Firewall Wizards mailing list archives

Re: Acquisition of time


From: "Martin Peikert" <Martin.Peikert () discon de>
Date: Thu, 30 Jan 2003 10:23:00 +0100

Ben Nagy wrote:
> If a firewall can't reach an NTP server because of some transient network
> condition the clock doesn't automatically go haywire - it will just start
> drifting as per the normal accuracy of the hardware clock, no?

Not necessarily. You could use clockspeed, see http://cr.yp.to/clockspeed.html
,-----------------------------------------------------------------------
| clockspeed uses a hardware tick counter to compensate for a
| persistently fast or slow system clock. Given a few time measurements
| from a reliable source, it computes and then eliminates the clock
| skew.
`-----------------------------------------------------------------------
and
,-----------------------------------------------------------------------
| Typical success story: I started clockspeed on one of my Pentium
| computers at home on 1998-05-05. I ran sntpclock (through a 28.8
| dialup line) once on 1998-05-05 and once on 1998-05-30. On 1998-08-22,
| after no network time input for nearly three months, the clock was
| just 0.21 seconds off.
`-----------------------------------------------------------------------

So, if a firewall can't reach an NTP server for a longer time, I would think that you really have a problem ;-) But for a sufficient length of time clockspeed will do the job and keep the time from drifting too far...

GTi

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
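
An added sketch (not part of the original post, and not clockspeed's own code) of the skew compensation the quoted description outlines: fit seconds-per-tick from a few reference readings, then keep time from the tick counter alone while the time source is unreachable. The 1 MHz counter, the 50 ppm oscillator error and the jitter on the two readings are constructed assumptions.

```python
# Added illustration, not clockspeed's source. All sample values are constructed.
NOMINAL_HZ = 1_000_000   # assumed tick rate the OS believes the counter has
TRUE_HZ = 1_000_050      # assumed real rate: oscillator runs 50 ppm fast
DAY = 86_400

def ticks_at(real_seconds):
    """Counter reading after real_seconds of true elapsed time."""
    return real_seconds * TRUE_HZ

def fit_rate(samples):
    """Least-squares line ref_time = offset + sec_per_tick * ticks.

    samples: list of (tick_count, reference_time_seconds) pairs.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two reference measurements")
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("measurements must be taken at different tick counts")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    sec_per_tick = sxy / sxx
    return mean_y - sec_per_tick * mean_x, sec_per_tick

def naive_time(ticks):
    """Time as computed from the nominal (uncorrected) tick rate."""
    return ticks / NOMINAL_HZ

def corrected_time(ticks, offset, sec_per_tick):
    """Time as computed from the fitted rate, with no network input."""
    return offset + sec_per_tick * ticks

def holdover_errors():
    """Two noisy reference readings 25 days apart, then 84 days offline."""
    t1, t2 = 25 * DAY, 109 * DAY
    samples = [(ticks_at(0), 0 + 0.040),      # reading was 40 ms late
               (ticks_at(t1), t1 - 0.030)]    # reading was 30 ms early
    offset, sec_per_tick = fit_rate(samples)
    now = ticks_at(t2)
    return (naive_time(now) - t2,
            corrected_time(now, offset, sec_per_tick) - t2)

if __name__ == "__main__":
    naive, corrected = holdover_errors()
    print(f"uncorrected clock error: {naive:+.2f} s")
    print(f"skew-corrected error:    {corrected:+.4f} s")
```

The residual error after holdover comes entirely from the jitter in the reference readings, so readings taken further apart give a better rate estimate.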