[ntp:questions] restrict source available from which version?

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Sat Dec 31 08:09:46 UTC 2016


On 2016-12-30 16:32, Ask Bjørn Hansen wrote:
> On Tuesday, September 6, 2016 at 1:41:10 AM UTC-7, Miroslav Lichvar wrote:
>> On 2016-09-05, ask at ntppool.org <ask at ntppool.org> wrote:
>>> My draft has the following as the recommendation for someone using the
>>> pool (on 4.2.8 or later):
>>> driftfile /var/lib/ntp/ntp.drift
>>> restrict default kod nomodify notrap nopeer noquery
>>> restrict -6 default kod nomodify notrap nopeer noquery
>> I think this line shouldn't be necessary as restrict default specified
>> without -4 and -6 should apply to both.
> Ok, thank you. Is that the case for older versions of ntpd, too?
> There's obviously a bit of cargo cult going on here, I appreciate the
> help getting to an actual best practices recommendation. :-/
> For Martin's comment about kod and limited:
> I'm not sure if 'limited' works on a reasonably busy NTP server
> (hundreds to a few thousand queries a second) and I don't think
> anyone has shown that KoD packets do something useful for a
> meaningful number of the "bad clients", so I should probably just
> take 'kod' out.

Works with typical bad clients, but most ignore KoD packets anyway,
so just avoid the MRU list overhead and sending KoD - see
http://doc.ntp.org/current-stable/rate.html for how it works.

>>> restrict source notrap nomodify noquery

restrict source was added along with pool in 4.2.7p22 (2010/04/02);
the docs were updated in 4.2.7p24 (2010/04/13).

>>> restrict 127.0.0.1
>>> restrict -6 ::1
>>>
>>> pool 0.pool.ntp.org

Add preempt to pool statements to drop unselected servers and 
acquire new servers to maintain a majority clique - see below.

>> How many servers should the client use at the same time? The
>> default value of tos maxclock is 10, so it would use 10 servers.
>> That seems a bit excessive. If it should be equivalent to the
>> current recommendation, the config would need to include
>>
>> 	tos maxclock 4

Keep it odd - tos maxclock 5 - for sync, a majority clique requires
truechimers *>* falsetickers; truechimers == falsetickers is
*unsynced*. 5 allows 2 servers to be "off" in some way at the same
time (e.g. during weekend maintenance windows, when servers often
drop out - YMMV); see http://doc.ntp.org/current-stable/select.html .

>> Also, how about adding the iburst option? Considering that a
>> significant part of NTP traffic is from ntpdate (which sends four
>> packets in 2s interval) and that most Linux distributions seem to
>> use iburst in their default ntp.conf, I think it could be
>> recommended to everyone.
> 
> Hmm, I could get convinced of that.

Also add iburst to pool statements.

And only use minpoll and/or maxpoll on local ref clocks.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
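The points raised in this thread, turned into a small checker, as an added example: this is not code from the thread, from the pool project or from the NTP distribution. It lints an ntp.conf fragment for the recommendations above (drop kod, no separate -6 default line on 4.2.8+, restrict source when pool is used, iburst and preempt on pool statements, minpoll/maxpoll only on local refclocks, odd tos maxclock) and computes how many falsetickers a given maxclock tolerates under the truechimers > falsetickers rule. It assumes ntpd 4.2.8+ semantics and that local reference clocks use the 127.127.t.u pseudo-addresses; the check list is the thread's advice, not an official ntpd linter. DRAFT is the config quoted above; RECOMMENDED is a constructed version with the thread's changes applied.

```python
"""Lint an ntp.conf pool-client fragment against the thread's advice.

Added example, not from the thread or the NTP project. Assumes ntpd 4.2.8+
(restrict default without -4/-6 applies to both families) and that local
reference clocks use ntpd's 127.127.t.u pseudo-addresses.
"""

# The draft quoted in the thread (constructed copy for the example).
DRAFT = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
pool 0.pool.ntp.org
tos maxclock 4
"""

# Constructed: the same draft with the thread's recommendations applied.
RECOMMENDED = """\
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify notrap nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
pool 0.pool.ntp.org iburst preempt
tos maxclock 5
"""

REFCLOCK_PREFIX = "127.127."  # ntpd reference-clock pseudo-address range
NTPD_DEFAULT_MAXCLOCK = 10    # default noted by Miroslav above


def tolerated_falsetickers(maxclock):
    """Largest f such that maxclock - f > f (equality is unsynced)."""
    return (maxclock - 1) // 2


def lint_ntp_conf(text):
    """Return sorted (lineno, message) findings; lineno 0 = whole file."""
    findings = []
    plain_default, family_defaults = False, []
    uses_pool, has_restrict_source = False, False
    maxclock, maxclock_line = None, 0

    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, blank lines
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]

        if kw == "restrict":
            if args[:1] == ["default"]:
                plain_default = True
            elif args[:2] in (["-4", "default"], ["-6", "default"]):
                family_defaults.append(lineno)
            if args[:1] == ["source"]:
                has_restrict_source = True
            if "kod" in args:
                findings.append((lineno, "drop kod: most bad clients ignore it "
                                 "and it costs MRU list overhead (rate.html)"))

        elif kw in ("pool", "server") and args:
            addr, opts = args[0], set(args[1:])
            if kw == "pool":
                uses_pool = True
                for opt in ("iburst", "preempt"):
                    if opt not in opts:
                        findings.append((lineno, f"add {opt} to pool statement"))
            if opts & {"minpoll", "maxpoll"} and not addr.startswith(REFCLOCK_PREFIX):
                findings.append((lineno, "minpoll/maxpoll only on local reference clocks"))

        elif kw == "tos" and "maxclock" in args:
            maxclock = int(args[args.index("maxclock") + 1])
            maxclock_line = lineno

    if plain_default:
        for ln in family_defaults:
            findings.append((ln, "redundant on 4.2.8+: 'restrict default' without "
                             "-4/-6 already applies to both address families"))
    if uses_pool and not has_restrict_source:
        findings.append((0, "pool used without 'restrict source': discovered "
                         "servers get no per-source restriction"))
    if maxclock is None:
        findings.append((0, f"no tos maxclock: default {NTPD_DEFAULT_MAXCLOCK} "
                         "servers is excessive; set tos maxclock 5"))
    elif maxclock % 2 == 0:
        findings.append((maxclock_line, f"tos maxclock {maxclock} tolerates "
                         f"{tolerated_falsetickers(maxclock)} falsetickers, same as "
                         f"{maxclock - 1}; keep it odd (e.g. 5)"))
    return sorted(findings)


if __name__ == "__main__":
    for ln, msg in lint_ntp_conf(DRAFT):
        print(f"line {ln}: {msg}")
    print("recommended fragment findings:", lint_ntp_conf(RECOMMENDED))
```

Running it against DRAFT reports both kod lines, the redundant -6 default line, the missing iburst/preempt, and that maxclock 4 buys nothing over 3; RECOMMENDED comes back clean. The parity rule is the point worth remembering: an even maxclock tolerates exactly as many falsetickers as the odd value below it.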

