nanog mailing list archives
Re: NIST NTP servers
From: Ryan Harden <hardenrm () uchicago edu>
Date: Tue, 10 May 2016 13:28:14 +0000
_Everything_ has vulnerabilities and using _any_ external source opens your network and infrastructure to disruptions. NTP has been used for DDoS amplification attacks recently, but so has DNS and other well known/heavily used protocols. With the right protections, syncing with an external NTP source is perfectly acceptable and safe.

Further, it’s generally a good idea to ‘peer’ (not just sync) your NTP servers with a few external sources. This removes the dependence on a single source and helps ensure that your time source agrees with the rest of the world. Peering requires interaction with the owners of the remote site, which establishes a basic level of trust that they’ll provide an accurate and stable service.

I’ve attached a diagram (sanitized) of what our NTP service will look like after an upcoming refresh. All external sources are trusted and will be peered. All time devices peer with four other sources to ensure there is always a live source to sync/peer with. A DNS record with round-robin is used for local clients to connect to the local Stratum 2 devices. The Stratum 1 GPS will not be directly accessible by users.

/Ryan

[cid:5676FF89-CBC8-42F7-84CE-69F431C23E48@int.ancker.net]

Ryan Harden
Research and Advanced Networking Architect
University of Chicago - ASN160
P: 773.834.5441

> On May 10, 2016, at 5:48 AM, Steven Miano <mianosm () gmail com> wrote:
>
> NTP has vulnerabilities, so using an external source opens your networks and infrastructure to disruptions. Going with an internal GPS/GLONASS/RADIO based S1 allows you to restrict incoming traffic and not rely on volunteers or external entities (which may undergo maintenance or budget issues).
>
> My preference is more so something akin to the GLN180PEX (I am not affiliated or paid to endorse this product). It allows you to use commodity hardware (like a decommissioned 1U or several preferably) and creation of one’s own reliable internal time source(s).
>
> Introducing black boxes into a production (revenue generation or expected services by paying customers) environment is undesirable. From there setting up NTPd, Chronyd, and PTPd is up to you.
>
> Relying on satellites may seem like just another external reliance, but the next life is proposing a design life of 12 years...
>
>> On Mon, May 9, 2016 at 11:12 PM, Majdi S. Abbas <msa () latt net> wrote:
>>
>>> On Tue, May 10, 2016 at 03:08:16AM +0000, Mel Beckman wrote:
>>> NTP has vulnerabilities that make it generally unsuitable for provider networks. I strongly recommend getting a GPS-based time server. These are as cheap as $300. Here is one I use quite a bit:
>>
>> So how does this stop from distributing time to their customers via NTP? GPS doesn't save the protocol, in particular where the S1 clocks involved are embedded devices with rather coarse clocks and timestamping.
>>
>> --msa
>
> --
> Miano, Steven M.
> http://stevenmiano.com
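One way to express the design Ryan describes (a Stratum 2 server fed by a non-public GPS Stratum 1, peered with four authenticated sources, serving clients with query and modification disabled) in an ntpd ntp.conf. This is an added example, not a configuration from the thread or from the University of Chicago; all hostnames, the key file path and the key ids are placeholders.

```conf
# Added example, not from the thread. Hostnames and key ids are placeholders.
driftfile /var/lib/ntp/ntp.drift

# Default policy for everyone: serve time, nothing else.
#   noquery  - refuse mode 6/7 control queries (the monlist-style amplification vector)
#   nomodify - refuse runtime reconfiguration
#   nopeer   - refuse UNauthenticated packets that would mobilize an association;
#              our own key-authenticated peers below are still accepted
#   limited/kod - rate-limit abusive clients and answer them with Kiss-o'-Death
restrict default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict -6 ::1

# Local Stratum 1 GPS clock. It lives on a management network that clients
# cannot reach; only the Stratum 2 tier talks to it.
server gps1.time.example.net iburst prefer

# Symmetric-active peering with four sources (two local Stratum 2 siblings,
# two external operators). Any single outage or falseticker leaves three
# live sources to sync/peer with.
peer s2-b.time.example.net key 1
peer s2-c.time.example.net key 1
peer ntp-a.peer.example.org key 2
peer ntp-b.peer.example.org key 3

# Symmetric keys exchanged out of band with each peer's operator, the
# trust relationship the thread describes. Keep the file root-only.
keys /etc/ntp/ntp.keys
trustedkey 1 2 3

# Do not trust the clock selection unless at least two sources agree.
tos minsane 2
```

Clients then resolve the round-robin name for the Stratum 2 tier with plain `server ... iburst` lines; they never see the GPS host.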