nanog mailing list archives

RE: OpenNTPProject.org

From: Mike Walter <mwalter () 3z net>
Date: Tue, 18 Feb 2014 15:15:47 +0000

For knowledge on the list.  We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when 
the command "feature ntp" was not present.  I had to explicitly enter "no feature ntp" to prevent the NTP server 
service from existing on our public facing 7K interfaces.

Thanks,

Mike

-----Original Message-----
From: Blake Dunlap [mailto:ikiris () gmail com] 
Sent: Monday, February 17, 2014 11:03 AM
To: nanog () nanog org
Subject: Re: OpenNTPProject.org

If you're trying to actually run a ntp server setup as opposed to just
trusting the world, I strongly suggest reading the documentation for the
service, as most people don't deploy it correctly while they think they
have.

At minimum, you want a cluster of 3 - 4 servers internally, configured as
peers of each other, and listening to some source of time, preferably
multiple like a few on the internet from the big public pool, and if you
really care about time, set up a GPS receiver or two.

You can definitely go farther than the above, but that's the start to doing
it right. Anything short of the above is just trusting the world at large,
and you'll likely happily follow along with any time skew like that thing a
few months/year ago with either tick or tock.

Without the above, you don't have enough sane sources to discredit bad
advisers (you need 3 for a time lock).

-Blake


On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams <alby.williams () verizon com

wrote:


Blake:

 Just to make sure I've got this down, listing a device as a "peer" in
the ntp.conf file will create a situation where both devices are saying,
"I know what time it is" and splitting the difference?  Whereas when you
list a device as a "server", it's using that as the authority on the
correct time?

Example:
--

#
peer    192.168.1.1 iburst
peer    192.168.1.2 iburst


#
server  ntp.colby.edu           minpoll 6 maxpoll 10 iburst
server  bonehed.lcs.mit.edu     minpoll 6 maxpoll 10 iburst





On 2/17/2014 10:28 AM, Blake Dunlap wrote:

Peer means it considers the other side an equal and they will mutually

skew

time together. If you have peer on for devices you don't consider your

time

servers, you're opening yourself up to problems.

-Blake

Current thread:

Re: OpenNTPProject.org, (continued)
- Re: OpenNTPProject.org Pete Ashdown (Feb 16)
- Re: OpenNTPProject.org Brian Rak (Feb 16)
  - RE: OpenNTPProject.org Kate Gerry (Feb 16)
    - Re: OpenNTPProject.org James R Cutler (Feb 16)
    - Re: OpenNTPProject.org George, Wes (Feb 17)
    - Re: OpenNTPProject.org Pete Ashdown (Feb 17)
    - Re: OpenNTPProject.org Blake Dunlap (Feb 17)
    - Re: OpenNTPProject.org Anthony Williams (Feb 17)
    - Re: OpenNTPProject.org James R Cutler (Feb 17)
    - Re: OpenNTPProject.org Blake Dunlap (Feb 17)
    - RE: OpenNTPProject.org Mike Walter (Feb 18)
    - Re: OpenNTPProject.org Dobbins, Roland (Feb 17)
    - Re: OpenNTPProject.org Paul S. (Feb 17)
    - Re: OpenNTPProject.org Harlan Stenn (Feb 17)
  - Re: OpenNTPProject.org Mark Tinka (Feb 16)
    - Re: OpenNTPProject.org Lyndon Nerenberg (Feb 16)
    - Re: OpenNTPProject.org Christopher Morrow (Feb 16)
    - Re: OpenNTPProject.org Lyndon Nerenberg (Feb 16)
    - Re: OpenNTPProject.org Mark Tinka (Feb 16)
    - Re: OpenNTPProject.org Christopher Morrow (Feb 16)
    - Re: OpenNTPProject.org Yucong Sun (Feb 17)

(Thread continues...)