[ntp:questions] restrict source available from which version?

Charles Elliott elliott.ch at comcast.net
Mon Jan 2 15:17:03 UTC 2017


> And only use minpoll and/or maxpoll on local ref clocks.

Have you ever watched NTPD output when the polling interval reaches 10 (= 1024 seconds) or higher?  NTPD acts just like the integral term in PID control, i.e., the yo-yo effect: Over several hours the offset drops to between -2 and -3 milliseconds; then over a period of 10 hours, or so, it reaches about +2 milliseconds offset.  Then over the next 8 hours it slowly and fitfully drops to between -2 and -3 milliseconds again.  It that 8 hour decline from +2 to -2 to -3 millis, in each case when I looked at it (11/24-11/27/16), it made a sudden (2 hour) spurt at the midpoint of the 8 hours to zero offset, but then resumed its slow and fitful decline to between -2 and -3 millis.  Given that it is not hard to maintain sub-millisecond offsets (if the NTPD client is using stratum 1 timeservers and has a fast (over 20-25 Mbps) connection to the Internet), a constant swing of ~5 milliseconds in offset from the correct time is discouraging.  I would wager that the offsets are larger with pool servers.

Charles Elliott

-----Original Message-----
From: questions [mailto:questions-bounces+elliott.ch=comcast.net at lists.ntp.org] On Behalf Of Brian Inglis
Sent: Sunday, January 1, 2017 1:19 PM
To: questions at lists.ntp.org
Subject: Re: [ntp:questions] restrict source available from which version?

On 2016-12-31 01:09, Brian Inglis wrote:
> On 2016-12-30 16:32, Ask Bjørn Hansen wrote:
>> On Tuesday, September 6, 2016 at 1:41:10 AM UTC-7, Miroslav Lichvar wrote:
>>> On 2016-09-05, ask at ntppool.org <ask at ntppool.org> wrote:
>>>> My draft has the following as the recommendation for someone using 
>>>> the pool (on 4.2.8 or later):
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> restrict default kod nomodify notrap nopeer noquery restrict -6 
>>>> default kod nomodify notrap nopeer noquery
>>> I think this line shouldn't be necessary as restrict default 
>>> specified without -4 and -6 should apply to both.
>> Ok, thank you. Is that the case for older versions of ntpd, too? 
>> There's obviously a bit of cargo cult going on here, I appreciate the 
>> help getting to an actual best practices recommendation. :-/ For 
>> Martin's comment about kod and limited:
>> I'm not sure if 'limited' works on a reasonably busy NTP server 
>> (hundreds to a few thousand queries a second) and I don't think 
>> anyone has shown that KoD packets does something useful for a 
>> meaningful number of the "bad clients", so I should probably just 
>> take 'kod' out.
> Works with typical bad clients but most ignore KoD packets anyway so 
> just avoid the MRU list overhead and sending KoD - see 
> http://doc.ntp.org/current-stable/rate.html for how it works.
>>>> restrict source notrap nomodify noquery
> restrict source added with pool in 4.2.7p22 2010/04/02, docs updated 
> in 4.2.7p24 2010/04/13.
>>>> restrict 127.0.0.1
>>>> restrict -6 ::1
>>>>
>>>> pool 0.pool.ntp.org
> Add preempt to pool statements to drop unselected servers and acquire 
> new servers to maintain a majority clique - see below.
>>> How many servers should the client use at the same time? The default 
>>> value of tos maxclock is 10, so it would use 10 servers.
>>> That seems a bit excessive. If it should be equivalent to the 
>>> current recommendation, the config would need to include
>>> 	tos maxclock 4
> Keep it odd - tos maxclock 5 - for sync, majority clique requires 
> truechimers *>* falsetickers - truechimers == falsetickers is
> *unsynced* - 5 allows 2 servers "off" in some way at the same time 
> (e.g. during weekend maintenance windows when servers often drop out
> - YMMV) see http://doc.ntp.org/current-stable/select.html .
>>> Also, how about adding the iburst option? Considering that a 
>>> significant part of NTP traffic is from ntpdate (which sends four 
>>> packets in 2s interval) and that most Linux distributions seem to 
>>> use iburst in their default ntp.conf, I think it could be 
>>> recommended to everyone.
>> Hmm, I could get convinced of that.
> Also add iburst to pool statements.
> And only use minpoll and/or maxpoll on local ref clocks.

May also want to unrestrict all LAN addresses - safe for small home or business LANs, not for e.g. campus situations - or add but comment out? 

restrict    10.0.0.0 mask 255.0.0.0   # private net allow all packets
restrict  172.16.0.0 mask 255.240.0.0 # private net allow all packets restrict 192.168.0.0 mask 255.255.0.0 # private net allow all packets

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada _______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions



More information about the questions mailing list