[ntp:questions] project ntp.br
mayer at ntp.isc.org
Tue Oct 9 04:09:32 UTC 2007
Antonio M. Moreiras wrote:
> Dear Sirs:
> NIC.br is working on the project ntp.br, that has the goal of improving
> the quality of time synchronization in (brazilian) Internet hosts and
> networks and of provide legal brazilian time.
> Basically we intend to provide stratum 1 and stratum 2 servers,
> synchronized with legal brazilian time (that is kept by the observatorio
> nacional - www.on.br - and is, in last instance, UTC).
> We will have 3 of the following structure (at 3 different sites, at 3
> different cities: Sao Paulo, Rio de Janeiro, Brasilia):
Does that mean a cesium clock at each site? That would be the best
> Observatorio Nacional (Cesium clock)
> |(periodically assures the
> | accuracy with the official
> | brazilian time - that is
> | in last instance UTC)
> ** Rubidium clock **
> ** Stratum 0 **
> ** Stratum 1 Server **
> Appliance Spectracom ------------------
> or Appliance Symmetrycom |
> | |(Internet)
> |(Internet or LAN) |
> # #
> ** Stratum 2 Server ** (stratum 2 "clients")
> cluster with 2 Dell blade servers (autonomous systems)
> | (big networks)
> (stratum 3 "clients")
> (home users, small
> and medium networks)
> The Rubidium clocks and stratum 1 servers will be completely independent
> of each others, but each of the six stratum 2 servers will be
> synchronized by the three stratum 1 servers.
> The project will start with 2 complete sites (Sao Paulo, Rio de
> Janeiro). The third site (Brasilia) will have only the stratum 2
> servers, and in the next year the Rubidium clock and the stratum 1
> server will be added.
> The stratum 2 servers will be open to the Internet, intended to be used
> by home users, small and medium networks, to synchronize clients or
> stratum 3 servers..
> The stratum 1 servers will have their access restricted, intended to be
> used only by the Autonomous Systems and big networks to syncronize their
> own stratum 2 servers. We estimate about 600 clients for each stratum 1
> We need some help and advise in the following questions:
> 1 - Is that a good structure or it needs to be improved or corrected?
We generally recommend that at least 4 servers are used for each ntp
node because if one of the servers goes down or become unavailable you
only have two servers and ntpd has no way of deciding which server is
providing better time.
> 2 - The Stratum 1 Servers are appliances and do have some limitations at
> access control configuration. How can we provide access limitation by
> other means? We are studying the following possibilities:
> (a) A firewall between the Internet and the Stratum 1 servers, with a
> per client IP configuration.
> (b) A vpn (openvpn).
> What would be better? Is there any other alternative?
Don't use a vpn. There are multiple issues with vpn's including that
they don't work with autokey and you have additional overhead in
processing packets which leads to additional delays in sending and
receiving ntp packets.
Choose a firewall and make sure that you configure it to allow the ntp
packets in both directions on the 123/UDP port. Also, since you need a
firewall make sure it supports EDNS0 (for DNS) so that you don't have
DNS lookup delays as well, though that's a DNS issue rather than a NTP
> 3 - About cryptography:
> - We don´t fully understand the options and implications yet.
> - It seems to complicate a little the client side configuration. We
> fear that it will desincourage the potencial users.
Authentication is optional for the client. If they don't need to
authenticate the server they don't need to and they can still use the
server and get their time service.
> - It seems that the majority of the servers at public pool don´t uses it.
> (a) What are the real risks of not implementing the cryptography?
You cannot be assured that the packet is coming from the server that it
says it is. UDP packets are particularly easy to forge.
> (b) What is more recommended: Autokey, or symmetrical keys? Why?
Autokey. You have much greater control over usage, is less susceptible
to being broken and with the latest changes that Dave has implemented
you get even more flexibility.
> (c) Is it possible to implement cryptography as an optional feature:
> the server configuration accepts clients with and without cryptography?
Yes. See above. An added benefit is that you can then provide the
autokeys to paying clients who want to assure themselves that they are
talking to valid servers that are providing them time service.
> 4 - We are experiencing some degree of difficulty to fully understand
> Autokey. Is there any documentation with a working configuration example?
You need to explain what you are trying to understand. For practical
implementation I recommend that you visit:
http://support.ntp.org/bin/view/Support/ConfiguringAutokey which has a
lot of detail on how to set up and implement autokey.
> 5 - At the stratum 2 servers, what is the more advisable OS? FreeBSD?
> OpenBSD? Linux? Windows? We have read something about freebsd being the
> best choice, but without an explanation.
Don't use Windows. Apart from the cost of buying a license for the
software there's a great deal of overhead in running windows and it
frequently can lose interrupts. Linux has also been in this position
though I don't know if that's been fixed. FreeBSD is known to always
work well, as does Solaris. I'm less clear on the other OS's.
> 6 - Regarding monitoring, we intend to use basically adapted versions of
> the scripts found at http://www.schlitt.net/scripts/ntp/ and at
> http://saturn.dennishilberg.com/gathering_data.php. But we would also
> like to have some statistics about quality of the clients
> synchronization, specially of the stratum 2 servers at the autonomous
> systems. Maybe get a "ntpq -c pe" for each one from time to time. Any
> advise regarding this?
One possibility that you could use is to set up an ntp server which has
a server list of all the servers you want to monitor. Then use ntpq -p
against that server to get a list of the current status of each server
that you are interested in.
> Sorry for the long post, and thanks in advance.
> Antonio M. Moreiras
> Project Engineer at Brazilian Network Information Center - NIC.br
> moreiras at nic.br
More information about the questions