[ntp:questions] Quickstart

Brad Knowles brad.knowles at skynet.be
Wed Aug 27 21:46:02 UTC 2003


At 7:48 PM +0000 2003/08/22, worley at theworld.com wrote:

>  Sometimes
>  these can be discovered because many routers contain an NTP server,
>  and "ntpq -p <your-default-gateway>" or "ntptrace
>  <your-default-gateway>" will reveal them.  Another method is to use
>  the service at http://www.abnormal.com/cgi-bin/findntp.

	I just noticed this part.  I would use the strongest possible 
terms to encourage you to stop recommending this kind of behaviour.


	Routers are designed to take packets in on one interface and pass 
them to another, as quickly as possible (using specially designed 
hard-coded circuits).  Routers are *NOT* designed to terminate 
packets and serve them locally.

	In the case of most routers, services like NTP are shunted to a 
separate general-purpose processor, which is usually underpowered and 
overloaded with other services.  Either your NTP packets get delayed 
or dropped or some other service suffers while you get your time 
reference correctly (well, at least more correctly).

	Tim Hogard, owner of the web page at 
<http://www.abnormal.com/cgi-bin/findntp> has acknowledged this 
problem, although he has not yet found a better solution, and has 
chosen to leave this page up until he does.


	Unless the owner of the router explicitly tells you to use it as 
your time server, you should not do so.  Even if the owner does 
explicitly tell you to use it as your time server, you should 
seriously consider whether or not you should do so.

>  Third, you also need to determine which IP addresses will be permitted
>  to examine the status of your NTP daemon, and which will be permitted
>  to remotely modify its configuration.  We assume that you will allow
>  anybody to examine its status and nobody on another computer to alter
>  its configuration, as that is normally a safe policy.

	I would recommend restricting this to the IP addresses on the 
local network.  Otherwise, you risk putting yourself in a UWisc-type 
position (see 
<http://developers.slashdot.org/article.pl?sid=03/08/22/1454233&mode=thread&tid=126&tid=128&tid=156&tid=95>).

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
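The last point in the message, restricting who may examine and who may alter the daemon, is set with `restrict` lines in ntp.conf. The script below is an added example, not code from the NTP distribution or from the poster: it parses the `restrict` lines of a configuration, applies ntpd's documented rule that the most specific matching entry wins, and reports whether a given source address may send status queries (denied by `noquery`) or run-time configuration changes (denied by `nomodify` or `noquery`). The two embedded configurations are constructed samples: the first implements the quoted "anyone may examine, nobody may modify" policy, the second implements the local-network-only policy the reply recommends, with `192.0.2.0/24` (a documentation prefix) standing in for the local network. The helper handles IPv4 dotted masks and IPv6 prefix lengths only; other `restrict` keywords are passed through as flags.

```python
"""Audit ntp.conf 'restrict' lines: who may query (ntpq) and who may modify?

Hypothetical helper written for this example; not part of the NTP project.
Modelled semantics: the most specific matching restrict entry applies,
'noquery' denies mode 6/7 status queries, 'nomodify' denies run-time
configuration changes, 'ignore' drops everything.
"""
import ipaddress


def parse_restrict_lines(conf_text):
    """Return a list of (network, flags) tuples from the restrict lines."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[1:]
        families = ("4", "6")                        # plain 'default' covers both
        if parts[0] in ("-4", "-6"):                 # explicit address family
            families = (parts[0][1],)
            parts = parts[1:]
        target, rest = parts[0], parts[1:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        flags = set(rest)
        if target == "default":
            nets = []
            if "4" in families:
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if "6" in families:
                nets.append(ipaddress.ip_network("::/0"))
        elif mask is not None:                       # IPv4 dotted mask form
            nets = [ipaddress.ip_network(f"{target}/{mask}", strict=False)]
        else:                                        # single host: /32 or /128
            nets = [ipaddress.ip_network(target)]
        for net in nets:
            entries.append((net, flags))
    return entries


def effective_flags(entries, source_ip):
    """Flags of the most specific restrict entry that matches source_ip."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in entries:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    # No matching entry at all means ntpd imposes no restriction.
    return best[1] if best else set()


def query_allowed(conf_text, source_ip):
    """May source_ip read daemon status with ntpq/ntpdc-style queries?"""
    flags = effective_flags(parse_restrict_lines(conf_text), source_ip)
    return not ({"ignore", "noquery"} & flags)


def modify_allowed(conf_text, source_ip):
    """May source_ip change the running configuration remotely?"""
    flags = effective_flags(parse_restrict_lines(conf_text), source_ip)
    return not ({"ignore", "noquery", "nomodify"} & flags)


# Constructed sample: the quoted policy, anyone may examine, nobody may modify.
OPEN_QUERY_CONF = """
restrict default nomodify notrap
restrict 127.0.0.1
"""

# Constructed sample: status queries only from the local network and localhost.
LOCAL_ONLY_CONF = """
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # the LAN
restrict 127.0.0.1
restrict ::1
"""

PROBES = ("203.0.113.5", "192.0.2.10", "127.0.0.1", "2001:db8::1")


def audit(conf_text, probes=PROBES):
    """Map each probe address to (query_allowed, modify_allowed)."""
    return {ip: (query_allowed(conf_text, ip), modify_allowed(conf_text, ip))
            for ip in probes}


if __name__ == "__main__":
    for name, conf in (("open-query", OPEN_QUERY_CONF),
                       ("local-only", LOCAL_ONLY_CONF)):
        print(name)
        for ip, (q, m) in audit(conf).items():
            print(f"  {ip:14} query={'yes' if q else 'no':3} modify={'yes' if m else 'no'}")
```

Running it shows the difference the reply is asking for: under the first configuration an arbitrary Internet address (203.0.113.5) can read the daemon's peer and system status, while under the second only 192.0.2.0/24 and the loopback addresses can, and modification is never possible from another machine.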


