[ntp:questions] Re: Latest changes to TWiki GettingStarted

Brad Knowles brad.knowles at skynet.be
Mon Oct 6 10:09:47 UTC 2003


At 7:14 AM +0000 2003/10/06, Hal Murray wrote:

>  I think we should be praising Apple for making it easy to get NTP
>  going on their boxes, AND for providing ntp servers for their
>  customers rather than adding to the load on the main public servers.

	The version of NTP that Apple provides is ancient.  I have done 
work to get 4.1.80 to build and install on MacOS X, and contributed 
that back to the project.  I don't see anyone from Apple doing 
anything similar -- if they have any patches, they keep them to 
themselves.  They also don't ship any NTP-related documentation at 
all with the OS.

	Since we haven't been able to provide man pages in the past, this 
means that every MacOS X system ever shipped has a number of 
ntp-related commands that have absolutely no documentation 
whatsoever.  Worse, because Dave is very insistent upon having only 
the very latest version of the documentation available on the web, we 
haven't been able to provide information on our website that would be 
useful to anyone using the provided version of NTP on MacOS X.

	This is a totally unacceptable state of affairs.


	Moreover, everything I've read and heard indicates to me that you 
really need at least three or four NTP servers that you communicate 
with, before you can be reasonably sure that you really are getting a 
decent time setting.  To make things work reasonably well, you need 
to combine multiple servers with things like "iburst" and the "-q" 
option on the command line, before you can get a good quick 
convergence to the correct time, and reasonable assurances that 
you'll be able to keep it there and not be misled by falsetickers.

>  Why isn't one server enough for a random home/office workstation?
>  I know that's not a "real" NTP server, but is it good enough for
>  most users?  Why would they care about a ms as compared to a second?
>  (The old way was to set the time by hand when it got bad enough
>  to be noticed so this seems great to me.)

	In a perfect world, that would be okay.  But this is the real 
world.  We have people who are going out and actively poisoning the 
DNS cache of people around the world, so that they can more easily 
break into their systems.  We have people who are actively spoofing 
NTP servers so as to try to mess with the clock that people have on 
their systems, so that they can use replay attacks which would 
otherwise be prevented because of the passage of time.

	We have a whole host of malicious types of activity going on, and 
we should no longer apply the assumptions that we might have brought 
with us from the time of "The network by the angels, of the angels, 
and for the angels".

>  I'm willing to put things like iburst and prefer into the wizard
>  category and let people who need them edit their config file by
>  hand.

	But Apple isn't.  Whatever you put into your configuration file 
will be wiped out the next time this GUI tool is run and you make 
any changes.

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

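As an added example that is not part of the original post or of the NTP project's own tooling, here is a small POSIX shell check that applies the rule of thumb argued above to the output of `ntpq -p`: it counts the peers that survived ntpd's selection algorithm and flags any that were marked as falsetickers. The `ntpq -p` sample, its hostnames and its addresses are constructed for the example; the threshold of three usable sources is the assumption from the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an ntpd peer
# list for "enough surviving sources" and "no falsetickers".
# Constructed sample of `ntpq -p` output; hosts and addresses are made up.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 203.0.113.10     2 u   45   64  377    1.234   -0.123   0.456
+ntp2.example.net 203.0.113.11     2 u   12   64  377    2.345    0.234   0.567
+ntp3.example.net 203.0.113.12     2 u   30   64  377    3.456    0.345   0.678
xntp4.example.net 203.0.113.13     2 u   50   64  377    1.000  150.000   0.100
 ntp5.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# count_peers CLASS: read ntpq -p text on stdin, print how many peer lines
# start with a tally code contained in CLASS. Tally codes per the ntpq docs:
#   '*' system peer, 'o' PPS peer, '+' candidate, '#' backup,
#   'x' falseticker, '-' outlier, '.' excess, ' ' unreachable/discarded.
count_peers() {
    awk -v class="$1" '
        NR > 2 && length($0) > 0 { if (index(class, substr($0, 1, 1)) > 0) n++ }
        END { print n + 0 }'
}

# check_sources [MIN_GOOD]: return 0 when at least MIN_GOOD peers (default 3)
# survived selection ('*', 'o', '+', '#') and none is a falseticker ('x');
# return 2 on falsetickers, 1 on too few sources. Prints a one-line verdict.
# Usage on a live host: ntpq -p | check_sources 4
check_sources() {
    min_good="${1:-3}"
    input=$(cat)
    good=$(printf '%s\n' "$input" | count_peers '*o+#')
    ft=$(printf '%s\n' "$input" | count_peers 'x')
    if [ "$ft" -gt 0 ]; then
        echo "WARN: $ft falseticker(s) flagged; review the server list"
        return 2
    fi
    if [ "$good" -lt "$min_good" ]; then
        echo "WARN: only $good usable source(s), want at least $min_good"
        return 1
    fi
    echo "OK: $good usable source(s), no falsetickers"
    return 0
}
```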
