[ntp:questions] Re: NTP sync
roger.neumann at web.de
Wed Oct 1 17:15:06 UTC 2003
"David L. Mills" <mills at udel.edu> wrote in message news:<3F6EF346.79227081 at udel.edu>...
> Your plan runs contrary to the NTP security model, which is designed to
> operate in the open and unencumbered by tunnel latencies. Security is
> maintained end-to-end by public key signatures, cryptographic identity
> schemes and crafted agreement algorithms. You don't need or want tunnels
> of any kind. See the design described on the NTP project page linked
> from www.ntp.org.
Do you expect that such IPsec tunnels very negatively influence the operation
of NTP or time accuracy?

Unfortunately there are many NTP client implementations that do not support
the NTP security model of public key signatures or cryptographic identity

In addition, the clients that I have to synchronize send and receive NTP
requests via their O&M interfaces, which need to be connected to a secure

The O&M network in our case (and I guess there are many similar other cases
as well) is only logically separated from normal traffic by means of VPN

When the O&M traffic has to traverse a provider backbone we use IPsec tunnels
to ensure secure traffic transfer. So, in our case, if server and clients
reside in separate sites, NTP will run through an IPsec tunnel, which is
terminated by firewalls at both tunnel ends.

In our case, most sites have a GPS-controlled stratum-1 server. The clients
do not use tunnels to peer to the local NTP server within the site. But they
peer via IPsec tunnels to stratum 1 servers in other sites for redundancy

So, can this design be a problem for operation of NTP or time accuracy?