On (2014-02-08 19:43 -0500), Jay Ashworth wrote:
In the architecture I described, though, is it really true that the odds
of the common types of failure are higher than with only one?
I think so, let's assume arbitrarily that probability of NTP server not
starting to give incorrect time is 99%
Best practice is five. =) I don't remember if it's in FAQ on ntp.org or in
David Mills' book. Your local clock is kind of a gullible push-over which
will vote for the party providing most reasonable data. The algorithm
would filter out insane sources which run too far from the rest and then
group
- Original Message -
From: Saku Ytti s...@ytti.fi
In the architecture I described, though, is it really true that the
odds of the common types of failure are higher than with only one?
I think so, let's assume arbitrarily that probability of NTP server not
starting to give
On (2014-02-09 15:16 -0500), Jay Ashworth wrote:
Then either of two servers not giving incorrect time is 0.99**2 i.e. 98%, so
two NTP servers would be 1% point more likely to give incorrect time than
one over 1 year time.
That's only true if the two devices have common failure modes,
- Original Message -
From: Saku Ytti s...@ytti.fi
That's only true if the two devices have common failure modes,
though, is it not?
No, we can assume an arbitrary fault which causes NTP to output bad time. With
two NTP servers it's more likely that any one of them will start doing
On 2/9/2014 2:45 PM, Jay Ashworth wrote:
Or do I understand NTP less well than I think?
I am of the private opinion that if your name is not David Mill (and
MAYBE if it IS) the answer is either 42 or yes.
--
Requiescas in pace o email Two identifying characteristics
On (2014-02-09 15:45 -0500), Jay Ashworth wrote:
If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
know which one it is, because the other one will still match what I already
have running, no?
Or do I understand NTP less well than I think?
I don't think you can
On Sun, Feb 9, 2014 at 2:45 PM, Jay Ashworth j...@baylink.com wrote:
[snip]
If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
know which one it is, because the other one will still match what I already
have running, no?
The question should be how assured is the
On (2014-02-09 21:08 +0100), Andriy Bilous wrote:
Best practice is five. =) I don't remember if it's in FAQ on ntp.org or in
David Mills' book. Your local clock is kind of a gullible push-over which
will vote for the party providing most reasonable data. The algorithm
would filter out insane
Look back in the archives and see the problems that erupted when one of
the big guys rebooted and came on line with bad time(tock.usno.navy.mil
in Nov of 2012). It was talked about in Outages and other lists at the
time it happened.
On 02/09/14 14:56, Saku Ytti wrote:
On (2014-02-09 15:45
On Sun, Feb 09, 2014 at 03:45:19PM -0500, Jay Ashworth wrote:
- Original Message -
From: Saku Ytti s...@ytti.fi
That's only true if the two devices have common failure modes,
though, is it not?
No, we can assume an arbitrary fault which causes NTP to output bad time. With
Unfortunately I don't have the book handy. Maybe I am wrong too. Just
checked and 4 looks to be a valid solution for 1 falseticker according to
Byzantine Generals' Problem.
On Sun, Feb 9, 2014 at 10:03 PM, Saku Ytti s...@ytti.fi wrote:
On (2014-02-09 21:08 +0100), Andriy Bilous wrote:
Best
On Feb 9, 2014, at 3:50 PM, Larry Sheldon larryshel...@cox.net wrote:
On 2/9/2014 2:45 PM, Jay Ashworth wrote:
Or do I understand NTP less well than I think?
I am of the private opinion that if your name is not David Mill (and MAYBE
if it IS) the answer is either 42 or yes.
On 2/9/2014 6:42 PM, James R Cutler wrote:
On Feb 9, 2014, at 3:50 PM, Larry Sheldon larryshel...@cox.net
wrote:
On 2/9/2014 2:45 PM, Jay Ashworth wrote:
Or do I understand NTP less well than I think?
I am of the private opinion that if your name is not David Mill
(and MAYBE if it IS) the
On 2/9/2014 7:04 PM, Larry Sheldon wrote:
In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I was everybody else.
In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I was
On Fri, Feb 07, 2014 at 01:14:09PM -0500, Jared Mauch wrote:
If you want something that is cheap as in you for your home, I can
recommend this: ~$350 w/ antenna, etc..
http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
You can get the whole thing going quickly. Majdi has also had
- Original Message -
From: Saku Ytti s...@ytti.fi
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house servers, each of which
talks to:
And then point everyone in house to both of them, assuming they
accept multiple server names.
Two
- Original Message -
From: Jimmy Hess mysi...@gmail.com
Don't forget poor performance due to high latency, or
Server X emitting corrupted or inaccurate data
My two internal servers were my two uplink firewalls, and were pretty
thoroughly monitored. Had NTP gone insane, I'd have heard
- Original Message -
From: Matthew Huff mh...@ox.com
Working in the financial world, the best practice is to have 4 ntp
servers (if not using PTP).
1) You need 3 to determine the correct time (and detect bad tickers)
2) If you lose 1 of the 3 above, then you no longer can determine
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house servers, each of which
talks to:
And then point everyone in house to both of them, assuming they accept
multiple server names.
Two is the worst possible number of NTP servers to have. Either one fails
On Fri, Feb 7, 2014 at 5:35 AM, Saku Ytti s...@ytti.fi wrote:
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house servers, each of which
talks to:
Two is the worst possible number of NTP servers to have. Either one fails and
your timing is wrong,
On 2/7/2014 3:35 AM, Saku Ytti wrote:
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house servers, each of which
talks to:
And then point everyone in house to both of them, assuming they accept
multiple server names.
Two is the worst possible number of
-Original Message-
From: Roy [mailto:r.engehau...@gmail.com]
Sent: Friday, February 7, 2014 10:23 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources
On 2/7/2014 3:35 AM, Saku Ytti wrote:
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house
On Feb 7, 2014, at 10:56 AM, Matthew Huff mh...@ox.com wrote:
Working in the financial world, the best practice is to have 4 ntp servers
(if not using PTP).
1) You need 3 to determine the correct time (and detect bad tickers)
2) If you lose 1 of the 3 above, then you no longer can
With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.
GPS: http://www.sureelectronics.net/goods.php?id=99
Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm
-Alby
On 2/7/2014 1:14 PM, Jared Mauch wrote:
Having a number of NTP servers will help you detect false
Raspberry Pi
---
This unfortunately doesn't give you trusted time. It gives you David's
Raspberry Pi with an Adafruit Ultimate GPS breakout board which is a
waste of time if you need an evidence grade of time service. It also
means you assemble it and run it yourself.
If you
On Fri, Feb 07, 2014 at 03:32:22PM -0500, Anthony Williams wrote:
With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.
GPS: http://www.sureelectronics.net/goods.php?id=99
Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm
-Alby
On 2/7/2014 1:14 PM, Jared
www.pool.ntp.org
Original message
From: Notify Me notify.s...@gmail.com
Date:
To: nanog@nanog.org list nanog@nanog.org,af...@afnog.org
Subject: Need trusted NTP Sources
Hi !
I'm trying to help a company I work for to pass an audit, and we've
been told we need
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it).
So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is
We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
On Feb 6, 2014 11:43 AM, Nick Hilliard n...@foobar.org wrote:
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a company I work for to
According to the auditors, trusted means
1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)
Which is a bit of a tall order over here.
On Thu,
On 06/02/2014 11:46, Notify Me wrote:
We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
PCI DSS states:
10.4.3 Time settings are received from industry-accepted time sources.
The default RHEL
GPS time sources are pretty cheap (< US$500) and easy to set up nowadays.
You could probably build your own for less than US$100:
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html
Aled
On 6 February 2014 11:51, Notify Me notify.s...@gmail.com wrote:
According to the auditors, trusted means
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.
Please can anyone help with sources that wouldn't mind letting us
On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa,
[...]
So build your own stratum 1 server (maybe a second
On 06/02/2014 12:30, Martin Hotze wrote:
here is a well done how-to:
http://open.konspyre.org/blog/2012/10/18/raspberry-pi-time-server/
The OP had a question about standards compliance, not about something that
made technical sense and would deliver a superior service. The two things
aren't
Raspberries! Not common currency here either, but let's see!
grateful for all the input and responses, this list is amazing as usual.
On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris al...@qix.co.uk wrote:
On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:
I'm trying to help a company
PCI DSS only requires that all clocks be synchronized; it doesn't
/require/ how.
If you have servers getting time from external sources (authenticated
always a plus) and peering with each other internally, then you comply
with PCI DSS 2.0 (3.0 has no changes to this that I'm aware of).
OTOH, I'm
Once upon a time, Nick Hilliard n...@foobar.org said:
So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trusted enough to provide a
precompiled based operating system with no feasible means of proving its
reliability, but
It has been a while since I have done anything with NTP, but I would start
with ntp.org (which didn't exist when I WAS working with it) which I am led
to believe has the stuff that used to be at U. Delaware, like the public
servers lists:
http://support.ntp.org/bin/view/Servers/WebHome
Where
After all these years I still can not get used to the non-standard NANOG
response to reply. I wonder if there is a way for me to fix that locally.
On 2/6/2014 8:49 AM, Larry Sheldon wrote:
On 2/6/2014 4:43 AM, Nick Hilliard wrote:
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a
On 2/6/2014 9:02 AM, Nick Hilliard wrote:
On 06/02/2014 14:57, Larry Sheldon wrote:
http://support.ntp.org/bin/view/Servers/PublicTimeServer79
bear in mind that due to the vagaries of African peering weirdness, the
actual path from there to the OP's network could be over multiple
Hi Alexander,
I think you or your consultant may have an overly strict reading of the PCI
documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few
times...
If you have your PCI hosts directly going against ntp.org or similar, then you
are not in compliance.
My
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
A) Run a local set of NTP servers - these are your 'trusted' servers, under
your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best practice, the external clients should have
full view of as close to source
On Thu, 6 Feb 2014, Notify Me wrote:
According to the auditors, trusted means
1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)
Which is a
On Thu, Feb 6, 2014 at 9:03 PM, Notify Me notify.s...@gmail.com wrote:
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.
On Thu, Feb 6, 2014 at 8:28 AM, jamie rishaw j...@arpa.com wrote:
PCI DSS only requires that all clocks be synchronized; it doesn't
/require/ how.
If you read requirement 10.4 more carefully, you will find that it Does
require that time
be synchronized from an INDUSTRY ACCEPTED external
-Original Message-
From: Notify Me [mailto:notify.s...@gmail.com]
Sent: Thursday, February 06, 2014 4:54 AM
To: Aled Morris
Cc: nanog@nanog.org; Martin Hotze
Subject: Re: Need trusted NTP Sources
Raspberries! Not common currency here either, but let's see!
While I would be using
- Original Message -
From: Mark Milhollan m...@pixelgate.net
Generally speaking, you'll need at least 3 sources if you want
stability.
My usual practice is to set up two in house servers, each of which
talks to:
time.windows.com
time.apple.com
and one of the NIST servers
On 2/6/2014 8:24 PM, Jay Ashworth wrote:
Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command.
It does. And does not light up for most of the lists I am on (including
one I own). I am apparently not bright enough to notice
- Original Message -
From: Larry Sheldon larryshel...@cox.net
After all these years I still can not get used to the non-standard NANOG
response to reply. I wonder if there is a way for me to fix that.
Noo!!! Everybody!!! Don't reply to that!!!
:-)
Mailing lists aren't *supposed*
, February 06, 2014 10:34 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
A) Run a local set of NTP servers - these are your 'trusted' servers,
under your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best