[ntp:questions] Reliable SNTP server for commercial use

Brad Knowles brad at stop.mail-abuse.org
Sat Nov 20 01:12:46 UTC 2004

At 9:35 AM -0800 2004-11-19, Karapetkov, Stefan H wrote:

>  		The SIP telephones support Simple Network Time Protocol and
>  provide options to configure an IP address or DNS name of the SNTP server as
>  well as time offset. Based on this configuration, the SIP telephone will
>  contact the time server periodically and synchronize its internal Date and
>  Time which is displayed in idle state.

	In this kind of environment, one thing I'd want to be very 
careful of is making sure that all the NTP servers for the SNTP 
clients have very good time sync between them (consistency between 
the servers is more important than getting absolute best accuracy for 
only some servers and having others that are way out of whack), and 
making sure that you've got a good number of servers behind each time 
server name published in the DNS.

	This isn't NTPv3 or NTPv4, so there are a lot of issues that 
would normally affect NTP operations that won't be of concern.  But 
there are some implementation details that will be important to good 
long-term operations.

>  		The time server should preferably send GMT time and the SIP
>  phone user will be able to set the time offset.

	NTP always works exclusively in UTC, and leaves timezone 
representation up to the applications responsible for displaying the 
information to the user.

>  		Any suggestions will be appreciated.

	I think that consistency is going to end up being your most 
important long-term operational issue.  So, you're going to want 
someone who can sell you a hundred or a thousand (or however many) 
guaranteed identical boxes.

>  		Since the time server is on the Internet while the SIP
>  telephones can be installed in enterprise networks, please comment on the
>  SNTP ability to traverse firewalls.

	I think that's going to be an issue.  Port 123 will need to be 
open on the firewalls going out, and the firewalls will need to be 
configured to allow replies to outgoing packets to come back through 
on the appropriate ports.

	Ideally, the time servers for the SNTP clients would actually be 
located inside their network, and the time servers themselves would 
then be able to talk to other time servers outside the network.

	Having all this SNTP traffic cross the firewall is likely to be a 
scalability issue, as well as a performance and reliability issue 
(especially with noisy networks and networks otherwise suffering from 
bottlenecks that could cause collisions or drops of the UDP query or 
response packets).  It might also be considered a security issue, 
since SNTP is subject to trivial man-in-the-middle attacks (among 
other things).

	You really, really want to put your time servers inside the 
networks and keep all that traffic local, and then be able to have 
more robust/secure time server traffic between those boxes and their 
upstream servers.  If you're concerned about this traffic being able 
to cross the firewall, then set those machines up with Stratum 1 
refclocks (GPS, DCF77, or whatever) so that they don't need to cross 
the firewall.  Of course, in that case you'd want to set up a few 
extra boxes inside the network for redundancy/reliability/accuracy 
purposes and have them all peer together.

	I think you want to go back and take another look at your network 
and application design on this issue, and try to make sure that you 
fully understand what it is that you truly need and where that will 
go, before you try to start buying hardware for undefined 

Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.

More information about the questions mailing list