John Sasso jsassojr at nycap.rr.com
Thu Mar 17 14:21:40 UTC 2005

I am working on a design for the NTP infrastructure for our company.  We
purchased 6 Stratum-1, GPS-sync'd NTP servers, three for each of our two
data centers located at remote sites.  We have a number of subnets at each
of our secured sites, each secured by a firewall.

According to
 it suggests NTP clients should sync to a minimum of 4 NTP servers.
Specifically, it states:

"While the general rule is for 2n+1 to protect against "n" falsetickers,
this actually isn't true for the case where n=1. It actually takes 2 servers
to produce a "candidate" time, which is really an interval. The winner is
the shortest interval for which more than half (counting the two that define
the interval) have an offset (+/- the dispersion) that lies on the interval
and that contains the point of greatest overlap."

In the past, I've had NTP clients sync to up to 3 [out of 4] Stratum-2 NTP
servers.  The 4 NTP servers each sync'd to 4 off-site Stratum-1 NTP servers,
as well as off one-another for additional sanity checking.

For the design, is it overkill for me to require NTP clients to sync to 4
NTP servers?  How about just 3?  The NTP clients consist of Cisco routers
and firewalls, Windows, Sun, and Linux systems.  Part of the environment
uses Windows AD w/ Kerberos as well as SSL, which I think require accurate

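The quoted passage describes the NTP intersection step: each server's offset plus or minus its root distance forms an interval, and the client keeps only the shortest interval that a majority of servers agree on. The following is an added example, not code from this thread or from ntpd; it is a simplified Python model of that step as given in RFC 5905 (candidate names, offsets and root distances are constructed values in microseconds), and it counts how many servers survive when 2, 3 or 4 servers are polled and one or two of them are falsetickers.

```python
"""Simplified model of the NTP intersection (clock-select) step from RFC 5905.

Added example for illustration, not ntpd's implementation.  Offsets and root
distances are constructed sample values in microseconds.
"""

from typing import Dict, List, Optional, Tuple

# (server name, measured offset, root distance), all in microseconds
Candidate = Tuple[str, int, int]


def intersection_interval(cands: List[Candidate]) -> Optional[Tuple[int, int]]:
    """Return the smallest (low, high) interval that at least m - allow of the
    m candidate intervals overlap, tolerating up to allow falsetickers where
    2 * allow < m.  Returns None when no majority interval exists."""
    m = len(cands)
    edges = []
    for name, offset, dist in cands:
        edges.append((offset - dist, -1, name))   # low point of the interval
        edges.append((offset, 0, name))           # midpoint (the offset itself)
        edges.append((offset + dist, +1, name))   # high point of the interval
    edges.sort()

    allow = 0
    while 2 * allow < m:                          # never allow half or more
        low: Optional[int] = None
        high: Optional[int] = None
        found = 0                                 # midpoints outside [low, high]
        chime = 0
        for edge, kind, _ in edges:               # scan upward for the low end
            chime -= kind
            if chime >= m - allow:
                low = edge
                break
            if kind == 0:
                found += 1
        chime = 0
        for edge, kind, _ in reversed(edges):     # scan downward for the high end
            chime += kind
            if chime >= m - allow:
                high = edge
                break
            if kind == 0:
                found += 1
        if low is not None and high is not None and found <= allow and high > low:
            return (low, high)
        allow += 1                                # tolerate one more falseticker
    return None


def truechimers(cands: List[Candidate]) -> List[str]:
    """Names of candidates whose offset lies inside the majority interval."""
    interval = intersection_interval(cands)
    if interval is None:
        return []
    low, high = interval
    return [name for name, offset, _ in cands if low <= offset <= high]


# Constructed scenarios: three well-behaved servers within 1 ms of each other
# and falsetickers that are 5 s off (assumed values, not measurements).
GOOD_A: Candidate = ("srvA", 1000, 2000)
GOOD_B: Candidate = ("srvB", -1000, 2000)
GOOD_C: Candidate = ("srvC", 0, 2000)
FALSE_1: Candidate = ("bad1", 5_000_000, 2000)
FALSE_2: Candidate = ("bad2", -5_000_000, 2000)


def survivor_counts() -> Dict[str, int]:
    """How many servers survive selection in each constructed scenario."""
    return {
        "2 servers, 0 falsetickers": len(truechimers([GOOD_A, GOOD_B])),
        "2 servers, 1 falseticker": len(truechimers([GOOD_A, FALSE_1])),
        "3 servers, 1 falseticker": len(truechimers([GOOD_A, GOOD_B, FALSE_1])),
        "4 servers, 1 falseticker": len(truechimers([GOOD_A, GOOD_B, GOOD_C, FALSE_1])),
        "4 servers, 2 falsetickers": len(truechimers([GOOD_A, GOOD_B, FALSE_1, FALSE_2])),
    }


if __name__ == "__main__":
    for scenario, count in survivor_counts().items():
        print(f"{scenario}: {count} survivor(s)")
```

With two servers that disagree there is no majority at all and the client is left with nothing to sync to; three servers survive one falseticker but leave only two survivors, and four servers survive one falseticker with three survivors while a second falseticker again defeats selection. That is the arithmetic behind polling more servers than the minimum needed for a majority.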