NIST NTP servers
- Subject: NIST NTP servers
- From: hardenrm at uchicago.edu (Ryan Harden)
- Date: Tue, 10 May 2016 13:28:14 +0000
- In-reply-to: <CACkP6k=2+18oY7HNH2cByJhyD0z=U-SX7CCo6GAR6zG3YV8mdQ@mail.gmail.com>
- References: <CAKdv5965qRG_Qe=xL+=7dcZzeaU2y8xcYXfr7EAAEFnRJ7nnyw@mail.gmail.com> <[email protected]> <[email protected]> <CACkP6k=2+18oY7HNH2cByJhyD0z=U-SX7CCo6GAR6zG3YV8mdQ@mail.gmail.com>
_Everything_ has vulnerabilities and using _any_ external source opens your network and infrastructure to disruptions. NTP has been used for DDoS amplification attacks recently, but so has DNS and other well known/heavily used protocols.
With the right protections, syncing with an external NTP source is perfectly acceptable and safe.
Further, it's generally a good idea to "peer" (not just sync) your NTP servers with a few external sources. This removes the dependence on a single source and helps ensure that your time source agrees with the rest of the world. Peering requires interaction with the owners of the remote site, which establishes a basic level of trust that they'll provide an accurate and stable service.
I've attached a diagram (sanitized) of what our NTP service will look like after an upcoming refresh.
All external sources are trusted and will be peered. All time devices peer with four other sources to ensure there is always a live source to sync/peer with.
A DNS record with round-robin is used for local clients to connect to the local Stratum 2 devices. The Stratum 1 GPS will not be directly accessible by users.
/Ryan
Ryan Harden
Research and Advanced Networking Architect
University of Chicago - ASN160
P: 773.834.5441
On May 10, 2016, at 5:48 AM, Steven Miano <mianosm at gmail.com> wrote:
NTP has vulnerabilities, so using an external source opens your networks
and infrastructure to disruptions.
Going with an internal GPS/GLONASS/RADIO based S1 allows you to restrict
incoming traffic and not rely on volunteers or external entities (which may
undergo maintenance or budget issues).
My preference is more so something akin to the GLN180PEX (I am not
affiliated or paid to endorse this product). It allows you to use commodity
hardware (like a decommissioned 1U or several preferably) and creation of
one's own reliable internal time source(s). Introducing black boxes into a
production (revenue generation or expected services by paying customers)
environment is undesirable.
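As an added illustration of the design Ryan describes above (not from the original thread, and not the University of Chicago's actual configuration), here is how a classic ntpd deployment could express it: Stratum 2 servers that peer with four sources while refusing the mode 6/7 control queries abused for amplification, and a Stratum 1 GPS box that ignores everyone except the Stratum 2 tier. Host names and the 192.0.2.x addresses are placeholders.

```conf
# --- /etc/ntp.conf on each campus Stratum 2 server (classic ntpd) ---
driftfile /var/lib/ntp/ntp.drift

# Answer time requests from anyone, but refuse mode 6/7 control queries
# (ntpq/ntpdc, monlist included), runtime reconfiguration, trap
# registration and unsolicited association requests.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# The MRU list behind 'monlist' is what was abused for amplification.
disable monitor

# Four time sources, all peered (either side may sync from the other):
# the in-house Stratum 1 GPS plus three external operators we have an
# agreement with. Addresses and names are placeholders.
peer 192.0.2.10 iburst                 # Stratum 1 GPS
peer ntp1.partner-a.example iburst
peer ntp1.partner-b.example iburst
peer ntp1.partner-c.example iburst

# Peers get a looser line than 'default' so rate limiting and 'nopeer'
# cannot interfere with the symmetric exchange.
restrict 192.0.2.10 nomodify notrap
restrict ntp1.partner-a.example nomodify notrap
restrict ntp1.partner-b.example nomodify notrap
restrict ntp1.partner-c.example nomodify notrap

# --- /etc/ntp.conf on the Stratum 1 GPS box (not reachable by clients) ---
driftfile /var/lib/ntp/ntp.drift

# Drop every packet by default; only the Stratum 2 subnet (placeholder
# 192.0.2.0/24) may sync from or peer with this box (no 'nopeer', so the
# Stratum 2 'peer' lines mobilize a passive association here), and even
# that subnet may not query or reconfigure it.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap noquery

# GPS receiver on /dev/gps0 through the generic NMEA refclock driver.
server 127.127.20.0 minpoll 4 maxpoll 4 prefer
fudge 127.127.20.0 refid GPS
```

Local clients would then point at the round-robin DNS name for the Stratum 2 tier rather than at any of these addresses directly.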