Re: Need trusted NTP Sources

2014-02-09 Thread Saku Ytti
On (2014-02-08 19:43 -0500), Jay Ashworth wrote:

 In the architecture I described, though, is it really true that the odds
 of the common types of failure are higher than with only one?

I think so. Let's assume arbitrarily that the probability of an NTP server not
starting to give incorrect time is 99% over 1 year.
Then the probability of neither of two servers giving incorrect time is 0.99**2,
i.e. 98%, so two NTP servers would be 1% point more likely to give incorrect
time than one over 1 year.

Obviously the chance of working is more than 99%; maybe it's something like
99.999%? And is that really the typical failure mode, or is the typical failure
mode complete loss of connectivity? Two NTP servers would protect from this, a
single one would not.
However, loss of connectivity has a minor impact on clients; wrong time has a
major impact on clients.
Maybe if loss of connectivity is typically fixed in a somewhat short period of
time, a single NTP server always wins; if loss of connectivity is typically
fixed in a very long period of time, a single NTP server loses.

I don't really have exact data, but best practice is 2. Matthew said 4, which
gives the advantage that after a single failure you are still operating
redundantly and have no urgency to fix it; with 3, after a single failure
another failure must not occur before it is fixed.
I think 3 is enough; networks are typically designed to handle 1 arbitrary
failure at a time, and 2 arbitrary failures in most networks, when chosen
correctly, will cause SLA-breaking faults (cheaper to pay SLA compensations
than to recover from any 2 failures).
But NTP servers are cheap, so if you want to be robust and recover from n
false tickers, have 3+n.



-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-09 Thread Andriy Bilous
Best practice is five. =) I don't remember if it's in the FAQ on ntp.org or in
David Mills' book. Your local clock is kind of a gullible push-over which
will vote for the party providing the most reasonable data. The algorithm
would filter out insane sources which run too far from the rest and then
group sane sources into 2 parties - your clock will follow the one where
runners are closer to each other. That is why an uneven number of trustworthy
sources, at least at start, is required. With 2 sources you will blindly
follow the one which is closer to your own clock. You also have the
risk of degrading into this situation when you lose 1 out of 3 sources.
Four is again 2:2 and only with five do you have a good chance to start
disciplining your clock in the right direction at the right pace, so when
1 source is lost you (most probably) won't run into insanity.


On Sun, Feb 9, 2014 at 9:03 AM, Saku Ytti s...@ytti.fi wrote:

 On (2014-02-08 19:43 -0500), Jay Ashworth wrote:

  In the architecture I described, though, is it really true that the odds
  of the common types of failure are higher than with only one?

 I think so, lets assume arbitrarily that probability of NTP server not
 starting to give incorrect time is 99% over 1 year time.
 Then either of two servers not giving incorrect time is 0.99**2 i.e. 98%,
 so
 two NTP servers would be 1% point more likely to give incorrect time than
 one
 over 1 year time.

 Obviously the chance of working is more than 99% maybe it's something like
 99.999%? And is that really typical failure-mode or is typical failure-mode
 complete loss of connectivity? Two NTP servers would protect from this,
 single
 not.
 However loss-of-connectivity minor impact on clients, wrong time has major
 impact of client.
 Maybe if loss-of-connectivity is fixed in somewhat short period of time,
 single NTP always win, if loss-of-connectivity is fixed typically in very
 long
 period of time, single NTP loses.

 I don't really have exact data, but best practice is 2. Matthew said 4,
 which
 gives the advantage that in single failure you are still operating
 redundantly
 and do not have urgency to fix, with 3 in single failure another failure
 must
 not occur before it is fixed.
 I think 3 is enough, networks are typically designed to handle 1 arbitrary
 failure at the same time and 2 arbitrary failures in most networks, when
 chosen correctly, will cause SLA breaking faults (Cheaper to pay SLA
 compensations than to recover from any 2 failures).
 But NTP servers are cheap, so if you want to be robust and recover from n
 false tickers, have 3+n.



 --
   ++ytti




Re: Need trusted NTP Sources

2014-02-09 Thread Jay Ashworth
- Original Message -
 From: Saku Ytti s...@ytti.fi

  In the architecture I described, though, is it really true that the
  odds of the common types of failure are higher than with only one?
 
 I think so, lets assume arbitrarily that probability of NTP server not
 starting to give incorrect time is 99% over 1 year time.
 Then either of two servers not giving incorrect time is 0.99**2 i.e. 98%, so
 two NTP servers would be 1% point more likely to give incorrect time than one
 over 1 year time.

That's only true if the two devices have common failure modes, though,
is it not?
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-09 Thread Saku Ytti
On (2014-02-09 15:16 -0500), Jay Ashworth wrote:

  Then either of two servers not giving incorrect time is 0.99**2 i.e. 98%, so
  two NTP servers would be 1% point more likely to give incorrect time than 
  one
  over 1 year time.
 
 That's only true if the two devices have common failure modes, though,
 is it not?

No, we can assume arbitrary fault which causes NTP to output bad time. With
two NTP servers it's more likely that any one of them will start doing that
than with one alone. And if any of the two start doing it, you don't know
which one.

-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-09 Thread Jay Ashworth
- Original Message -
 From: Saku Ytti s...@ytti.fi

  That's only true if the two devices have common failure modes,
  though, is it not?
 
 No, we can assume arbitrary fault which causes NTP to output bad time. With
 two NTP servers it's more likely that any one of them will start doing
 that than with one alone. And if any of the two start doing it, you don't
 know which one.

Hey, waitaminnit!  I saw you palm that card.  :-)

If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
know which one it is, because the other one will still match what I already
have running, no?

Or do I understand NTP less well than I think?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-09 Thread Larry Sheldon

On 2/9/2014 2:45 PM, Jay Ashworth wrote:


Or do I understand NTP less well than I think?


I am of the private opinion that if your name is not David Mills (and 
MAYBE if it IS) the answer is either 42 or yes.

--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-09 Thread Saku Ytti
On (2014-02-09 15:45 -0500), Jay Ashworth wrote:

 If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
 know which one it is, because the other one will still match what I already
 have running, no?
 
 Or do I understand NTP less well than I think?

I don't think you can reasonably tell which of the two is the false ticker.
Andriy says your PC would blindly follow the one which is in more agreement
with your local clock, and PCs have terrible oscillators (I don't know why;
5 EUR would buy a LOT better oscillator).

-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-09 Thread Jimmy Hess
On Sun, Feb 9, 2014 at 2:45 PM, Jay Ashworth j...@baylink.com wrote:
[snip]

 If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
 know which one it is, because the other one will still match what I already
 have running, no?


The question should be how assured is the reliability of the clocks of the
2 upstream servers. I think I am pretty happy with the concept of
having two local centralized NTP servers, used by various servers in an
environment, some SNTP some NTP, each of the local centralized NTP
servers using 5 external time sources.

These external time sources need to be periodically checked, to ensure the
central NTP servers continue to synchronize with them, and that they
continue to be accurate.

So the pair of NTP servers is not redundant in the sense that the time is
allowed to be wrong, but they are resilient in the sense of being
configured so their own clock should always be correct, unless there
is a once in 100 years failure scenario.

Each of the local servers then has two NTP peers as time source, and the
local clock discipline, except for virtual machines, which should use
just the two NTP servers.

A local pair of NTP servers are not redundant in the sense of being able
to survive a catastrophic software bug in NTP; the local time sources
should be redundant to survive the more highly frequent condition of
temporary total failure of a local NTP server.





  Or do I understand NTP less well than I think?


 Cheers,
 -- jra


--
-JH


Re: Need trusted NTP Sources

2014-02-09 Thread Saku Ytti
On (2014-02-09 21:08 +0100), Andriy Bilous wrote:

 Best practice is five. =) I don't remember if it's in FAQ on ntp.org or in
 David Mills' book. Your local clock is kind of gullible push-over which
 will vote for the party providing most reasonable data. The algorithm
 would filter out insane sources which run too far from the rest and then
 group sane sources into 2 parties - your clock will follow the one where
 runners are closer to each other. That is why uneven number of trustworthy
 sources at least at start is required. With 2 sources you will blindly
 follow the one which is closer to your own clock. You're also having the
 the risk to degrade into this situation when you lose 1 out of 3 sources.
 Four is again 2:2 and only with five you have a good chance to start
 disciplining your clock into the right direction at the right pace, so when
 1 source is lost you (most probably) won't run into insanity.

I'm having a bit of difficulty understanding the issue with 4.

Is the implication that you have two groups which all agree with each other
reasonably well, but do not agree between the groups? Which would mean that 4
cannot handle the situation where 2 develop a problem where they agree with
each other but are wrong.
But even in that case, you'd still recover from 1 of them being wrong. So

3 = correct time, no redundancy
4 = correct time, 1 can fail
5 = correct time, 2 can fail
and so forth?

But not sure here, just stabbing in the dark. For the fun of it, I threw an
email to Mills; if he replies, I'll patch it back here.

-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-09 Thread Lyle Giese
Look back in the archives and see the problems that erupted when one of 
the big guys rebooted and came on line with bad time(tock.usno.navy.mil 
in Nov of 2012).  It was talked about in Outages and other lists at the 
time it happened.



On 02/09/14 14:56, Saku Ytti wrote:

On (2014-02-09 15:45 -0500), Jay Ashworth wrote:


If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
know which one it is, because the other one will still match what I already
have running, no?

Or do I understand NTP less well than I think?

I don't think you can reasonably tell which of the two is the false ticker.
Andriy says your PC would blindly follow the one which is in more agreement
with your local clock, and PCs have terrible oscillators (I don't know why;
5 EUR would buy a LOT better oscillator).






Re: Need trusted NTP Sources

2014-02-09 Thread Brett Frankenberger
On Sun, Feb 09, 2014 at 03:45:19PM -0500, Jay Ashworth wrote:
 - Original Message -
  From: Saku Ytti s...@ytti.fi
 
   That's only true if the two devices have common failure modes,
   though, is it not?
  
  No, we can assume arbitrary fault which causes NTP to output bad time. With
  two NTP servers it's more likely that any one of them will start doing
  that than with one alone. And if any of the two start doing it, you don't
  know which one.
 
 Hey, waitaminnit!  I saw you palm that card.  :-)
 
 If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
 know which one it is, because the other one will still match what I already
 have running, no?

If it suddenly goes insane as a step function?  Sure.  But if the one
you've selected for synchronization starts drifting off true time very
slowly, it will take your clock with it, and then ultimately the other
one (that is actually the good clock) will appear to be the insane clock.

 -- Brett



Re: Need trusted NTP Sources

2014-02-09 Thread Andriy Bilous
Unfortunately I don't have the book handy. Maybe I am wrong too. I just
checked and 4 looks to be a valid solution for 1 falseticker according to
the Byzantine Generals' Problem.


On Sun, Feb 9, 2014 at 10:03 PM, Saku Ytti s...@ytti.fi wrote:

 On (2014-02-09 21:08 +0100), Andriy Bilous wrote:

  Best practice is five. =) I don't remember if it's in FAQ on ntp.org or
 in
  David Mills' book. Your local clock is kind of gullible push-over which
  will vote for the party providing most reasonable data. The algorithm
  would filter out insane sources which run too far from the rest and then
  group sane sources into 2 parties - your clock will follow the one
 where
  runners are closer to each other. That is why uneven number of
 trustworthy
  sources at least at start is required. With 2 sources you will blindly
  follow the one which is closer to your own clock. You're also having the
  the risk to degrade into this situation when you lose 1 out of 3 sources.
  Four is again 2:2 and only with five you have a good chance to start
  disciplining your clock into the right direction at the right pace, so
 when
  1 source is lost you (most probably) won't run into insanity.

 I'm having bit difficulties understanding the issue with 4.

 Is the implication that you have two groups which all agree with each other
 reasonably well, but do not agree between the groups. Which would mean
 that 4
 cannot handle situation where 2 develop problem where they agree with each
 other but are wrong.
 But even in that case, you'd still recover from 1 of them being wrong. So

 3 = correct time, no redundancy
 4 = correct time, 1 can fail
 5 = correct time, 2 can fail
 and so forth?

 But not sure here, just stabbing in the dark. For the fun of it, threw
 email
 to Mills, if he replies, I'll patch it back here.

 --
   ++ytti
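The "two parties" voting Andriy describes, Saku's 3/4/5 table and the Byzantine count for four sources can be checked against a toy model of the intersection step. This is an added illustration, not ntpd's code and not anything posted in the thread: it models only the intersection (no clustering), declares every source a falseticker when no strict majority of intervals overlaps, and uses constructed offsets with an assumed 10 ms error bound.

```python
"""Toy model of the falseticker vote discussed in the thread.

Added illustration, not ntpd's code: each source is reduced to a
correctness interval [offset - maxerror, offset + maxerror] and a
Marzullo-style intersection keeps the sources whose intervals overlap
with a strict majority. It models only the intersection step, not the
clustering that follows it in a real implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    offset: float    # measured offset from the local clock, seconds
    maxerror: float  # half-width of the correctness interval, seconds


def intersection(sources: List[Source]) -> Optional[Tuple[float, float]]:
    """Widest window covered by n - allow sources, trying allow = 0, 1, ...
    while allow stays below n/2. Returns None when no strict majority of
    intervals overlaps (the 1:1 and 2:2 splits from the thread)."""
    n = len(sources)
    edges = []
    for s in sources:
        edges.append((s.offset - s.maxerror, -1))  # entering an interval
        edges.append((s.offset + s.maxerror, +1))  # leaving an interval
    edges.sort()  # ties: entering (-1) sorts before leaving (+1)
    allow = 0
    while 2 * allow < n:
        need = n - allow
        low = high = None
        depth = 0
        for value, kind in edges:            # sweep upward for the low edge
            depth -= kind
            if depth >= need:
                low = value
                break
        depth = 0
        for value, kind in reversed(edges):  # sweep downward for the high edge
            depth += kind
            if depth >= need:
                high = value
                break
        if low is not None and high is not None and high > low:
            return low, high
        allow += 1
    return None


def vote(sources: List[Source]) -> Tuple[List[Source], List[Source]]:
    """Split sources into (truechimers, falsetickers). With no majority
    window nothing is trusted and every source is reported as false."""
    window = intersection(sources)
    if window is None:
        return [], list(sources)
    low, high = window
    true = [s for s in sources
            if s.offset - s.maxerror <= high and s.offset + s.maxerror >= low]
    false = [s for s in sources if s not in true]
    return true, false


def src(name: str, offset: float, maxerror: float = 0.010) -> Source:
    # Assumed 10 ms error bound for every source (constructed value).
    return Source(name, offset, maxerror)


# Constructed scenarios from the thread: sane sources sit within a few ms
# of the local clock, the insane ones are 5 s out.
SCENARIOS = {
    "2 sources, 1 insane": [src("a", 0.001), src("b", 5.000)],
    "3 sources, 1 insane": [src("a", 0.001), src("b", -0.002), src("c", 5.000)],
    "4 sources, 1 insane": [src("a", 0.001), src("b", -0.002), src("c", 0.003),
                            src("d", 5.000)],
    "4 sources, 2 agree but wrong": [src("a", 0.001), src("b", -0.002),
                                     src("c", 5.000), src("d", 5.003)],
    "5 sources, 2 agree but wrong": [src("a", 0.001), src("b", -0.002),
                                     src("c", 0.003), src("d", 5.000),
                                     src("e", 5.003)],
}


def falsetickers(key: str) -> List[str]:
    """Names of the sources the vote discards for a named scenario;
    every name when there is no majority at all."""
    _, bad = vote(SCENARIOS[key])
    return [s.name for s in bad]


if __name__ == "__main__":
    for key in SCENARIOS:
        print(f"{key:30s} falsetickers: {falsetickers(key)}")
```

In this model four sources survive one insane source but not a 2:2 split, and five survive two sources that agree with each other but not with the rest.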




Re: Need trusted NTP Sources

2014-02-09 Thread James R Cutler
On Feb 9, 2014, at 3:50 PM, Larry Sheldon larryshel...@cox.net wrote:

 On 2/9/2014 2:45 PM, Jay Ashworth wrote:
 
 Or do I understand NTP less well than I think?
 
 I am of the private opinion that if your name is not David Mills (and MAYBE 
 if it IS) the answer is either 42 or yes.
 — ...

From http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf
 Intersection and clustering algorithms pick best true chimers and discard 
 false tickers.
You should look at this presentation and see why Larry Sheldon’s private 
opinion is spot on.

I won’t begin to try explaining in technical detail how this works.  The bottom 
line is that, within a peer group of NTP servers looking at a reasonably large 
set of NTP source servers, all kinds of variations in input data are reduced to 
a coherent local time truth.

My template for NTP service deployment for any organization is very simple:

1. Select four or more local systems and configure them as peer NTP servers.  
In many instances one can leverage local DNS server machines running almost any 
OS — the NTP daemon runs on at least Windows, OS X, UNIX, Linux.  Don’t forget 
appropriate restrict commands.

2. Configure ntpd on the local servers to also select as servers a list of 8-10 
open access servers like pool.ntp.org, usno.navy.mil, nist--ustiming.org.  
If you can arrange authenticated access to other servers, that is possibly 
better.

3.  As desired, configure ntpd on selected local servers for local clocks or 
GPS clocks.  This has little effect on accuracy, but may enhance reliability.  
In many cases, it also requires building penetrations for antennas.  (Not easy 
for network guys.) 

4.  Configure all local time consumers to select from the list of local NTP 
servers.  Authenticate or not as you see fit. You can even use DHCP to inform 
end systems of NTP server addresses.  The router folks will have to include NTP 
server addresses as part of each configuration package.

Over the years I have successfully applied this template for NTP service 
deployments to several large networks. It just works.


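James Cutler's four steps written out as an ntp.conf for one member of the local peer group. This is an added example, not his configuration: the host names, the 192.0.2.0/24 client range and key id 1 are placeholders, and the GPS lines for step 3 are left commented out.

```conf
# /etc/ntp.conf for one member of the local peer group (step 1).
# All host names, the 192.0.2.0/24 range and key id 1 are placeholders.
driftfile /var/lib/ntp/ntp.drift

# Step 1: "appropriate restrict commands". Default-deny, then loosen
# only for loopback and for the subnet of local time consumers (step 4).
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

# Symmetric-key authentication between the local peers.
keys /etc/ntp.keys
trustedkey 1

# Step 1: the other three local peer servers (four or more in total).
peer ntp2.example.net key 1 iburst
peer ntp3.example.net key 1 iburst
peer ntp4.example.net key 1 iburst

# Step 2: 8-10 open-access upstream servers. The pool names resolve to
# different hosts on each local server, so the group as a whole sees
# more distinct upstreams than any one member does.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
server tick.usno.navy.mil iburst
server tock.usno.navy.mil iburst
server time-a.nist.gov iburst
server time-b.nist.gov iburst

# Step 3 (optional): a GPS receiver on the NMEA refclock driver with PPS.
# server 127.127.20.0 mode 1 minpoll 4 prefer
# fudge 127.127.20.0 flag1 1

# Refuse to discipline the clock unless at least three candidates survive
# the selection, so a single falseticker cannot be followed on its own.
tos minsane 3
```

With tos minsane 3 the daemon would rather free-run than follow fewer than three agreeing sources, which is the trade-off between wrong time and loss of connectivity that Saku describes earlier in the thread.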


Re: Need trusted NTP Sources

2014-02-09 Thread Larry Sheldon

On 2/9/2014 6:42 PM, James R Cutler wrote:

On Feb 9, 2014, at 3:50 PM, Larry Sheldon larryshel...@cox.net
wrote:


On 2/9/2014 2:45 PM, Jay Ashworth wrote:


Or do I understand NTP less well than I think?


I am of the private opinion that if your name is not David Mills
(and MAYBE if it IS) the answer is either 42 or yes. — ...


From
http://www.eecis.udel.edu/~mills/database/brief/overview/overview.pdf




Intersection and clustering algorithms pick best true chimers and 
discard false tickers.

You should look at this presentation and see why Larry Sheldon’s
private opinion is spot on.

I won’t begin to try explaining in technical detail how this works.
The bottom line is that, within a peer group of NTP servers looking
at a reasonably large set of NTP source servers, all kinds of
variations in input data are reduced to a coherent local time truth.


In the 1990s I found myself administering a campus network for a 
University--the only people less prepared than I as everybody else.


A need arose to have a uniform notion of time across the campus (my 
recollection had to do with resolving who did it first squabbles as well 
as trying to solve some problems having to do with the date and time in 
emails regarding assignments due.


I stumbled across NTP somewhere and decided that was the answer. I 
didn't know about 42 then.


Nobody I was in contact with knew any more about it than I did, so I 
spent a lot of time on eecis learning how to make it play, and how not 
to be a rude participant.


My template for NTP service deployment for any organization is very
simple:

1. Select four or more local systems and configure them as peer NTP
servers.  In many instances one can leverage local DNS server
machines running almost any OS — the NTP daemon runs on at least
Windows, OS X, UNIX, Linux.  Don’t forget appropriate restrict
commands.


I don't remember now how many boxes I had in my NTP backbone but it was 
lots--every cisco router I knew the password for (there were a lot of 
them, supporting frame-relay links to off-campus points), every HP9000 
box I had root on, maybe the two Wellfleets -- I don't remember.


They all were peers and I connected to a couple of off-network public 
stratum 1s and 2s not as peers (I had no budget for a stratum 0).



2. Configure ntpd on the local servers to also select as servers a
list of 8-10 open access servers like pool.ntp.org, usno.navy.mil,
nist--ustiming.org.  If you can arrange authenticated access to
other servers, that is possibly better.


I tried, using ping, to pick sturdy-sounding servers that were close 
to Omaha.



3.  As desired, configure ntpd on selected local servers for local
clocks or GPS clocks.  This has little effect on accuracy, but may
enhance reliability.  In many cases, it also requires building
penetrations for antennas.  (Not easy for network guys.)

4.  Configure all local time consumers to select from the list of
local NTP servers.  Authenticate or not as you see fit. You can even
use DHCP to inform end systems of NTP server addresses.  The router
folks will have to include NTP server addresses as part of each
configuration package.


Did that.  Told machines and people to use their default gateway address 
as their NTP (or SNTP) server.



Over the years I have successfully applied this template for NTP
service deployments to several large networks. It just works.


It does.  It does.
--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-09 Thread Larry Sheldon

On 2/9/2014 7:04 PM, Larry Sheldon wrote:

In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I as everybody else.


In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I Was everybody else.

--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-08 Thread Majdi S. Abbas
On Fri, Feb 07, 2014 at 01:14:09PM -0500, Jared Mauch wrote:
 If you want something that is cheap as in you for your home, I can 
 recommend this: ~$350 w/ antenna, etc..
 
 http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
 
 You can get the whole thing going quickly.  Majdi has also had good luck 
 with this unit (perhaps he wants to chime-in, heh pun unintended) regarding 
 a few other devices.

The Netburner NTP sample app works well enough for basic home
use, although I get better timing performance out of a fleet of hand
modified Soekrii.

I've been modifying NET4801s to include internal Motorola Oncore
timing receivers (this is a tight fit, but doable, in the factory
cases), or to break out their second serial port for connections to 
external reference clocks.  (I have one connected to a TrueTime TL-3 to
use WWV as a backup to GPS, but it can also be a travelling GPS NTP
server with, say, a Garmin GPS18lvc connected.)

You can make your own sub-$150 NTP server -- I'll spare the
list the details, but those that are interested should see:

http://puck.nether.net/~majdi/ntp/

Feedback is appreciated -- I've only spent about an hour on
this doc, and it assumes a lot of familiarity with FreeBSD.  I will
try to flesh it out more as I have time.

Cheers,

--msa



Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
- Original Message -
 From: Saku Ytti s...@ytti.fi

 On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
  My usual practice is to set up two in house servers, each of which
  talks to:
 
  And then point everyone in house to both of them, assuming they
  accept multiple server names.
 
 Two is worst possible amount of NTP servers to have. Either one fails and your
 timing is wrong, because you cannot vote false ticker. And chance of either of
 two failing is higher than one specific of them.

Fair point.

In practice, it never bit me because nearly everything that wanted NTP
would only accept one server name (being windows) and the things that
*did* take more than one, I generally pointed to both internals, and 
something outside the firewall as well.

In the architecture I described, though, is it really true that the odds
of the common types of failure are higher than with only one?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
- Original Message -
 From: Jimmy Hess mysi...@gmail.com

 Don't forget poor performance due to high latency, or
 Server X emitting corrupted or inaccurate data

My two internal servers were my two uplink firewalls, and were pretty
thoroughly monitored.  Had NTP gone insane, I'd have heard about it.

Remember that 3 of the 8 peers on each machine were pool.ntp.org machines,
so the cluster, as a cluster, actually had *nine* external peers, each
machine having 3 in common, and three which were not (each machine was
a DNS resolver, so they didn't share a name cache on *.us.pool.ntp.org).

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-08 Thread Jay Ashworth
 Original Message -
 From: Matthew Huff mh...@ox.com

 Working in the financial world, the best practices is to have 4 ntp
 servers (if not using PTP).
 
 1) You need 3 to determine the correct time (and detect bad tickers)
 2) If you lose 1 of the 3 above, then you no longer can determine the
 correct time
 3) Therefore with 4, you have redundancy.
 
 We have two Symmetricom Stratum 1 time servers synced via GPS with
 Rubidium oscillators, and two RHEL 6 servers running ntpd for our 4
 servers.

As I've noted, I had *nine* external peers; 3 shared by both machines
(commercial and NIST strat-1's), and 3 each from us.pool, which were
generally different servers; I did keep an eye on that.

And the NTP servers were monitored.

I'm stupid, but I'm not crazy. :-)

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth  Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-07 Thread Saku Ytti
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:

 My usual practice is to set up two in house servers, each of which 
 talks to:
 
 And then point everyone in house to both of them, assuming they accept
 multiple server names.

Two is the worst possible number of NTP servers to have. If either one fails,
your timing is wrong, because you cannot vote out the false ticker. And the
chance of either of two failing is higher than the chance of one specific one
failing.

-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-07 Thread Jimmy Hess
On Fri, Feb 7, 2014 at 5:35 AM, Saku Ytti s...@ytti.fi wrote:

 On (2014-02-06 21:14 -0500), Jay Ashworth wrote:

  My usual practice is to set up two in house servers, each of which
  talks to:
 Two is worst possible amount of NTP servers to have. Either one fails and
 your timing is wrong, because you cannot vote false ticker. And chance of
 either of
 two failing is higher than one specific of them.


+1 to having at least 3 NTP servers.
Because complete outage is only one kind of failure.

Don't forget   poor performance due to high latency, or
Server X  emitting  corrupted or  inaccurate data


--
-JH


Re: Need trusted NTP Sources

2014-02-07 Thread Roy

On 2/7/2014 3:35 AM, Saku Ytti wrote:

On (2014-02-06 21:14 -0500), Jay Ashworth wrote:


My usual practice is to set up two in house servers, each of which
talks to:

And then point everyone in house to both of them, assuming they accept
multiple server names.

Two is worst possible amount of NTP servers to have. Either one fails and your
timing is wrong, because you cannot vote false ticker. And chance of either of
two failing is higher than one specific of them.



A man with a watch knows what time it is. A man with two watches is 
never sure.




RE: Need trusted NTP Sources

2014-02-07 Thread Matthew Huff
Working in the financial world, the best practice is to have 4 ntp servers (if 
not using PTP).

1) You need 3 to determine the correct time (and detect bad tickers)
2) If you lose 1 of the 3 above, then you no longer can determine the correct 
time
3) Therefore with 4, you have redundancy.

We have two Symmetricom Stratum 1 time servers synced via GPS with Rubidium 
oscillators, and two RHEL 6 servers running ntpd for our 4 servers.




Matthew Huff | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039

-Original Message-
From: Roy [mailto:r.engehau...@gmail.com] 
Sent: Friday, February 7, 2014 10:23 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources

On 2/7/2014 3:35 AM, Saku Ytti wrote:
 On (2014-02-06 21:14 -0500), Jay Ashworth wrote:

 My usual practice is to set up two in house servers, each of which 
 talks to:

 And then point everyone in house to both of them, assuming they 
 accept multiple server names.
 Two is worst possible amount of NTP servers to have. Either one fails 
 and your timing is wrong, because you cannot vote false ticker. And 
 chance of either of two failing is higher than one specific of them.


A man with a watch knows what time it is. A man with two watches is never 
sure.


Re: Need trusted NTP Sources

2014-02-07 Thread Jared Mauch

On Feb 7, 2014, at 10:56 AM, Matthew Huff mh...@ox.com wrote:

 Working in the financial world, the best practices is to have 4 ntp servers 
 (if not using PTP).
 
 1) You need 3 to determine the correct time (and detect bad tickers)
 2) If you lose 1 of the 3 above, then you no longer can determine the correct 
 time
 3) Therefore with 4, you have redundancy.
 
 We have two Symmetricom Stratum 1 time servers synced via GPS  with Rubidium 
 oscillators,  and two RHEL 6 servers running ntpd for our 4 servers.

Having a number of NTP servers will help you detect false tickers which may be 
critical.

If you want something that is cheap as in you for your home, I can recommend 
this: ~$350 w/ antenna, etc..

http://www.netburnerstore.com/product_p/pk70ex-ntp.htm

You can get the whole thing going quickly.  Majdi has also had good luck with 
this unit (perhaps he wants to chime-in, heh pun unintended) regarding a few 
other devices.

If you ask politely off-list, I will point you at where one of these is that 
you can talk to (in Dallas at the Infomart for your low-latency config).

- Jared


Re: Need trusted NTP Sources

2014-02-07 Thread Anthony Williams


 With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.

GPS: http://www.sureelectronics.net/goods.php?id=99

Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm

-Alby


On 2/7/2014 1:14 PM, Jared Mauch wrote:
 Having a number of NTP servers will help you detect false tickers which may 
 be critical.
 
 If you want something that is cheap as in you for your home, I can 
 recommend this: ~$350 w/ antenna, etc..




You need a VLAN to the foot of NIST ITS services - no problem - we got you covered. Re: Need trusted NTP Sources

2014-02-07 Thread TGLASSEY

Raspberry Pi
---
This unfortunately doesn't give you trusted time. It gives you David's 
Raspberry Pi with an Adafruit Ultimate GPS breakout board, which is a 
waste of time if you need an evidence grade of time service. It also 
means you assemble it and run it yourself.



If you need access to NTP - we can handle that
---
As to how to get NTP into your networks - why screw around??? What do 
you need - your own VLAN into the back of the switch hosting the NIST 
ITS server... yeah no problem.


Go to the source and join USTiming.ORG and use our landing switch to 
cross connect your network into a VLAN type management network bringing 
NIST ITS services to the perimeter of your network - poof - no DDoS, and 
hey, you get to work with us to expand the availability of the services 
across the US, so it's a win-win.


We have them spread out through the US under USTiming and are looking 
for more sites that are telco hotels in particular - so if you have 
space and want to host it in a balance-of-trade type deal, let us know.


Todd

On 2/7/2014 12:32 PM, Anthony Williams wrote:


  With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.

GPS: http://www.sureelectronics.net/goods.php?id=99

Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm

-Alby


On 2/7/2014 1:14 PM, Jared Mauch wrote:

Having a number of NTP servers will help you detect false tickers which may be 
critical.

If you want something that is cheap as in you for your home, I can recommend 
this: ~$350 w/ antenna, etc.






--

Personal Email - Disclaimers Apply




Re: Need trusted NTP Sources

2014-02-07 Thread Bryan Seitz
On Fri, Feb 07, 2014 at 03:32:22PM -0500, Anthony Williams wrote:
 
  With a quick and easy mod, another option for $35 is a Sure Electronics
 GPS board.
 
 GPS: http://www.sureelectronics.net/goods.php?id=99
 
 Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm
 
 -Alby
 
 
 On 2/7/2014 1:14 PM, Jared Mauch wrote:
  Having a number of NTP servers will help you detect false tickers which may 
  be critical.
  
  If you want something that is cheap as in you for your home, I can 
  recommend this: ~$350 w/ antenna, etc.

The SureGPS is decent fun but I've had this device lose sync / crap out 
randomly as well.  
I am using the Garmin 18X-LVC + a low power server with pretty good success.

(Requires PPS soldering + USB pigtail for power, pretty easy mod)

[seitz@ntp-gps ~]$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 clock.fmt.he.ne .CDMA.           1 u   53   64  377   76.692    0.976   0.291
 time-a.timefreq .ACTS.           1 u   39   64  377   48.140   -0.896   0.348
 time-b.timefreq .ACTS.           1 u   56   64  377   48.800   -0.986   0.430
 time-b.nist.gov .ACTS.           1 u   48   64  377    7.333    3.630   0.562
oGPS_NMEA(1)     .PPS.            0 l    4   16  377    0.000    0.002   0.000

* GPS is on a http://us.shuttle.com/barebone/Models/XS36VL.html - chosen for 
the dual external serial ports.

-- 
 
Bryan G. Seitz



Re: Need trusted NTP Sources

2014-02-06 Thread Alexander Maassen
www.pool.ntp.org

 Original message 
From: Notify Me notify.s...@gmail.com 
Date:  
To: nanog@nanog.org list nanog@nanog.org,af...@afnog.org 
Subject: Need trusted NTP Sources 
 
Hi !

I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.

Please can anyone help with sources that wouldn't mind letting us sync
from them?

Thanks a lot!



Re: Need trusted NTP Sources

2014-02-06 Thread Nick Hilliard
On 06/02/2014 10:03, Notify Me wrote:
 I'm trying to help a company I work for to pass an audit, and we've
 been told we need trusted NTP sources (RedHat doesn't cut it).

So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trusted enough to provide a
precompiled based operating system with no feasible means of proving its
reliability, but that they're not trustworthy enough to provide a clock
synchronisation service?

My head spins.

Get new auditors.  Your current ones are stupid.

Nick




Re: Need trusted NTP Sources

2014-02-06 Thread Notify Me
We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
On Feb 6, 2014 11:43 AM, Nick Hilliard n...@foobar.org wrote:

 On 06/02/2014 10:03, Notify Me wrote:
  I'm trying to help a company I work for to pass an audit, and we've
  been told we need trusted NTP sources (RedHat doesn't cut it).

 So presuming that your company is using RH or Fedora or CentOS something,
 the auditors are claiming that Red Hat, Inc is trusted enough to provide a
 precompiled based operating system with no feasible means of proving its
 reliability, but that they're not trustworthy enough to provide a clock
 synchronisation service?

 My head spins.

 Get new auditors.  Your current ones are stupid.

 Nick




Re: Need trusted NTP Sources

2014-02-06 Thread Notify Me
According to the auditors, trusted means

1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)

Which is a bit of a tall order over here.

On Thu, Feb 6, 2014 at 11:16 AM, Marc Storck msto...@voipgate.com wrote:
 You may start by checking who is providing NTP services in Africa via the NTP 
 pool. In Africa there are 27 public servers 
 (http://www.pool.ntp.org/zone/africa).

 But then all depends on your definition of trusted.

 Regards,

 Marc
 
 From: Notify Me [notify.s...@gmail.com]
 Sent: Thursday, February 06, 2014 11:03
 To: nanog@nanog.org list; af...@afnog.org
 Subject: Need trusted NTP Sources

 Hi !

 I'm trying to help a company I work for to pass an audit, and we've
 been told we need trusted NTP sources (RedHat doesn't cut it). Being
 located in Nigeria, Africa, I'm not very knowledgeable about trusted
 sources therein.

 Please can anyone help with sources that wouldn't mind letting us sync
 from them?

 Thanks a lot!




Re: Need trusted NTP Sources

2014-02-06 Thread Nick Hilliard
On 06/02/2014 11:46, Notify Me wrote:
 We're a redhat shop, and we use redhat auth which by default uses redhat
 NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.

PCI DSS states:

 10.4.3 Time settings are received from industry-accepted time sources.

The default RHEL time servers are defined as X.rhel.ntp.org.  Many people
would consider ntp.org as industry-accepted, and there are several PCI-DSS
auditing companies out there who explicitly recommend using pool.ntp.org
for this purpose.

If that's not good enough, the PCI DSS standards explicitly state in the
NTP interpretation section:

 More information on NTP can be found at www.ntp.org, including
 information about time, time standards, and servers.

So, if PCI themselves view ntp.org as being authoritative about NTP I can't
see any reason why the time servers they publish wouldn't pass an audit.

Nick





Re: Need trusted NTP Sources

2014-02-06 Thread Aled Morris
GPS time sources are pretty cheap (< US$500) and easy to set up nowadays.

You could probably build your own for less than US$100:
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html

Aled


On 6 February 2014 11:51, Notify Me notify.s...@gmail.com wrote:

 According to the auditors, trusted means

 1. Universities or Research facilities (nuclear/atomic facilities,
 space research (such as NASA) etc.)
 2. Main country internet/telecom providers
 3. Government departments
 4. Satellites (using GPS module)

 Which is a bit of a tall order over here.

 On Thu, Feb 6, 2014 at 11:16 AM, Marc Storck msto...@voipgate.com wrote:
  You may start by checking who is providing NTP services in Africa via
 the NTP pool. In Africa there are 27 public servers (
 http://www.pool.ntp.org/zone/africa).
 
  But then all depends on your definition of trusted.
 
  Regards,
 
  Marc
  
  From: Notify Me [notify.s...@gmail.com]
  Sent: Thursday, February 06, 2014 11:03
  To: nanog@nanog.org list; af...@afnog.org
  Subject: Need trusted NTP Sources
 
  Hi !
 
  I'm trying to help a company I work for to pass an audit, and we've
  been told we need trusted NTP sources (RedHat doesn't cut it). Being
  located in Nigeria, Africa, I'm not very knowledgeable about trusted
  sources therein.
 
  Please can anyone help with sources that wouldn't mind letting us sync
  from them?
 
  Thanks a lot!
 




RE: Need trusted NTP Sources

2014-02-06 Thread Martin Hotze
 I'm trying to help a company I work for to pass an audit, and we've
 been told we need trusted NTP sources (RedHat doesn't cut it). Being
 located in Nigeria, Africa, I'm not very knowledgeable about trusted
 sources therein.
 
 Please can anyone help with sources that wouldn't mind letting us sync
 from them?

given that you trust the US-government (well, ...) you might use your own 
stratum 1 server using a Raspberry Pi with GPS.

here is a well done how-to:
http://open.konspyre.org/blog/2012/10/18/raspberry-pi-time-server/

I still need some spare time to get it running, all parts are here, but within 
my office location I have a bad GPS signal reception, so I have to do it at 
home.

So build your own stratum 1 server (maybe a second one with DCF77 or whatever 
you can use for redundancy), off from these servers build 2 or more stratum 2 
timeservers for redistribution to offload your stratum 1 servers.

http://clepsydratime.com/Products/Time-Server-NTS3000 is a cool alternative. 
They are located in Poland, IIRC. And this box sells for less than 2,000 euros 
(this price is 2 years old). And it gives you GPS (USA), Glonass (Russia) and 
DCF77 (land based).

One of the best timeservers is sold by meinberg.de

just my 2 euro-cents.

#m




Re: Need trusted NTP Sources

2014-02-06 Thread Aled Morris
On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:

  I'm trying to help a company I work for to pass an audit, and we've
  been told we need trusted NTP sources (RedHat doesn't cut it). Being
  located in Nigeria, Africa,

 [...]

 So build your own stratum 1 server (maybe a second one with DCF77 or
 whatever you can use for redundancy),


I don't think DCF77 is going to reach Nigeria.

Aled


Re: Need trusted NTP Sources

2014-02-06 Thread Nick Hilliard
On 06/02/2014 12:30, Martin Hotze wrote:
 here is a well done how-to:
 http://open.konspyre.org/blog/2012/10/18/raspberry-pi-time-server/

The OP had a question about standards compliance, not about something that
made technical sense and would deliver a superior service.  The two things
aren't incompatible, but they're not especially closely related either.

Nick




Re: Need trusted NTP Sources

2014-02-06 Thread Notify Me
Raspberries! Not common currency here either, but let's see!
Grateful for all the input and responses, this list is amazing as usual.

On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris al...@qix.co.uk wrote:
 On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:

  I'm trying to help a company I work for to pass an audit, and we've
  been told we need trusted NTP sources (RedHat doesn't cut it). Being
  located in Nigeria, Africa,

  [...]

 So build your own stratum 1 server (maybe a second one with DCF77 or
 whatever you can use for redundancy),


 I don't think DCF77 is going to reach Nigeria.

 Aled



Re: Need trusted NTP Sources

2014-02-06 Thread jamie rishaw
PCI DSS only requires that all clocks be synchronized; it doesn't
/require/ how.

If you have servers getting time from external sources (authenticated
always a plus) and peering with each other internally, then you comply
with PCI DSS 2.0 (3.0 has no changes to this that I'm aware of).

OTOH, I'm surprised nobody has mentioned
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

-j

On Thu, Feb 6, 2014 at 6:53 AM, Notify Me notify.s...@gmail.com wrote:
 Raspberries! Not common currency here either, but let's see!
 Grateful for all the input and responses, this list is amazing as usual.

 On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris al...@qix.co.uk wrote:
 On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:

  I'm trying to help a company I work for to pass an audit, and we've
  been told we need trusted NTP sources (RedHat doesn't cut it). Being
  located in Nigeria, Africa,

  [...]

 So build your own stratum 1 server (maybe a second one with DCF77 or
 whatever you can use for redundancy),


 I don't think DCF77 is going to reach Nigeria.

 Aled




-- 
jamie rishaw // .com.arpa@j - reverse it. ish.

Reality defeats prejudice. - Rep. Barney Frank



Re: Need trusted NTP Sources

2014-02-06 Thread Chris Adams
Once upon a time, Nick Hilliard n...@foobar.org said:
 So presuming that your company is using RH or Fedora or CentOS something,
 the auditors are claiming that Red Hat, Inc is trusted enough to provide a
 precompiled based operating system with no feasible means of proving its
 reliability, but that they're not trustworthy enough to provide a clock
 synchronisation service?

Red Hat does not provide an NTP service themselves.  The default NTP
config on a Red Hat Enterprise Linux system uses rhel.pool.ntp.org.

I suppose some auditor could dislike the openness of pool.ntp.org
(basically anybody can join).  If that is the case, your best bet is to
do some combination of the following:

- As others have suggested, set up your own stratum-1 clock (can be done
  for around $100).  Ideally you'd set up more than one.

- Set up several servers with a static set of NTP servers rather than
  the general pool servers.  See the lists on www.pool.ntp.org; look
  under the docs for setting up a server to join the pool.  You don't
  have to actually join the pool, but following those docs is a good way
  to set up a stable server.

After that, point the rest of your servers at your master servers,
rather than the public pool.

-- 
Chris Adams c...@cmadams.net



Re: Need trusted NTP Sources

2014-02-06 Thread Larry Sheldon



It has been a while since I have done anything with NTP, but I would start
with ntp.org (which didn't exist when I WAS working with it) which I am led
to believe has the stuff that used to be at U. Delaware, like the public
servers lists:

http://support.ntp.org/bin/view/Servers/WebHome


Where I found http://support.ntp.org/bin/view/Servers/PublicTimeServer79
--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-06 Thread Larry Sheldon
After all these years I still cannot get used to the non-standard NANOG 
response to reply.  I wonder if there is a way for me to fix that locally.


On 2/6/2014 8:49 AM, Larry Sheldon wrote:

On 2/6/2014 4:43 AM, Nick Hilliard wrote:

On 06/02/2014 10:03, Notify Me wrote:

I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it).


So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trusted enough to
provide a
precompiled based operating system with no feasible means of proving its
reliability, but that they're not trustworthy enough to provide a clock
synchronisation service?

My head spins.

Get new auditors.  Your current ones are stupid.


It has been a while since I have done anything with NTP, but I would
start with ntp.org (which didn't exist when I WAS working with it) which
I am led to believe has the stuff that used to be at U. Delaware, like
the public servers lists:

http://support.ntp.org/bin/view/Servers/WebHome





--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-06 Thread Larry Sheldon

On 2/6/2014 9:02 AM, Nick Hilliard wrote:

On 06/02/2014 14:57, Larry Sheldon wrote:

http://support.ntp.org/bin/view/Servers/PublicTimeServer79


bear in mind that due to the vagaries of african peering weirdness, the
actual path from there to the OP's network could be over multiple satellite
links and peered in Asia, Europe or the US.  The Internet in africa can be
... odd.


If it was me (having made a living getting with auditors who had no idea 
what they were doing) I would look for some close-by reliable (my 
judgement) 1- and 2- level sources (including, usually, the router at 
the ISP that I talk to) to get good service, then add one or two the 
auditor likes.


Larry (long time responder-to-audits that demanded that my UNIVAC and HP 
hardware and software look like IBM)



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-06 Thread Michael DeMan
Hi Alexander,

I think you or your consultant may have an overly strict reading of the PCI 
documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few 
times...
If you have your PCI hosts directly going against ntp.org or similar, then you 
are not in compliance.

My understanding is that you need to:

A) Run a local set of NTP servers - these are your 'trusted' servers, under 
your control, properly managed/secured, fully meshed, etc.
These in turn (section 10.4.3) can get their time from 'industry-accepted time 
sources'.

B) The rest of your PCI infrastructure in turn uses these NTP servers and only 
these NTP servers.

- Michael DeMan

On Feb 6, 2014, at 2:27 AM, Alexander Maassen outsi...@scarynet.org wrote:

 www.pool.ntp.org
 
  Original message 
 From: Notify Me notify.s...@gmail.com 
 Date:  
 To: nanog@nanog.org list nanog@nanog.org,af...@afnog.org 
 Subject: Need trusted NTP Sources 
 
 Hi !
 
 I'm trying to help a company I work for to pass an audit, and we've
 been told we need trusted NTP sources (RedHat doesn't cut it). Being
 located in Nigeria, Africa, I'm not very knowledgeable about trusted
 sources therein.
 
 Please can anyone help with sources that wouldn't mind letting us sync
 from them?
 
 Thanks a lot!
 



Re: Need trusted NTP Sources

2014-02-06 Thread Saku Ytti
On (2014-02-06 07:24 -0800), Michael DeMan wrote:

 A) Run a local set of NTP servers - these are your 'trusted' servers, under 
 your control, properly managed/secured, fully meshed, etc.

I'm not sure if full-mesh is best practice; the external clients should have
full view of as close to source data as possible.
If in full-mesh you're already masking the data with inaccuracy, giving the
clients less information to make a decision?

We used to have full-mesh in our meinbergs, until from their recommendation we
removed it completely. It makes sense to me, but I don't understand the issue
deeply.

-- 
  ++ytti



Re: Need trusted NTP Sources

2014-02-06 Thread Mark Milhollan
On Thu, 6 Feb 2014, Notify Me wrote:

According to the auditors, trusted means

1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)

Which is a bit of a tall order over here.

In general you should probably be asking news:comp.protocols.time.ntp.

You could run your own NTP server using GPS as its reference clock (#4), 
at least I don't think it would be impossible for you to obtain such a 
device.  But not cheap either.  But then RHEL and an audit suggest you 
have some money to spend.  You might even build your own using ntpd and 
a receiver, e.g., GNSS.  See 
http://www.eecis.udel.edu/~mills/ntp/index.html for more information.

Some stratum 1 or 2 servers (which are generally run by entities 1 thru 
3 from your list) may allow you to obtain time (perhaps using crypto), 
but of course you'd need to contact them directly.  ntp.org has a list: 
http://support.ntp.org/bin/view/Servers/WebHome.

Generally speaking, you'll need at least 3 sources if you want stability.


Mark



Re: Need trusted NTP Sources

2014-02-06 Thread Chris Keladis
On Thu, Feb 6, 2014 at 9:03 PM, Notify Me notify.s...@gmail.com wrote:

I'm trying to help a company I work for to pass an audit, and we've
 been told we need trusted NTP sources (RedHat doesn't cut it). Being
 located in Nigeria, Africa, I'm not very knowledgeable about trusted
 sources therein.


Obviously trusted time sources are important, but at the end of the day
you have to trust someone who ultimately has the least risk (there is never
no risk) you are able to achieve.

I appreciate least level of risk is subjective to your auditors' opinion
(in this case) :-)

Just wanted to mention, having a good number of servers (not blindly
trusting >= 3 unique sources) adds some additional protection against
'false-tickers'.

Even trusted time-sources have their off-days due to a myriad of
technical reasons.

Configure multiple, relatively high stratum (taking into account how many
strata you intend to serve downstream), low-jitter/rtt, good-quality,
time-sources.

Also, risk changes over time, so vigilant monitoring is important too!


Regards,

Chris.

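The advice in this post and in Mark Milhollan's above (three or more agreeing sources, watch for falsetickers, keep monitoring) as a check run over `ntpq -p` output in the layout of the listings posted earlier in the thread. This is an added example, not code from any of the posters; the hostnames and values in it are constructed.

```python
import re
from dataclasses import dataclass

# Tally codes ntpq prints in column one (the set documented for ntpq).
TALLY = {
    " ": "discarded",    # not valid, or not reached yet
    "x": "falseticker",  # rejected by the intersection algorithm
    ".": "excess",       # dropped for table overflow
    "-": "outlier",      # truechimer, but dropped by the clustering algorithm
    "+": "candidate",    # survivor, included by the combining algorithm
    "#": "backup",       # survivor beyond the first six
    "*": "sys_peer",     # the selected system peer
    "o": "pps_peer",     # system peer driven by a PPS signal
}
# Peers that passed the intersection algorithm, i.e. agree on the time.
TRUECHIMERS = {"outlier", "candidate", "backup", "sys_peer", "pps_peer"}

# One data row: tally, remote, refid, st, t, when, poll, reach, delay, offset, jitter.
LINE_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]{1,3})\s+"
    r"(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+(?P<jitter>\d+\.\d+)\s*$"
)


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int     # 8-bit shift register of the last polls (printed in octal)
    delay: float   # milliseconds
    offset: float
    jitter: float

    @property
    def status(self) -> str:
        return TALLY[self.tally]

    @property
    def missed_polls(self) -> int:
        return 8 - bin(self.reach).count("1")


def parse_ntpq(text: str) -> list:
    """One Peer per data row; prompt, header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            peers.append(Peer(m["tally"], m["remote"], m["refid"], int(m["st"]),
                              int(m["reach"], 8), float(m["delay"]),
                              float(m["offset"]), float(m["jitter"])))
    return peers


def assess(peers: list, min_sources: int = 3, max_offset_ms: float = 100.0) -> list:
    """Return findings; an empty list means the peer set looks healthy."""
    findings = []
    for p in peers:
        if p.status == "falseticker":
            findings.append(f"{p.remote}: flagged falseticker (offset {p.offset:+.3f} ms)")
        if p.missed_polls:
            findings.append(f"{p.remote}: missed {p.missed_polls} of the last 8 polls")
        if p.status in TRUECHIMERS and abs(p.offset) > max_offset_ms:
            findings.append(f"{p.remote}: offset {p.offset:+.3f} ms exceeds {max_offset_ms} ms")
    if not any(p.status in ("sys_peer", "pps_peer") for p in peers):
        findings.append("no system peer selected; the local clock is free-running")
    agreeing = sum(1 for p in peers if p.status in TRUECHIMERS)
    if agreeing < min_sources:
        findings.append(f"only {agreeing} agreeing source(s); {min_sources} needed to outvote a falseticker")
    return findings


# Constructed sample in the layout of the ntpq -p listings in this thread;
# the hostnames and values are made up for the example.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.example  .ACTS.           1 u   39   64  377   48.140   -0.896   0.348
+time-b.example  .ACTS.           1 u   56   64  377   48.800   -0.986   0.430
+clock.example   .CDMA.           1 u   53   64  377   76.692    0.976   0.291
xbadtick.example .GPS.            1 u   48   64  377    7.333  812.630   0.562
 flaky.example   .PPS.            1 u   12   64  203   40.100    0.200   1.000
-far.example     .GPS.            2 u    9   64  377   92.321   10.473   2.335
"""

# Constructed sample of a server with only two sources: both healthy, but
# if one went bad the other could not outvote it.
SAMPLE_THIN = "\n".join(SAMPLE.splitlines()[:4]) + "\n"

if __name__ == "__main__":
    for name, text in (("full", SAMPLE), ("thin", SAMPLE_THIN)):
        print(f"== {name} ==")
        for finding in assess(parse_ntpq(text)) or ["ok"]:
            print("  ", finding)
```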

Re: Need trusted NTP Sources

2014-02-06 Thread Jimmy Hess
On Thu, Feb 6, 2014 at 8:28 AM, jamie rishaw j...@arpa.com wrote:

 PCI DSS only requires that all clocks be synchronized; it doesn't
 /require/ how.


If you read requirement 10.4 more carefully, you will find that it Does
require that time be synchronized from an INDUSTRY ACCEPTED external time
source.

The GPS reference clock, a radio timecode receiver receiving NIST or USNO,

Microsoft's time source (time.windows.com),
Redhat's time source, various universities and other public time servers
listed on NTP.org,

the NIST time servers listed here:
http://tf.nist.gov/tf-cgi/servers.cgi

Are among the INDUSTRY ACCEPTED external time sources.


This is not an exhaustive enumeration of industry-accepted external time
sources.

--
-JH


RE: Need trusted NTP Sources

2014-02-06 Thread Tony Hain
 -Original Message-
 From: Notify Me [mailto:notify.s...@gmail.com]
 Sent: Thursday, February 06, 2014 4:54 AM
 To: Aled Morris
 Cc: nanog@nanog.org; Martin Hotze
 Subject: Re: Need trusted NTP Sources
 
 Raspberries! Not common currency here either, but let's see!

While I would be using a Pi if I were doing it now, a few years ago I put
together a circuit that used a $100 outdoor mast-mount GPS receiver* with a
PPS out, to feed an RS232 connection to 3 FreeBSD 8.1 systems compiled with:
options PPS_SYNC#  
I don't know if that is still required in 10.0, and I understand Linux has
since fixed the kernel time resolution issues it was having, so research
into current OS configuration is required. To make the local time reference
preferred over external references, in ntp conf:
server 127.127.20.1 mode 8 minpoll 4 maxpoll 4 prefer
The diagram is at http://tndh.net/~tony/GPS-PPS-5v-ttl_232-box.pdf
While there is 'some assembly required', the components to feed existing
servers may be easier to come by than a Pi, and an outdoor receiver will
have better reception than the Adafruit one stuck inside a datacenter. 

As others have said, several external references help protect against any
one source having a bad day, but you should also be aware that network
asymmetry WILL impact your results so factor topology into your source
selection. Using this setup and OWAMP** I was able to track down a ~20ms
peering asymmetry between HE & Comcast inside the Seattle Westin colo,
which still persists.*** It would appear from the time delay that one of
their intermediaries is not really present in the building, but using a
fiber loop to a city about 400 miles away (Boise, or Medford ??). I am not
aware of the specific topology, other than traceroute shows different
intermediaries in each direction at one IP hop, with one taking 20ms longer
than the other to move between the same HE & Comcast routers inside that
colo. What I can see is the impact it has of showing the IPv6 connected NTP
peers as ~10ms off of the local IPv4 ones & the GPS receiver. 

Good luck


* MR-350P
http://www.amazon.com/Globalsat-Waterproof-External-Receiver-without/dp/B001ENYWJC/ref=sr_sp-atf_title_1_1?ie=UTF8qid=1391734470sr=8-1keywords=mr-350p

** OWAMP  http://software.internet2.edu/owamp/

*** ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xPPS(1)          .PPS.            0 l    7   16  377    0.000    0.001   0.002
oGPS_NMEA(1)     .GPS.            0 l    7   16  377    0.000    0.001   0.002
*bigben.cac.wash .GPS.            1 u   69   64  372   13.058    1.638  36.654
+clock.fmt.he.ne .CDMA.           1 u   15   64  373   32.641    1.938  28.828
-chronos6.es.net .CDMA.           1 u    9   64  377   92.321   10.473   2.335
-2001:4f8:2:d::1 129.6.15.29      2 u   31   64  377   35.545    9.912  43.519
-time0.apple.com 17.150.142.121   2 u    2   64  377   44.922   -1.275  26.193


 Grateful for all the input and responses, this list is amazing as usual.
 
 On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris al...@qix.co.uk wrote:
  On 6 February 2014 12:30, Martin Hotze m.ho...@hotze.com wrote:
 
   I'm trying to help a company I work for to pass an audit, and we've
   been told we need trusted NTP sources (RedHat doesn't cut it).
   Being located in Nigeria, Africa,
 
   [...]
 
  So build your own stratum 1 server (maybe a second one with DCF77 or
  whatever you can use for redundancy),
 
 
  I don't think DCF77 is going to reach Nigeria.
 
  Aled




Re: Need trusted NTP Sources

2014-02-06 Thread Jay Ashworth
- Original Message -
 From: Mark Milhollan m...@pixelgate.net

 Generally speaking, you'll need at least 3 sources if you want
 stability.

My usual practice is to set up two in house servers, each of which 
talks to:

time.windows.com
time.apple.com
and one of the NIST servers

0.us.pool.ntp.org
1.us.pool.ntp.org
2.us.pool.ntp.org

and each other. 

And then point everyone in house to both of them, assuming they accept
multiple server names.

But I am young, and not much travelled.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



Re: Need trusted NTP Sources

2014-02-06 Thread Larry Sheldon

On 2/6/2014 8:24 PM, Jay Ashworth wrote:


Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command.


It does.  And does not light up for most of the lists I am on (including 
one I own).  I am apparently not bright enough to notice when it does 
light up.



 Most consumer MUAs, of course,

don't.

Reply-All is a (usually) winked-upon subterfuge, or you can do like I
do and just manually readjust the To header when you reply to the list.


The latter apparently requires even more brain power than I am able to 
bring to bear on the problem.


A FB community I am part of has several people in it that work in the 
same company--much flapping about a message sent to all--including 
people on continents who have no capability of being interested.  Much 
don't send replies to all--sent to all.



Just don't do what I do and accidentally set it to NANOG when you're
replying to a different list's message.  :-)


I was mildly chastised yesterday about a lengthy thread that I started 
about GPSs on MTRA when I could swear that I started on MTR.


Old age has not been kind to me.


Cheers,
-- jra


And I did consider sending this just to Jay, but decided the public 
humbling would be good.


You need not bother everybody to tell me I was wrong.  Again.


It will get warm again someday.  I'm pretty sure.

--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: Need trusted NTP Sources

2014-02-06 Thread Jay Ashworth
- Original Message -
 From: Larry Sheldon larryshel...@cox.net

 After all these years I still cannot get used to the non-standard NANOG
 response to reply. I wonder if there is a way for me to fix that.

Noo!!!  Everybody!!!  Don't reply to that!!!  

:-)

Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command.  Most consumer MUAs, of course,
don't.

Reply-All is a (usually) winked-upon subterfuge, or you can do like I 
do and just manually readjust the To header when you reply to the list.

Just don't do what I do and accidentally set it to NANOG when you're 
replying to a different list's message.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274



RE: Need trusted NTP Sources

2014-02-06 Thread Frank Bulk
This doesn't address the full-mesh part, but this discussion suggests at
least four servers, but better to have five.
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.

Frank

-Original Message-
From: Saku Ytti [mailto:s...@ytti.fi] 
Sent: Thursday, February 06, 2014 10:34 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources

On (2014-02-06 07:24 -0800), Michael DeMan wrote:

 A) Run a local set of NTP servers - these are your 'trusted' servers,
under your control, properly managed/secured, fully meshed, etc.

I'm not sure if full-mesh is best practice; the external clients should have
full view of as close to source data as possible.
If in full-mesh you're already masking the data with inaccuracy, giving the
clients less information to make a decision?

We used to have full-mesh in our meinbergs, until from their recommendation
we removed it completely. It makes sense to me, but I don't understand the
issue deeply.

-- 
  ++ytti