Joel Reicher wrote:
>> The "discard packets if too many requests received" method only helps
>> against users caring about time synchronization, but using the wrong
>> software or configuration. If those people detect that they do not get
>> what they want, they will either change the ntp server they are using or
>> reconfigure/change their software.
>
> Somebody's already suggested something much better to achieve this. I
> forget who it was, but the suggestion was that abusive clients be given
> the *wrong* time, rather than be ignored. Users will notice this much
> more.
I remember the discussion and IIRC it was rejected because it could
cause damage to someone who is not aware that he/she misconfigured their
ntp client software (or is using broken software). The first thing that
comes to my mind is a missed scheduled backup or some cleanup scripts
deleting something that is x days/years old.
Of course all this could also happen to someone who does not get served
by an ntp server of his/her choice, but in that case he/she is the one
causing the damage, whereas you might be blamed because you indirectly
manipulated their system time. People have been sued for smaller reasons.
IMHO not serving is better than serving the wrong time. Again, I do not
think it is ok to accept endangering those who simply do not know
better (even if they should!).
> For clients that refuse to be fixed, there is no point blocking
> them. For clients that may care, there is something better. Either way,
> there's no point not replying.
I disagree. At least some of the clients that refuse to be fixed will go
away if you do not answer their requests, just because their owners
detect that your server is not responding to them. A few of them may
wonder why it doesn't work and take a deeper look.
> I agree that a blacklist doesn't seem worth the effort. Much better
> would be to identify parties responsible (software and distribution
> producers) and contact them.
That's always the best approach, but it may be impossible to do so
because even NTP pool server operators may run out of time :-)
> If you manage to get something working that you think is effective,
> you should probably post the config/script to this list.
As I said, there is a "restrict limited" configuration command, at
least in the ntpd online documentation. This does exactly what I
proposed: it throws away requests that exceed certain limits. Those
limits can be configured using the "discard" configuration command.
I'll check if/how that feature works and let you know how to configure it.
Kind regards,
Heiko
--
------------------------------------------------------------------------
*MEINBERG Funkuhren*
Auf der Landwehr 22
D-31812 Bad Pyrmont, Germany
Tel.: ++49 (0)5281 9309-25
Fax: ++49 (0)5281 9309-30
eMail: [EMAIL PROTECTED]
Internet: http://www.meinberg.de/
------------------------------------------------------------------------
Meinberg radio clocks: 25 years of accurate time worldwide
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
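The following is an added example, not part of the thread above and not code from ntpd or Meinberg. It shows the two ntpd keywords the thread discusses ("discard average/minimum" and "restrict ... limited") in a constructed ntp.conf fragment, and then runs a simplified leaky-bucket model of that per-source rate limit over constructed traffic from three clients: a polite one polling every 64 s, a broken one polling every 3 s, and a 1 s flood. The ntp.conf keywords and their defaults (average 3, i.e. 2^3 = 8 s minimum average spacing; minimum 2 s guard time) are ntpd's own; the "burst" parameter and the bucket arithmetic are my assumptions for illustration and are not ntpd's ntp_monitor.c logic. The client addresses and poll intervals are constructed sample data.

```python
"""Added example: model of ntpd's per-source rate limit ('discard' plus
'restrict ... limited') over constructed traffic.  Not ntpd's own code."""

# Constructed ntp.conf fragment.  ntpd's defaults are 'average 3'
# (2^3 = 8 s minimum average spacing) and 'minimum 2' (2 s guard time).
NTP_CONF_FRAGMENT = """\
# rate limits applied per source address by 'restrict ... limited'
discard average 3 minimum 2

# 'limited': silently drop packets over the limit (what the thread proposes)
# 'kod':     additionally answer an over-limit client with a Kiss-o'-Death
#            RATE packet, so a conforming client backs off instead of guessing
restrict default kod limited nomodify notrap nopeer noquery
# older ntpd versions need a separate line for IPv6
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


class RateLimiter:
    """Leaky-bucket approximation of 'discard average A minimum M'.

    'burst' (assumed, not an ntpd keyword) is how many packets a source may
    send ahead of the average rate before it is limited.
    """

    def __init__(self, average=3, minimum=2, burst=4):
        self.min_spacing = minimum        # guard time in seconds
        self.avg_spacing = 2 ** average   # minimum average spacing in seconds
        self.burst = burst
        self.last_seen = {}               # addr -> arrival time of last packet
        self.debt = {}                    # addr -> bucket level, in packets

    def classify(self, addr, t):
        """Return 'serve' or 'drop' for one packet from addr arriving at t."""
        last = self.last_seen.get(addr)
        level = self.debt.get(addr, 0.0)
        self.last_seen[addr] = t
        guard_violated = False
        if last is not None:
            interval = t - last
            # The bucket drains one packet per avg_spacing seconds.
            level = max(0.0, level - interval / self.avg_spacing)
            # Faster than the guard time is dropped regardless of the average.
            guard_violated = interval < self.min_spacing
        # Every received packet counts, dropped or not, so an abuser cannot
        # improve its standing by being dropped; the cap bounds recovery time.
        level = min(level + 1.0, 2.0 * self.burst)
        self.debt[addr] = level
        if guard_violated or level > self.burst:
            return "drop"
        return "serve"


def run(traffic, **limits):
    """Classify (time, addr) packets in time order; return {addr: [verdicts]}."""
    rl = RateLimiter(**limits)
    verdicts = {}
    for t, addr in sorted(traffic):
        verdicts.setdefault(addr, []).append(rl.classify(addr, t))
    return verdicts


# Constructed traffic: (seconds since start, source address).
POLITE = [(t, "10.0.0.1") for t in range(0, 256, 64)]      # 64 s poll, 4 pkts
BROKEN = [(t, "198.51.100.9") for t in range(0, 30, 3)]   # 3 s poll, 10 pkts
FLOOD = [(t, "192.0.2.7") for t in range(0, 20)]           # 1 s poll, 20 pkts


def summary(traffic=POLITE + BROKEN + FLOOD):
    """Return {addr: (served, dropped)} for the constructed traffic."""
    out = {}
    for addr, v in run(traffic).items():
        out[addr] = (v.count("serve"), v.count("drop"))
    return out


if __name__ == "__main__":
    for addr, (served, dropped) in sorted(summary().items()):
        print(f"{addr:14} served={served:2} dropped={dropped:2}")
```

With the defaults the polite client is always answered, the 1 s flood gets exactly one answer and is then dropped on the guard time alone, and the 3 s client is answered for its first few packets and then refused until it slows down to at least the 8 s average (it is served again after a long pause). Two caveats for anyone trying this on a real pool server: "limited" relies on ntpd's MRU monitor list ("enable monitor", on by default), so disabling the monitor disables the limit; and a KoD from "kod" only helps clients that honour it, which is precisely the kind of client this thread says is often missing.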