[ntp:questions] Reliable SNTP server for commercial use
Brad Knowles
brad at stop.mail-abuse.org
Sat Nov 20 01:12:46 UTC 2004
At 9:35 AM -0800 2004-11-19, Karapetkov, Stefan H wrote:
> The SIP telephones support Simple Network Time Protocol and
> provide options to configure an IP address or DNS name of the SNTP server as
> well as time offset. Based on this configuration, the SIP telephone will
> contact the time server periodically and synchronize its internal Date and
> Time which is displayed in idle state.
In this kind of environment, one thing I'd want to be very
careful of is making sure that all the NTP servers for the SNTP
clients have very good time sync between them (consistency between
the servers is more important than getting absolute best accuracy for
only some servers and having others that are way out of whack), and
making sure that you've got a good number of servers behind each time
server name published in the DNS.
This isn't NTPv3 or NTPv4, so there are a lot of issues that
would normally affect NTP operations that won't be of concern. But
there are some implementation details that will be important to good
long-term operations.
> The time server should preferably send GMT time and the SIP
> phone user will be able to set the time offset.
NTP always works exclusively in UTC, and leaves timezone
representation up to the applications responsible for displaying the
information to the user.
> Any suggestions will be appreciated.
I think that consistency is going to end up being your most
important long-term operational issue. So, you're going to want
someone who can sell you a hundred or a thousand (or however many)
guaranteed identical boxes.
> Since the time server is on the Internet while the SIP
> telephones can be installed in enterprise networks, please comment on the
> SNTP ability to traverse firewalls.
I think that's going to be an issue. Port 123 will need to be
open on the firewalls going out, and the firewalls will need to be
configured to allow replies to outgoing packets to come back through
on the appropriate ports.
Ideally, the time servers for the SNTP clients would actually be
located inside their network, and the time servers themselves would
then be able to talk to other time servers outside the network.
Having all this SNTP traffic cross the firewall is likely to be a
scalability issue, as well as a performance and reliability issue
(especially with noisy networks and networks otherwise suffering from
bottlenecks that could cause collisions or drops of the UDP query or
response packets). It might also be considered a security issue,
since SNTP is subject to trivial man-in-the-middle attacks (among
other things).
You really, really want to put your time servers inside the
networks and keep all that traffic local, and then be able to have
more robust/secure time server traffic between those boxes and their
upstream servers. If you're concerned about this traffic being able
to cross the firewall, then set those machines up with Stratum 1
refclocks (GPS, DCF77, or whatever) so that they don't need to cross
the firewall. Of course, in that case you'd want to set up a few
extra boxes inside the network for redundancy/reliability/accuracy
purposes and have them all peer together.
I think you want to go back and take another look at your network
and application design on this issue, and try to make sure that you
fully understand what it is that you truly need and where that will
go, before you try to start buying hardware for undefined
requirements.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
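As an added example (not code from the original post, and not the SIP phone vendor's or the NTP project's implementation), the client-side SNTP exchange the thread is talking about, written out in Python against RFC 4330: building the 48-byte Mode 3 request, validating the Mode 4 reply (originate-timestamp match, LI=3 "unsynchronized", stratum 0 kiss-o'-death), and computing offset and delay in UTC from the four timestamps. The server reply, the timestamps and the server names are all constructed here so the block runs offline; the consistent_servers() helper and its 0.5-second tolerance are an assumption added to illustrate the post's point that agreement between servers matters more than one server's absolute accuracy. Note what is absent: nothing in the packet authenticates the server, which is the man-in-the-middle problem the post mentions.

```python
"""Minimal SNTP (RFC 4330) exchange, both sides, with the reply sanity checks.
Added example, not code from the original post. Runs fully offline."""
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01 (UTC)
PACKET_LEN = 48                 # fixed SNTP header; no extension fields, no MAC


def to_ntp(unix_ts):
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp(ntp_ts):
    """64-bit NTP timestamp -> Unix seconds (float), still UTC."""
    return ((ntp_ts >> 32) - NTP_EPOCH_OFFSET) + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1_unix):
    """Client request: LI=0, VN=4, Mode=3; the client's send time T1 goes in Transmit."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    struct.pack_into("!Q", pkt, 40, to_ntp(t1_unix))
    return bytes(pkt)


def build_server_reply(request, t2_unix, t3_unix, stratum=2, li=0, ref_id=b"LOCL"):
    """Constructed server reply (Mode=4): copies the client's Transmit field into
    Originate and stamps Receive (T2) and Transmit (T3). A real server fills the
    same fields; this one exists only so the example runs without a network."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (li << 6) | (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = ref_id[:4].ljust(4, b"\0")      # stratum 0 replies carry a KoD code here
    pkt[24:32] = request[40:48]                  # Originate = client's T1, unchanged
    struct.pack_into("!Q", pkt, 32, to_ntp(t2_unix))
    struct.pack_into("!Q", pkt, 40, to_ntp(t3_unix))
    return bytes(pkt)


def parse_reply(data):
    """Pull the header bits and the three server-side timestamps out of a reply."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet")
    orig, recv, xmit = struct.unpack("!QQQ", data[24:48])
    return {
        "li": data[0] >> 6, "vn": (data[0] >> 3) & 7, "mode": data[0] & 7,
        "stratum": data[1], "ref_id": bytes(data[12:16]),
        "orig": orig, "recv": recv, "xmit": xmit,
    }


def validate_reply(reply, t1_unix):
    """RFC 4330 section 5 sanity checks. Returns None if usable, else a reason.
    None of this authenticates the server: plain SNTP has no MAC, so an on-path
    attacker who sees the request can forge a reply that passes every check."""
    if reply["mode"] != 4:
        return "not a server reply"
    if reply["orig"] != to_ntp(t1_unix):
        return "originate timestamp mismatch (not a reply to our request)"
    if reply["li"] == 3:
        return "server reports clock unsynchronized"
    if reply["stratum"] == 0:
        return "kiss-o'-death: " + reply["ref_id"].decode("ascii", "replace")
    if reply["xmit"] == 0:
        return "zero transmit timestamp"
    return None


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay in seconds; every input is UTC."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def exchange(t1, t2, t3, t4, **server_kw):
    """One full request/reply cycle with constructed timestamps (T4 = client receive)."""
    req = build_request(t1)
    reply = parse_reply(build_server_reply(req, t2, t3, **server_kw))
    problem = validate_reply(reply, t1)
    if problem:
        raise RuntimeError(problem)
    return offset_and_delay(t1, from_ntp(reply["recv"]), from_ntp(reply["xmit"]), t4)


def consistent_servers(offsets, tolerance=0.5):
    """Keep servers whose measured offset lies within `tolerance` s of the median.
    Assumed helper: one server that is 'way out of whack' is dropped rather than
    being allowed to pull phones away from the servers that agree."""
    if not offsets:
        return {}
    vals = sorted(offsets.values())
    n = len(vals)
    median = vals[n // 2] if n % 2 else (vals[n // 2 - 1] + vals[n // 2]) / 2.0
    return {name: off for name, off in offsets.items() if abs(off - median) <= tolerance}


if __name__ == "__main__":
    print("offset/delay:", exchange(1000.0, 1002.25, 1002.5, 1001.0))
    print("kept:", consistent_servers({"ntp1": 0.01, "ntp2": -0.02, "ntp3": 0.0, "ntp4": 12.0}))
```

The originate-timestamp check only proves the reply answers this request; it stops stray or replayed packets, not an attacker sitting on the path between the phone and the server, which is why the post wants the unauthenticated SNTP hop kept inside the local network and the external hop carried by full NTP between the internal servers and their upstreams.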