[ntp:questions] Re: NTP sync

Roger roger.neumann at web.de
Wed Oct 1 17:15:06 UTC 2003


"David L. Mills" <mills at udel.edu> wrote in message news:<3F6EF346.79227081 at udel.edu>...
> Rajkumar,
> 
> Your plan runs contrary to the NTP security model, which is designed to
> operate in the open and unencumbered by tunnel latencies. Security is
> maintained end-to-end by public key signatures, cryptographic identity
> schemes and crafted agreement algorithms. You don't need or want tunnels
> of any kind. See the design described on the NTP project page linked
> from www.ntp.org.
> 
> Dave

Hello,

Do you expect that such IPsec tunnels do very negatively influence operation 
of NTP or time accuracy?

Unfortunately there are many NTP client implementations that do not support
the NTP security model of public key signatures or cryptographic identity 
schemes.

In addition, the clients that I have to synchronize send and receive NTP 
requests via their O&M interfaces, which need to be connected to a secure 
O&M network.
The O&M network in our case (and I guess there are many similar other cases 
as well) is only logically separated from normal traffic by means of VPN 
technologies. 
When the O&M traffic has to traverse a provider backbone we use IPsec tunnels
to ensure secure traffic transfer. So, in our case, if server and clients 
reside in separate sites, NTP will run through an IPsec tunnel, which is 
terminated by firewalls at both tunnel ends.

In our case, most sites have a GPS controlled stratum-1 server. The clients 
do not use tunnels to peer to the local NTP server within the site. But they 
peer via IPsec tunnels to stratum 1 servers in other sites for redundancy 
reasons. 

So, can this design be a problem for operation of NTP or time accuracy?

BR
Roger



More information about the questions mailing list