[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NTP Issues Today



After some private replies, I'm going to reply to my own post with
some information here.

It appears many people don't understand how the NTP protocol works.
I suspect many people have configured a "primary" and a "backup"
NTP server on many of their devices.  It turns out this is the
_WORST_ possible configuration if you want accurate time:

http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3.

To protect against two falseticking servers (tick and tock, as we saw on
the 19th) you need _FIVE_ servers minimum configured if they are both in
the list.  More importantly, if you want to protect against a source
(GPS, CDMA, IRIG, WWIV, ACTS, etc) false ticking, you need a minimum of
_FOUR_ different source technologies in the list as well.

It's not hard, my box that I posted the logs from peers with 18 servers
using 8 source technologies, all freely available on the Internet...

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20121120/b33c5714/attachment.bin>