[ntp:hackers] Re: NTP and leap-seconds

David L. Mills mills at udel.edu
Mon Jul 3 05:38:34 UTC 2006


This is an interesting discussion. Consider the case where the NIST 
advertises a DUT1 change or a DST update or a leapsecond change. This is 
no a Byzantine agenda as the selection algorithm is designed to handle, 
but an arbitrary bit decision. See the WWV/H driver for an excursion in 
that direction. The algorithm is properly descirbed as 
maximum-likelihood from a mathematical point of analysis. Are we 
prepared to go to those extremes>


David J Taylor wrote:

> David L. Mills wrote:
>> David J Taylor wrote:
> []
>>> - is there some sort of sanity check in NTP about leap-seconds, such
>>> as requiring a majority of servers to say that a leap second is due
>>> before a client actually inserts the leap second?
> []
>> David,
>> The usual behavior is that servers do not realize a leapsecond is
>> pending, either because they have not been told using ntpdc or the
>> radios or drivers do not implement the warning. So the code sifts from
>> among the (usually) three survivors of the mitigation algorithms and
>> sets the leap if one or more show leap. You suggestion would change
>> that to require two out of the three to set the leap. What if there
>> are only two survivors?
>> The most reliable and secure solution to the false alarm problem is to
>> run Autokey and use the leapsecond table as distributed from the
>> primary servers.
>> Dave
> From your response, I seem to have identified a weakness in the 
> otherwise excellent hands-off, automated operation of NTP!  Something 
> which requires manual intervention is error prone, as we have now seen 
> twice this year.
> I don't know much about the Autokey method you mention - it sounds as 
> if it may be too complex for the average end-use client software.  I 
> am unsure if it is the Windows port.
> Considering your comments on the basic algorithm, I would consider 
> requiring a majority of servers, and if you are down to just two then 
> I guess you have to decide between requiring one or both servers to be 
> showing a leap-second.  I would go for two, personally.  Can you 
> anything before mitigation like noting that a majority of servers 
> suggested the leap second, to aid the after-mitigation decision?
> One other thing I an unsure of - if four weeks ago a server says leap, 
> but on June 30 it does not, does ntp recognise the change, or does the 
> erroneous "leap" command get kept?
> David

More information about the hackers mailing list