[ntp:questions] Re: synch clock using SNTP on embedded system

Brad Knowles brad.knowles at skynet.be
Thu Oct 16 02:22:46 UTC 2003

At 11:42 PM +0000 2003/10/15, Kenneth Porter wrote:

>  Another idea: (I don't know what downsides there are to this. NTP gurus?)
>  If the above ideas fail, as a last resort, traceroute to a well-known
>  public server and look for NTP service on each router along the way,
>  using that of the closest router.

	Bad idea.  From 

Some routers run ntpd and can be used to distribute time to the 
subnets that connect to them.

However, keep in mind that routers are primarily designed to route 
packets in one interface and out another, and they usually have lots 
of custom silicon chips to help them perform this role very well and 
very quickly.  They are not typically well-suited to the role of 
providing general-purpose services.

In many cases, these kinds of functions are handed off to an internal 
shared CPU which is asked to perform all sorts of less common tasks 
on the router, and doing excessive amounts of work with NTP may cause 
it to be less able to do "real work" as a router, or may cause it to 
perform poorly as an NTP server.

If you wish to configure your routers as an NTP client, we suggest 
that you use information on this subject from the vendor, or from 
documentation written specifically for that vendor.  In the case of 
Cisco routers, you can see the O'Reilly books Hardening Cisco Routers 
by Thomas Akin or Cisco Cookbook by Kevin Dooley and Ian J. Brown. 
Both have chapters on NTP, but the former has a chapter on NTP that 
is available online at 
http://www.oreilly.com/catalog/hardcisco/chapter/ch10.html .

>  It's also not uncommon to run NTP on
>  DNS servers, so you could look for it on your configured DNS server.

	Same deal.

configure your machine or your clients to use an NTP server that you 
do not control yourself, or that you have not explicitly confirmed 
that it is okay for you to use them in the way you are planning.

	Advertising a machine in pool.ntp.org is generally taken to be an 
indication that the machine is open for public use, but if you will 
be configuring this address in clients that will be sold to the 
public, you should contact the pool.ntp.org coordinator and confirm 
that your plans are within acceptable limits.

	The machines listed at 
<http://www.eecis.udel.edu/~mills/ntp/servers.html> are also 
generally open to the public, but again you should always get 
explicit permission to use them if you are going to be putting them 
into use on more than just a small handful of clients.

	Otherwise, you risk re-creating yet another UWisc/Netgear 
debacle.  See <http://www.cs.wisc.edu/~plonka/netgear-sntp/> for more 

Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

