[ntp:questions] Re: Latest changes to TWiki GettingStarted
brad.knowles at skynet.be
Mon Oct 6 10:09:47 UTC 2003

At 7:14 AM +0000 2003/10/06, Hal Murray wrote:

> I think we should be praising Apple for making it easy to get NTP
> going on their boxes, AND for providing ntp servers for their
> customers rather than adding to the load on the main public servers.

The version of NTP that Apple provides is ancient. I have done
work to get 4.1.80 to build and install on MacOS X, and contributed
that back to the project. I don't see anyone from Apple doing
anything similar -- if they have any patches, they keep them to
themselves. They also don't ship any NTP-related documentation at
all with the OS.

Since we haven't been able to provide man pages in the past, this
means that every MacOS X system ever shipped has a number of
ntp-related commands that have absolutely no documentation
whatsoever. Worse, because Dave is very insistent upon having only
the very latest version of the documentation available on the web, we
haven't been able to provide information on our website that would be
useful to anyone using the provided version of NTP on MacOS X.

This is a totally unacceptable state of affairs.

Moreover, everything I've read and heard indicates to me that you
really need at least three or four NTP servers that you communicate
with, before you can be reasonably sure that you really are getting a
decent time setting. To make things work reasonably well, you need
to combine multiple servers with things like "iburst" and the "-q"
option on the command line, before you can get a good quick
convergence to the correct time, and reasonable assurances that
you'll be able to keep it there and not be misled by falsetickers.

> Why isn't one server enough for a random home/office workstation?
> I know that's not a "real" NTP server, but is it good enough for
> most users? Why would they care about a ms as compared to a second?
> (The old way was to set the time by hand when it got bad enough
> to be noticed so this seems great to me.)

In a perfect world, that would be okay. But this is the real
world. We have people who are going out and actively poisoning the
DNS cache of people around the world, so that they can more easily
break into their systems. We have people who are actively spoofing
NTP servers so as to try to mess with the clock that people have on
their systems, so that they can use replay attacks which would
otherwise be prevented because of the passage of time.

We have a whole host of malicious types of activity going on, and
we should no longer apply the assumptions that we might have brought
with us from the time of "The network by the angels, of the angels,
and for the angels".

> I'm willing to put things like iburst and prefer into the wizard
> category and let people who need them edit their config file by

But Apple isn't. Whatever you put into your configuration file
will be wiped out the next time this GUI tool is run, and you make

Brad Knowles, <brad.knowles at skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
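
An added illustration, not part of the original message and not ntpd's own code, of the point above about needing three or four servers: a simplified Marzullo-style interval intersection in which each source's offset and root distance form an interval and only a strict majority of overlapping intervals is trusted. The server names and measurements are constructed for the example.

```python
# Simplified Marzullo-style selection; sample data below is constructed.

def select_truechimers(samples):
    """samples maps a server name to (offset_seconds, root_distance_seconds).

    Returns (sorted names that agree, (low, high) of their common interval),
    or ([], None) when no strict majority of sources overlaps.
    """
    edges = []
    for offset, distance in samples.values():
        edges.append((offset - distance, -1))  # interval opens
        edges.append((offset + distance, +1))  # interval closes
    edges.sort()  # at equal values, opens (-1) sort before closes (+1)

    best = count = 0
    low = high = None
    for i, (value, kind) in enumerate(edges):
        count -= kind  # +1 on an open, -1 on a close
        if count > best:
            best, low, high = count, value, edges[i + 1][0]

    if best * 2 <= len(samples):  # no strict majority: trust nobody
        return [], None
    agree = sorted(
        name for name, (offset, distance) in samples.items()
        if offset - distance <= low and offset + distance >= high
    )
    return agree, (low, high)


# Constructed measurements: three honest sources and one pushed an hour ahead.
HONEST = {"ntp-a": (0.012, 0.030), "ntp-b": (-0.005, 0.040), "ntp-c": (0.020, 0.025)}
SPOOFED = {"ntp-x": (3600.0, 0.020)}

if __name__ == "__main__":
    for label, pool in [
        ("four servers, one spoofed", {**HONEST, **SPOOFED}),
        ("two servers, one spoofed", {"ntp-a": HONEST["ntp-a"], **SPOOFED}),
        ("one server, spoofed", dict(SPOOFED)),
    ]:
        print(label, "->", select_truechimers(pool))
```

With four sources the spoofed one falls outside the majority interval and is dropped; with two there is disagreement but no majority, and with one the spoofed clock is accepted because nothing contradicts it.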