not running a ridiculously old ntp client and have
taken really simple steps to protect your network.

On Sun, Aug 6, 2023, 15:42 Mel Beckman  wrote:

> In a nutshell, no. Refer to my prior cites for detailed explanations. For
> a list of real-world attack incidents, see
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
> 
>
>
>  -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams 
> wrote:
>
> 
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP
> peering a reasonable mitigation for this, as designed?
>
> Royce
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:
>
>> William,
>>
>> Due to flaws in the NTP protocol, a simple UDP filter is not enough.
>> These flaws make it trivial to spoof NTP packets, and many firewalls have
>> no specific protection against this. in one attack the malefactor simply
>> fires a continuous stream of NTP packets with invalid time at your
>> firewall. When your NTP client queries the spoofed server, the malicious
>> packet is the one you likely receive.
>>
>> That’s just one attack vector. There are several others, and all have
>> complex remediation. Why should people bother being exposed to the risk at
>> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve
>> already described. Having suffered through such attacks more than once, I
>> can say from personal experience that you don’t want to risk it.
>>
>>

Re: NTP Sync Issue Across Tata (Europe)

[Royce Williams]

Respectfully, that Wikipedia article (which is mostly about legit but
unauthorized clients overwhelming a given peer) and your cites don't seem
to cover what I was responding to - the "don't peer with public NTP because
someone can flood your firewall and spoof the responses" problem. I just
want to make sure that I'm understanding the distinction betwen this class
and other classes of attack.

Wouldn't a robust implementation of peering - say, seven peers, with the
NTP algorithm handily selecting a subset to peer with for each cycle -
require an attacker to know and overwhelm not just one, but a majority of
the peer IPs?

This is *not* to say that I'm advocating against maintaining local stratum
0s as part of a proper operator-grade NTP mesh. (My definition of "robust
implementation" would include both local stratum 0 and a healthy serving of
Internet stratum 1s). I'm just suggesting "don't peer with public servers"
seems draconian given the deliberate design choices of the protocol.

For this audience, this would recommend a tiered system where multiple
mixed-stratum internal stratrum 0+1s would peer with each other, and
maintain internal-facing consensus for all other downstream internal
devices - such that the vast majority of internal peers would indeed not be
talking to the public Internet (but the "parent" peers would, and have the
mesh and mix that I describe).

And I'm well aware of who I'm saying this to ... so I expect to find out
where I'm wrong, as I keep digging. :D

-- 
Royce

On Sun, Aug 6, 2023 at 11:40 AM Mel Beckman  wrote:

> In a nutshell, no. Refer to my prior cites for detailed explanations. For
> a list of real-world attack incidents, see
>
> https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#
> 
>
>
>  -mel
>
> On Aug 6, 2023, at 12:03 PM, Royce Williams 
> wrote:
>
> 
> Naively, instead of abstaining ;) ... isn't robust diversity of NTP
> peering a reasonable mitigation for this, as designed?
>
> Royce
>
> On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:
>
>> William,
>>
>> Due to flaws in the NTP protocol, a simple UDP filter is not enough.
>> These flaws make it trivial to spoof NTP packets, and many firewalls have
>> no specific protection against this. in one attack the malefactor simply
>> fires a continuous stream of NTP packets with invalid time at your
>> firewall. When your NTP client queries the spoofed server, the malicious
>> packet is the one you likely receive.
>>
>> That’s just one attack vector. There are several others, and all have
>> complex remediation. Why should people bother being exposed to the risk at
>> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve
>> already described. Having suffered through such attacks more than once, I
>> can say from personal experience that you don’t want to risk it.
>>
>>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

In a nutshell, no. Refer to my prior cites for detailed explanations. For a 
list of real-world attack incidents, see

https://en.m.wikipedia.org/wiki/NTP_server_misuse_and_abuse#


 -mel

On Aug 6, 2023, at 12:03 PM, Royce Williams  wrote:


Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering a 
reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman 
mailto:m...@beckman.org>> wrote:
William,

Due to flaws in the NTP protocol, a simple UDP filter is not enough. These 
flaws make it trivial to spoof NTP packets, and many firewalls have no specific 
protection against this. in one attack the malefactor simply fires a continuous 
stream of NTP packets with invalid time at your firewall. When your NTP client 
queries the spoofed server, the malicious packet is the one you likely receive.

That’s just one attack vector. There are several others, and all have complex 
remediation. Why should people bother being exposed to the risk at all? Simply 
avoid Internet-routed NTP. there are many solutions, as I’ve already described. 
Having suffered through such attacks more than once, I can say from personal 
experience that you don’t want to risk it.

Re: NTP Sync Issue Across Tata (Europe)

[James R Cutler]

A carefully selected set of stratum 0 sources for a set of stratum 1 servers is 
the heart of good NTP source design. With at least four “local” stratum 1 
servers, Dr. Mills algorithm is excellent at distinguishing truechimers from 
falsetickers and providing a reliable source of monotonic time. DOS is a 
separate problem.

My NTP network deployment experience for a major auto manufacturer, among 
others, is in agreement with William Herin. A GPS NTP source is a valid Stratum 
0 source, but relying on a single instance for local time is not exceedingly 
better than querying time.apple.com  or a similar 
source.
-
James R. Cutler 
> 
> William,
> 
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These 
> flaws make it trivial to spoof NTP packets, and many firewalls have no 
> specific protection against this. in one attack the malefactor simply fires a 
> continuous stream of NTP packets with invalid time at your firewall. When 
> your NTP client queries the spoofed server, the malicious packet is the one 
> you likely receive.
> 
> That’s just one attack vector. There are several others, and all have complex 
> remediation. Why should people bother being exposed to the risk at all? 
> Simply avoid Internet-routed NTP. there are many solutions, as I’ve already 
> described. Having suffered through such attacks more than once, I can say 
> from personal experience that you don’t want to risk it.
> 
> -mel 
> 
>> On Aug 6, 2023, at 10:53 AM, William Herrin  wrote:
>> 
>> On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman  wrote:
>>> That still leaves you open to NTP attacks. The USNO accuracy and monitoring 
>>> is worthless if you suffer, for example, an NTP DDoS attack.
>> 
>> Hi Mel,
>> 
>> From what I can tell, a fairly simple firewall policy of allow UDP 123
>> from known NTP clients and established connections (I sent them a UDP
>> packet recently) stops every one of those attacks (that's actually an
>> NTP attack and not something else like a DNS attack) except for
>> upstream address hijack that happens to coincide with your system
>> boot. And it still depends on the attacker executing an additional
>> sophisticated attack to do more than cause you a denial of service.
>> 
>> The links you sent are very interesting, at least in an academic
>> sense, but they don't cause me to be unduly concerned about employing
>> NTP.
>> 
>> 
>>> if you can eliminate such security problems for $400, I say it’s cheap at 
>>> twice the price.
>> 
>> Except you can't. Redundancy is required for any critical service. At
>> the $400 price point, your approach has multiple
>> single-points-of-failure. The device itself of course. Your ability to
>> receive continuous non-jammed GPS signals at the location where you're
>> able to place an antenna. And in your plan you'll need one of these in
>> every discontiguous network where you have equipment since you're not
>> doing NTP over the Internet.
>> 
>> Not to mention the operations cost. Keeping track of a six inch brick
>> with a wall wart and an antenna installed at a remote site is... not
>> entirely abnormal but it's a one-off that consumes manpower.
>> 
>> And then you're only vulnerable to the litany of Internet attacks
>> which don't involve NTP. Yay!
>> 
>> Don't get me wrong: the Time Machines TM1000A you recommended looks
>> like a cool little device well worth checking into. As a supplement to
>> Internet NTP, not a replacement.
>> 
>> Regards,
>> Bill Herrin
>> 
>> 
>> --
>> William Herrin
>> b...@herrin.us
>> https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[Royce Williams]

Naively, instead of abstaining ;) ... isn't robust diversity of NTP peering
a reasonable mitigation for this, as designed?

Royce

On Sun, Aug 6, 2023 at 10:21 AM Mel Beckman  wrote:

> William,
>
> Due to flaws in the NTP protocol, a simple UDP filter is not enough. These
> flaws make it trivial to spoof NTP packets, and many firewalls have no
> specific protection against this. in one attack the malefactor simply fires
> a continuous stream of NTP packets with invalid time at your firewall. When
> your NTP client queries the spoofed server, the malicious packet is the one
> you likely receive.
>
> That’s just one attack vector. There are several others, and all have
> complex remediation. Why should people bother being exposed to the risk at
> all? Simply avoid Internet-routed NTP. there are many solutions, as I’ve
> already described. Having suffered through such attacks more than once, I
> can say from personal experience that you don’t want to risk it.
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

William,

Due to flaws in the NTP protocol, a simple UDP filter is not enough. These 
flaws make it trivial to spoof NTP packets, and many firewalls have no specific 
protection against this. in one attack the malefactor simply fires a continuous 
stream of NTP packets with invalid time at your firewall. When your NTP client 
queries the spoofed server, the malicious packet is the one you likely receive.

That’s just one attack vector. There are several others, and all have complex 
remediation. Why should people bother being exposed to the risk at all? Simply 
avoid Internet-routed NTP. there are many solutions, as I’ve already described. 
Having suffered through such attacks more than once, I can say from personal 
experience that you don’t want to risk it.

 -mel 

> On Aug 6, 2023, at 10:53 AM, William Herrin  wrote:
> 
> On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman  wrote:
>> That still leaves you open to NTP attacks. The USNO accuracy and monitoring 
>> is worthless if you suffer, for example, an NTP DDoS attack.
> 
> Hi Mel,
> 
> From what I can tell, a fairly simple firewall policy of allow UDP 123
> from known NTP clients and established connections (I sent them a UDP
> packet recently) stops every one of those attacks (that's actually an
> NTP attack and not something else like a DNS attack) except for
> upstream address hijack that happens to coincide with your system
> boot. And it still depends on the attacker executing an additional
> sophisticated attack to do more than cause you a denial of service.
> 
> The links you sent are very interesting, at least in an academic
> sense, but they don't cause me to be unduly concerned about employing
> NTP.
> 
> 
>> if you can eliminate such security problems for $400, I say it’s cheap at 
>> twice the price.
> 
> Except you can't. Redundancy is required for any critical service. At
> the $400 price point, your approach has multiple
> single-points-of-failure. The device itself of course. Your ability to
> receive continuous non-jammed GPS signals at the location where you're
> able to place an antenna. And in your plan you'll need one of these in
> every discontiguous network where you have equipment since you're not
> doing NTP over the Internet.
> 
> Not to mention the operations cost. Keeping track of a six inch brick
> with a wall wart and an antenna installed at a remote site is... not
> entirely abnormal but it's a one-off that consumes manpower.
> 
> And then you're only vulnerable to the litany of Internet attacks
> which don't involve NTP. Yay!
> 
> Don't get me wrong: the Time Machines TM1000A you recommended looks
> like a cool little device well worth checking into. As a supplement to
> Internet NTP, not a replacement.
> 
> Regards,
> Bill Herrin
> 
> 
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[William Herrin]

On Sat, Aug 5, 2023 at 7:24 PM Mel Beckman  wrote:
> That still leaves you open to NTP attacks. The USNO accuracy and monitoring 
> is worthless if you suffer, for example, an NTP DDoS attack.

Hi Mel,

>From what I can tell, a fairly simple firewall policy of allow UDP 123
from known NTP clients and established connections (I sent them a UDP
packet recently) stops every one of those attacks (that's actually an
NTP attack and not something else like a DNS attack) except for
upstream address hijack that happens to coincide with your system
boot. And it still depends on the attacker executing an additional
sophisticated attack to do more than cause you a denial of service.

The links you sent are very interesting, at least in an academic
sense, but they don't cause me to be unduly concerned about employing
NTP.


> if you can eliminate such security problems for $400, I say it’s cheap at 
> twice the price.

Except you can't. Redundancy is required for any critical service. At
the $400 price point, your approach has multiple
single-points-of-failure. The device itself of course. Your ability to
receive continuous non-jammed GPS signals at the location where you're
able to place an antenna. And in your plan you'll need one of these in
every discontiguous network where you have equipment since you're not
doing NTP over the Internet.

Not to mention the operations cost. Keeping track of a six inch brick
with a wall wart and an antenna installed at a remote site is... not
entirely abnormal but it's a one-off that consumes manpower.

And then you're only vulnerable to the litany of Internet attacks
which don't involve NTP. Yay!

Don't get me wrong: the Time Machines TM1000A you recommended looks
like a cool little device well worth checking into. As a supplement to
Internet NTP, not a replacement.

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Niels,

You’re the first person to mention neutral collocation facilities as a 
requirement. The OP only talked about servers generally. Obviously, building 
your own GPS-based NTP network requires you have visibility to the sky. 
However, that need not be rooftop access. We routinely locate GPS antennae for 
time synch at CLEC colos in an available window, behind the glass. Nobody has 
yet charged us anything more than a one-time cabling fee for that.

But most carrier-neutral colos already have their own GPS-derived, non-Internet 
time source to which you can subscribe. There is thus no reason to build your 
own airgapped network, as one is already available from the facility. If you 
don’t need PTP 50-μs-precise timing for SONET and whatnot, ordinary NTP is very 
cost effective. For example:


About Equinix Precision 
Time
docs.equinix.com
[favicon-16x16.png]

Most colos also offer their own Stratum-1 public NTP servers for free. For 
example, Hurricane Electric (https://www.he.net/adm/ntp.html). Being you’re 
already on-net in the colo, that would still give you NTP that doesn’t transit 
the Internet. Still way better than pool.ntp.org!


 -mel

On Aug 6, 2023, at 4:53 AM, Niels Bakker  wrote:

* m...@beckman.org (Mel Beckman) [Sun 06 Aug 2023, 04:26 CEST]:
if you can eliminate such security problems for $400, I say it’s cheap at twice 
the price.

You must be unfamiliar with the prices neutral colocation facilities charge for 
roof access.


   -- Niels.

Re: NTP Sync Issue Across Tata (Europe)

[Niels Bakker]

* m...@beckman.org (Mel Beckman) [Sun 06 Aug 2023, 04:26 CEST]:
if you can eliminate such security problems for $400, I say it’s 
cheap at twice the price.


You must be unfamiliar with the prices neutral colocation facilities 
charge for roof access.



-- Niels.

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Bill,

That still leaves you open to NTP attacks. The USNO accuracy and monitoring is 
worthless if you suffer, for example, an NTP DDoS attack.


[ddos-lc.png]
NTP amplification DDoS 
attack
cloudflare.com


There  are also replay and Man in the middle attacks (MITM) which can corrupt 
local NTP servers’ time basis. Worse, security flaws in NTP make others 
security protocols, such as SSL, vulnerable.

https://www.sidn.nl/en/news-and-blogs/security-flaws-in-network-time-protocol-make-other-security-protocols-vulnerable

if you can eliminate such security problems for $400, I say it’s cheap at twice 
the price.

 -mel

On Aug 5, 2023, at 6:18 PM, William Herrin  wrote:

On Sat, Aug 5, 2023 at 12:26 PM Mel Beckman  wrote:
You might consider setting up your own GPS-based NTP network.

GPS time is monitored (and when necessary, adjusted) from the U.S.
Naval Observatory Master Clock, which is -the- authoritative time
source for the United States. The USNO also provides an NTP time
source from the same master clock:

https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/

You -should not- just point your servers there, but it's useful to
point a few servers each at one of them in order to serve as your
network stratum 2 sources that keep the rest of your machines in sync
with each other.

That last point is key. You don't want your servers in sync with
random Internet time sources. You want them in sync with each other.

Regards,
Bill Herrin



--
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[William Herrin]

On Sat, Aug 5, 2023 at 12:26 PM Mel Beckman  wrote:
> You might consider setting up your own GPS-based NTP network.

GPS time is monitored (and when necessary, adjusted) from the U.S.
Naval Observatory Master Clock, which is -the- authoritative time
source for the United States. The USNO also provides an NTP time
source from the same master clock:

https://www.cnmoc.usff.navy.mil/Our-Commands/United-States-Naval-Observatory/Precise-Time-Department/Network-Time-Protocol-NTP/

You -should not- just point your servers there, but it's useful to
point a few servers each at one of them in order to serve as your
network stratum 2 sources that keep the rest of your machines in sync
with each other.

That last point is key. You don't want your servers in sync with
random Internet time sources. You want them in sync with each other.

Regards,
Bill Herrin



-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/

Re: NTP Sync Issue Across Tata (Europe)

[Rubens Kuhl]

If the path has simmetric one way latencies you don't have to pick a lower
latency faulty one. Perhaps creating a selection at startup and then using
that collection ?

Rubens

Em sáb., 5 de ago. de 2023 12:42, Mark Tinka  escreveu:

> Hi all.
>
> I have NTP servers in Europe that are choosing Tata (6453) to get to
> 0.freebsd.pool.ntp.org which lives on 197.224.66.40:
>
> traceroute -I 0.freebsd.pool.ntp.org
> traceroute to 0.freebsd.pool.ntp.org (197.224.66.40), 64 hops max, 48
> byte packets
>  1  ae-2-24.er-01-ams.nl.seacomnet.com (105.26.64.13)  0.300 ms  0.301
> ms  0.215 ms
>  2  ce-0-0-11.cr-01-mrs.fr.seacomnet.com (105.16.8.201)  22.163 ms
> 22.370 ms  22.084 ms
>  3  ce-0-0-3.br-01-mrs.fr.seacomnet.com (105.16.32.254)  20.230 ms
> 20.243 ms  20.139 ms
>  4  ix-hge-0-0-0-28.ecore3.emrs2-marseille.as6453.net (80.231.165.52)
> 21.875 ms  21.679 ms  21.762 ms
>  5  * if-be-3-2.ecore2.emrs2-marseille.as6453.net (195.219.175.0)  42.751
> ms *
>  6  if-ae-25-2.tcore1.ldn-london.as6453.net (195.219.175.5)  43.509 ms
> 43.280 ms  43.353 ms
>  7  195.219.83.158 (195.219.83.158)  203.310 ms  203.452 ms  203.209 ms
>  8  196.20.225.84 (196.20.225.84)  208.289 ms  208.637 ms  208.374 ms
>  9  197.226.230.13 (197.226.230.13)  209.657 ms  209.658 ms  209.830 ms
> 10  197.224.66.40 (197.224.66.40)  208.638 ms  208.632 ms  208.712 ms
>
> NTP is not sync'ing to that address, and sessions stay in an Init state.
>
> Other NTP servers I have in Africa are reaching the same address via local
> Anycast hosters, and sync'ing just fine.
>
> Anyone else seeing this particular issue across Tata in Europe?
>
> Mark.
>

Re: NTP Sync Issue Across Tata (Europe)

[Mel Beckman]

Mark,

You might consider setting up your own GPS-based NTP network. Commercial 
Ethernet GPS-sourced NTP servers, such as the Time Machines, TM1000A, are as 
little as $400. Or you can roll your own using a Raspberry Pi or similar nano 
computer with a GPS module and antenna. We use these exclusively in data 
centers now rather than depending on Internet NTP servers, primarily for 
security, because financial transactions in e-commerce can be sensitive to 
false time information. There are also a variety of NTP-based Internet attacks, 
so if you can block NTP at your border you’ve eliminated another attack surface.

-mel via cell

> On Aug 5, 2023, at 11:22 AM, Mark Tinka  wrote:
> 
> 
> 
>> On 8/5/23 20:17, Chris Adams wrote:
>> 
>> It's the NTP pool people you need to talk to - the .freebsd. bit is just
>> a vendored entry into the pool (more for load tracking and management).
> 
> Yes, Andreas clarified in unicast. Will do. Thanks.
> 
> Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

On 8/5/23 20:17, Chris Adams wrote:


It's the NTP pool people you need to talk to - the .freebsd. bit is just
a vendored entry into the pool (more for load tracking and management).


Yes, Andreas clarified in unicast. Will do. Thanks.

Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Chris Adams]

Once upon a time, Mark Tinka  said:
> On 8/5/23 19:51, Andreas Ott wrote:
> >See for yourself how his pool server scores at
> >https://www.ntppool.org/scores/197.224.66.40
> >
> >I am not sure why it would be inserted into DNS answers for a
> >worldwide pool like 0.freebsd as it clearly does have connectivity
> >issues from some of the pool project's own sensors.
> 
> Many thanks, Andreas.
> 
> I'll take this up with the FreeBSD folk.

It's the NTP pool people you need to talk to - the .freebsd. bit is just
a vendored entry into the pool (more for load tracking and management).

-- 
Chris Adams 

Re: NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

On 8/5/23 19:51, Andreas Ott wrote:

See for yourself how his pool server scores at 
https://www.ntppool.org/scores/197.224.66.40


I am not sure why it would be inserted into DNS answers for a 
worldwide pool like 0.freebsd as it clearly does have connectivity 
issues from some of the pool project's own sensors.


Many thanks, Andreas.

I'll take this up with the FreeBSD folk.

Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Andreas Ott]

See for yourself how his pool server scores at
https://www.ntppool.org/scores/197.224.66.40

I am not sure why it would be inserted into DNS answers for a worldwide
pool like 0.freebsd as it clearly does have connectivity issues from some
of the pool project's own sensors.
-andreas

On Sat, Aug 5, 2023 at 9:37 AM Mark Tinka  wrote:

>
> I was speaking about Europe.
>
> There is no problem in Africa.
>
>

Re: NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

On 8/5/23 18:30, Matthew McGehrin wrote:


Hi Mark.

Wouldn't a local server be more optimal?

IE:

   server 0.nl.pool.ntp.org
   server 1.nl.pool.ntp.org
   server 2.nl.pool.ntp.org
   server 3.nl.pool.ntp.org


I have a bunch of servers all over Europe I'd prefer not to touch if 
this is just a transient issue.




Or for Africa
server 0.za.pool.ntp.org
   server 1.za.pool.ntp.org
   server 2.za.pool.ntp.org
   server 3.za.pool.ntp.org


I was speaking about Europe.

There is no problem in Africa.

Mark.

Re: NTP Sync Issue Across Tata (Europe)

[Matthew McGehrin]

Hi Mark.

Wouldn't a local server be more optimal?

IE:

   server 0.nl.pool.ntp.org
   server 1.nl.pool.ntp.org
   server 2.nl.pool.ntp.org
   server 3.nl.pool.ntp.org

Or for Africa
   server 0.za.pool.ntp.org
   server 1.za.pool.ntp.org
   server 2.za.pool.ntp.org
   server 3.za.pool.ntp.org

Matthew

On 8/5/2023 10:41 AM, Mark Tinka wrote:

Hi all.

I have NTP servers in Europe that are choosing Tata (6453) to get to 
0.freebsd.pool.ntp.org which lives on 197.224.66.40:


traceroute -I 0.freebsd.pool.ntp.org
traceroute to 0.freebsd.pool.ntp.org (197.224.66.40), 64 hops max, 48 
byte packets



Mark.

NTP Sync Issue Across Tata (Europe)

[Mark Tinka]

Hi all.

I have NTP servers in Europe that are choosing Tata (6453) to get to 
0.freebsd.pool.ntp.org which lives on 197.224.66.40:


traceroute -I 0.freebsd.pool.ntp.org
traceroute to 0.freebsd.pool.ntp.org (197.224.66.40), 64 hops max, 48 
byte packets
 1  ae-2-24.er-01-ams.nl.seacomnet.com (105.26.64.13)  0.300 ms 0.301 
ms  0.215 ms
 2  ce-0-0-11.cr-01-mrs.fr.seacomnet.com (105.16.8.201)  22.163 ms  
22.370 ms  22.084 ms
 3  ce-0-0-3.br-01-mrs.fr.seacomnet.com (105.16.32.254)  20.230 ms  
20.243 ms  20.139 ms
 4  ix-hge-0-0-0-28.ecore3.emrs2-marseille.as6453.net (80.231.165.52)  
21.875 ms  21.679 ms  21.762 ms
 5  * if-be-3-2.ecore2.emrs2-marseille.as6453.net (195.219.175.0) 
42.751 ms *
 6  if-ae-25-2.tcore1.ldn-london.as6453.net (195.219.175.5) 43.509 ms  
43.280 ms  43.353 ms

 7  195.219.83.158 (195.219.83.158)  203.310 ms  203.452 ms 203.209 ms
 8  196.20.225.84 (196.20.225.84)  208.289 ms  208.637 ms  208.374 ms
 9  197.226.230.13 (197.226.230.13)  209.657 ms  209.658 ms 209.830 ms
10  197.224.66.40 (197.224.66.40)  208.638 ms  208.632 ms  208.712 ms

NTP is not sync'ing to that address, and sessions stay in an Init state.

Other NTP servers I have in Africa are reaching the same address via 
local Anycast hosters, and sync'ing just fine.


Anyone else seeing this particular issue across Tata in Europe?

Mark.