nanog mailing list archives
Re: NTP Server
From: Matthew Petach <mpetach () netflight com>
Date: Sun, 24 Oct 2010 13:48:35 -0700
On Sun, Oct 24, 2010 at 8:34 AM, Brandon Kim <brandon.kim () brandontek com> wrote:
Hey guys: I wanted to open up this question regarding NTP server. I recalled someone had created a posting of this quite a while back. From a service provider/ISP standpoint, does anyone think that having a local NTP server is really necessary? I've asked some of my fellow engineers at work and many of them give me the same response, "Can't we just use free ones out on the internet?"
Depends on how much you trust other people.

NTP can potentially be used as a DoS vector by your upstream clocks, if you're not running your own. I've seen 50,000 servers panic in the blink of an eye when the NTP source issued a leap second, and the kernel wasn't patched to handle it properly; and that's a forward leap second. Nobody's tested reverse leap seconds yet; who knows what would happen to your hosts if your upstream NTP servers decided to issue a reverse leap second towards you?

Granted, if you choose enough diverse upstream clocks, that becomes more difficult for someone to exploit; but it's not impossible, and you can't count on keeping your upstream clock sources secret, given the bidirectional communication that can take place between NTP servers.

*shrug* It's cheap enough to run your own clock sources, once you're above a certain size, and it's one less potential attack vector from the outside; why wouldn't you want to secure your edge against it?

Matt
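
The point above about diverse upstream clocks, as an added example that is not part of the original post: a Python check that reads the leap indicator (LI) bits from several upstream NTP replies and honours a leap announcement only when a strict majority of usable sources agree and the month is June or December. The source names, the constructed packets and the June/December policy are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

LI_NAMES = {0: "none", 1: "insert", 2: "delete", 3: "unsynchronized"}  # RFC 5905 LI values

def parse_header(pkt):
    """Return (leap_indicator, version, mode, stratum) from a raw NTP packet."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    first = pkt[0]  # LI: top 2 bits, version: next 3, mode: low 3
    return first >> 6, (first >> 3) & 0x7, first & 0x7, pkt[1]

def make_reply(li, stratum=2):
    """Constructed 48-byte server reply (version 4, mode 4); timestamps zeroed."""
    return bytes([(li << 6) | (4 << 3) | 4, stratum]) + bytes(46)

def vet_leap(replies, today):
    """replies: {source_name: packet_bytes}. Return (leap_to_honour, warnings)."""
    votes, warnings = {}, []
    for src, pkt in replies.items():
        try:
            li, _ver, mode, stratum = parse_header(pkt)
        except ValueError as exc:
            warnings.append(f"{src}: {exc}")
            continue
        if mode != 4 or not 1 <= stratum <= 15 or li == 3:
            warnings.append(f"{src}: unusable (mode={mode}, stratum={stratum}, LI={li})")
            continue
        votes[src] = li
    if not votes:
        return "none", warnings + ["no usable sources"]
    winner, count = Counter(votes.values()).most_common(1)[0]
    for src, li in votes.items():
        if li != winner:
            warnings.append(f"{src}: LI={LI_NAMES[li]} disagrees with majority")
    # Assumed local policy: every leap second so far has fallen at the end of
    # June or December, so an announcement in any other month is not honoured.
    if winner != 0 and (count * 2 <= len(votes) or today.month not in (6, 12)):
        warnings.append(f"leap '{LI_NAMES[winner]}' rejected: no strict majority or wrong month")
        winner = 0
    return LI_NAMES[winner], warnings

if __name__ == "__main__":
    # Constructed sample: one of three sources announces a negative leap second.
    sample = {"clock-a": make_reply(0), "clock-b": make_reply(0), "clock-c": make_reply(2)}
    print(vet_leap(sample, date(2010, 10, 24)))
```

With only one usable source the majority test is trivially satisfied, so the check adds protection only when several independent clocks are polled.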