[ntp:questions] project ntp.br

Rob pse at nospam.com
Fri Oct 5 02:02:17 UTC 2007

On Thu, 04 Oct 2007 12:59:22 -0300, Antonio M. Moreiras wrote:

Hi Antonio.  I am a relative newbie to ntp but I will give you some
pointers where I can.

> Dear Sirs:
> NIC.br is working on the project ntp.br, which has the goal of improving 
> the quality of time synchronization in (Brazilian) Internet hosts and 
> networks and of providing legal Brazilian time.


> Basically we intend to provide stratum 1 and stratum 2 servers, 
> synchronized with legal Brazilian time (that is kept by the Observatorio 
> Nacional - www.on.br - and is, in last instance, UTC).
> We will have 3 of the following structure (at 3 different sites, at 3
> different cities: Sao Paulo, Rio de Janeiro, Brasilia):
> -----------------------------------------------------------
>   Observatorio Nacional (Cesium clock)
>                  |
>                  |(periodically assures the
>                  | accuracy with the official
>                  | brazilian time - that is
>                  | in last instance UTC)
>                  #
>        ** Rubidium clock **
>          ** Stratum 0 **
>            Symmetrycom
>                  |
>                  |(IRIG)
>                  #
>       ** Stratum 1 Server **
>        Appliance Spectracom ------------------
>      or Appliance Symmetrycom                |
>                  |                           |(Internet)
>                  |(Internet or LAN)          |
>                  #                           #
>        ** Stratum 2 Server **            (stratum 2 "clients")
>   cluster with 2 Dell blade servers      (autonomous systems)
>                  |                       (big networks)
>                  |(Internet)
>                  #
>          (stratum 3 "clients")
>          (home users, small
>           and medium networks)
> -----------------------------------------------------------
> The Rubidium clocks and stratum 1 servers will be completely independent
> of each other, but each of the six stratum 2 servers will be 
> synchronized by the three stratum 1 servers.
> The project will start with 2 complete sites (Sao Paulo, Rio de
> Janeiro). The third site (Brasilia) will have only the stratum 2
> servers, and in the next year the Rubidium clock and the stratum 1
> server will be added.
> The stratum 2 servers will be open to the Internet, intended to be used
> by home users, small and medium networks, to synchronize clients or 
> stratum 3 servers.
> The stratum 1 servers will have their access restricted, intended to be
> used only by the Autonomous Systems and big networks to synchronize their
> own stratum 2 servers. We estimate about 600 clients for each stratum 1
> server.
> We need some help and advice in the following questions:
> 1 - Is that a good structure or does it need to be improved or corrected?

I will let the real experts answer this one.

> 2 - The Stratum 1 Servers are appliances and do have some limitations at 
> access control configuration. How can we provide access limitation by 
> other means? We are studying the following possibilities:
>    (a) A firewall between the Internet and the Stratum 1 servers, with a 
> per client IP configuration.
>    (b) A VPN (OpenVPN).
> What would be better? Is there any other alternative?

I would think either one would work just fine and give you the needed
security. I would prefer (a) using a firewall since it will easily give
you the flexibility to allow some of your citizens to use the
Stratum 1 servers.  

e.g.  In Canada, NRC provides official Canadian time.  NRC does allow
certain citizens / companies to use the stratum 1 servers but you must
make a special request.  See the NRC website.

> 3 - About cryptography:
>    - We don't fully understand the options and implications yet.

Cryptography in ntp is ONLY used for authentication purposes.
It does NOT encrypt the time or any other data.  
(Why would one want to make the time secret! :-) )

>    - It seems to complicate a little the client side configuration.  We 
> fear that it will discourage the potential users.

Yes, authentication would make life overly complicated for most of your
citizens and it would be burdensome for the Brazilian government.  You
would need to issue NEW authentication certificates to your users EACH

In Canada, I think the NRC has a good policy.  If users want the comfort
and assurance that you are getting time from NRC (and not from some rogue
impersonating NRC), the user should pay for it.  I think NRC charges $110
for the initial certificate and $50 each year to replace the expired

For links between your Stratum 1 and Stratum 2 servers, I WOULD use
authentication as an extra layer of security.

>    - It seems that the majority of the servers at public pool don't use it.
> Then:
>    (a) What are the real risks of not implementing the cryptography?

For the servers exposed to the public, I don't see any major downsides. 
But a rogue might be able to impersonate your ntp servers and give the
wrong time.  (Very unlikely in my view).  But if your users want the
assurance and comfort that they are getting the time from the Brazil
government, you will need to use authentication.  (But it will be a
burden to issue new certificates each year.  You may want to consider
charging users who want to use authentication).

>    (b) What is more recommended: Autokey, or symmetrical keys? Why?

The symmetrical keys approach is weak.  There are middleman attacks.

Autokey is better.  (Within autokey, there are various options -- IFF, GQ,
MV etc.  I would ask the experts which is better (assuming there is one
which is better)).

>    (c) Is it possible to implement cryptography as an optional feature: 
> the server configuration accepts clients with and without cryptography?

I believe the answer to this is yes.  I believe NRC does it with its
stratum 2 servers (and maybe even its stratum 1 servers).

I have also set up a ntpd server on a LAN where both authenticated users
and unauthenticated users can access the ntpd server.

> 4 - We are experiencing some degree of difficulty to fully understand 
> Autokey. Is there any documentation with a working configuration example?

Yes.  See http://support.ntp.org/bin/view/Support/ConfiguringAutokey
This is a great resource. Until I read it, I could never figure out

> 5 - At the stratum 2 servers, what is the more advisable OS? FreeBSD? 
> OpenBSD? Linux? Windows? We have read something about FreeBSD being the 
> best choice, but without an explanation.

NOT Windows.  Windows does not use NTP.  Instead Windows uses w32time.
In my experience, w32time does a POOR job at keeping time. NTP is better.
You can get an NTP port to run on Windows.  Even then the NTP port is not
as good in my view.  (I suspect the reason for the poor performance lies
with the Windows kernel.  It likely does not have mods needed to keep good
time. Apparently, most, if not all, of the modern Linux and BSD kernels do
have the needed patches).

I would think that either Linux or BSD will do equally well at keeping
time.  But I hope the real experts here will answer this question for you.

If you are really concerned with security, I would go with OpenBSD.

P.S.  I tend to use Linux since I am more comfortable with it. 

> 6 - Regarding monitoring, we intend to use basically adapted versions of 
> the scripts found at http://www.schlitt.net/scripts/ntp/ and at 
> http://saturn.dennishilberg.com/gathering_data.php. But we would also 
> like to have some statistics about quality of the clients 
> synchronization, especially of the stratum 2 servers at the autonomous 
> systems. Maybe get a "ntpq -c pe" for each one from time to time. Any 
> advice regarding this?

I will let the experts answer this one as well. 

I hope you found my comments useful -- Rob

> Sorry for the long post, and thanks in advance.
> --
> Antonio M. Moreiras
> Project Engineer at Brazilian Network Information Center - NIC.br
> moreiras at nic.br
> http://www.nic.br
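
Added example, not part of the original thread: a sketch of the point made under question 3, that NTP's symmetric-key mode authenticates a packet without hiding it, and of a receiver that accepts both authenticated and unauthenticated packets as in 3(c). It uses the MD5 keyed digest that symmetric-key mode appends after the 48-byte header (key ID plus digest); the key, key ID and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48        # fixed NTP header
MAC_LEN = 4 + 16       # 32-bit key ID followed by an MD5 digest

# Constructed key table standing in for a server's keys file.
KEYS = {1: b"constructed-demo-key"}

def build_packet(transmit_secs, key_id=None):
    """Build a minimal client request; append a MAC when key_id is given."""
    header = bytearray(HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 3                    # LI=0, version 4, mode 3
    struct.pack_into("!II", header, 40, transmit_secs, 0)  # transmit timestamp
    packet = bytes(header)
    if key_id is not None:
        digest = hashlib.md5(KEYS[key_id] + packet).digest()
        packet += struct.pack("!I", key_id) + digest
    return packet

def classify(packet):
    """Return 'unauthenticated', 'authentic' or 'bad-mac' for a received packet."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"          # no MAC present: nothing to verify
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "bad-mac"
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = KEYS.get(key_id)
    if key is None:
        return "bad-mac"                  # unknown key ID
    expected = hashlib.md5(key + header).digest()
    return "authentic" if hmac.compare_digest(expected, mac[4:]) else "bad-mac"

def transmit_seconds(packet):
    """Read the transmit timestamp straight out of the cleartext header."""
    return struct.unpack_from("!I", packet, 40)[0]

def tamper(packet):
    """Flip one bit of the transmit timestamp, as an in-transit change would."""
    changed = bytearray(packet)
    changed[43] ^= 0x01
    return bytes(changed)
```

The timestamp stays readable in the signed packet, while a modified signed packet fails verification and a modified unsigned packet is indistinguishable from a genuine one.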
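
Added example, not part of the original thread: one way to turn the periodic "ntpq -c pe" collection proposed in question 6 into alerts. The sample output, host names, function names and the 10 ms offset threshold are all constructed assumptions.

```python
# Constructed sample of `ntpq -c pe` output; host names and values are made up.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*s1-sp.example   .IRIG.           1 u   33   64  377    1.204    0.113   0.041
+s1-rj.example   .IRIG.           1 u   12   64  377    8.911   -0.207   0.088
 s1-bsb.example  .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = "*+-x#o. "  # selection codes ntpq prints in column 0

def parse_peers(text):
    """Turn the peers billboard into a list of dicts, one per association."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or line[0] not in TALLY or not fields[2].isdigit():
            continue  # header, separator, blank or malformed line
        peers.append({
            "tally": line[0],
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),   # octal register of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers

def findings(peers, max_offset_ms=10.0):
    """Return (remote, problem) tuples worth alerting on."""
    out = []
    if not any(p["tally"] == "*" for p in peers):
        out.append(("-", "no system peer selected"))
    for p in peers:
        if p["stratum"] >= 16:
            out.append((p["remote"], "unsynchronized (stratum 16)"))
        if p["reach"] == 0:
            out.append((p["remote"], "unreachable"))
        elif p["reach"] != 0o377:
            out.append((p["remote"], "missed polls"))
        if abs(p["offset_ms"]) > max_offset_ms:
            out.append((p["remote"], "offset above threshold"))
    return out
```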