[ntp:questions] Date Jumped

Brian Utterback brian.utterback at sun.com
Wed Jan 20 19:59:38 UTC 2010

Rob wrote:
> Richard B. Gilbert <rgilbert88 at comcast.net> wrote:
>> Better still to use at least four servers, whether from the pool or not.
>> Using only three servers leaves you vulnerable; if one of them fails you 
>> are left with two and no possibility of "voting one out" if one the 
>> remaining servers fails, for it is written that a man with two clocks 
>> can never be certain what time it is!
> I am not going to play the game "it is better to use 25 servers because
> if you use 24 and 23 of them fail it leaves you vulnerable".

Richard is correct, but for the wrong reason. The clock choosing
algorithm in NTP does not deal only in offsets, it also deals with
dispersion intervals. Because of this, having three servers does not
really give you two good votes voting the bad one out, it gives you
three possible intervals, with one of two scenarios: one of intervals
getting three votes and that interval contains the falseticker, or all
three of them get two votes each and the falseticker will be involved
in two of those intervals leaving it available to be chosen as the
system peer.

With 4 servers, however, there is always one interval that does not
contain the falseticker that will get 3 votes with all the intervals
involving the falseticker getting at most two votes.

So, if you want protection from a single falseticker, you must have at
least 4 servers.

Brian Utterback

More information about the questions mailing list