[ntp:questions] Re: Estimate of the number of people using the pool system

Adrian 'Dagurashibanipal' von Bidder grazdan at fortytwo.ch
Wed Oct 22 06:54:47 UTC 2003

Clinging to sanity, David L. Mills mumbled in his beard:

> Adrian,
> The NTP clock discipline increases the poll interval until reaching
> maxpoll when incidental jitter and wander, justify. However, there is no
> reliable correlation between poll interval and nominal accuracy. In
> other words, you can't pick a maxpoll out of the air and expect the
> incidental jitter and wander to prevail less than any particular value.

Ok. That tells me that if I recommend an increased maxpoll value, I
basically recommend a higher target jitter/wander of the client using the
pool. This is fine with me so far.

> In fact, if the incidental jitter and wander of the pool population is
> truly in the tens of milliseconds, the poll interval will probably not
> ramp up beyond the default anyway.

I've not seen this happen. All servers either properly go up to maxpoll, or
they are discarded as falsetickers (but still are at maxpoll after some

ntpq -pn on one of the monitoring servers tells me:
 - the big majority is within +/-10ms offset
 - of the 93 servers, 11 servers are outside of +/-50ms
   and of these, 10 are detected as falsetickers or have been unreachable
   until recently.

This is with network delays of 50 to more than 100ms, and with jitter values
varying widely between 0.someting up to around 50.

So I guess the conclusion is that ntp really does what it should do even on
a bad network with big delay and jitter.

> New subject to swim the pool: What do you want to do about
> authentication in case a terrorist hijacks one or more servers? I offer
> the (optional) Autokey public-key scheme as candidate, which is now in
> use here and in evaluation elsewhere. I'm not sure the servers and

I'm not sure who would here be authenticating with whom.

If our terrorist hijacks the database/nameserver, all is lost anyway.
If our terrorist hijacks one of the timeservers in the pool, doesn't he
automatically get the secret key of that timeserver, too?

And if we detect the hijacking, we just throw that timeserver out of the
pool - no new clients will be syncing with that timeserver.

Disclaimer: So far, I never studied how the autokey authentication works, so
I am probably just not seeing 'it'.

-- vbi

>> Clinging to sanity, David L. Mills mumbled in his beard:
> [While my cling to sanity certainly is tenuous, our fascist news server
> won't let me include your message.]


Lack of money is the root of all evil.
                -- George Bernard Shaw

More information about the questions mailing list