How do you define best? What's your purpose? What are your constraints? What have you already looked up? And will NTP be sufficient, or will you need higher precision? Which reference clocks do you have? Is it for one site or multi-site? Which operating systems in which version are you using on your infrastructure and for main users? There is no best way. There might be a most appropriate way. If you look up Microsoft's NTP documentation, it's good and incomplete.
You'll find complementary info on the Internet, partially based on info from the Microsoft team in charge of time implementation, partially based on expert knowledge of network time standards. Of course, there also exists much less trustworthy info on the Internet.
If you have high-precision time needs, then NTP is no longer recommended for those usages. But you may have a dual time configuration, one for high-precision needs and NTP for the remainder. However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only.
The time kept on a machine is a critical resource, and it is strongly recommended that you use the security features of NTP to avoid the accidental or malicious setting of incorrect time. The two security features available are an access-list-based restriction scheme and an encrypted authentication mechanism. If a release supports the ntp refclock command, it is possible to connect a radio or atomic clock. If the network cannot use the public time servers on the Internet because it is isolated from the Internet, Cisco's implementation of NTP allows a machine to be configured so that it acts as though it is synchronized through NTP, when in fact it has determined the time using other means.
Other machines then synchronize to that machine through NTP. Each client in the synchronization subnet, which may also be a server for higher stratum clients, chooses one of the available servers to synchronize to. This is usually from among the lowest stratum servers it has access to.
However, this is not always an optimal configuration, because NTP also operates under the premise that each server's time should be viewed with a certain amount of distrust. NTP prefers to have access to several sources of lower stratum time (at least three), since it can then apply an agreement algorithm to detect insanity on the part of any one of them. Normally, when all servers are in agreement, NTP chooses the best server in terms of lowest stratum, closest in terms of network delay, and claimed precision.
The implication is that, while one should aim to provide each client with three or more sources of lower stratum time, several of these will only be providing backup service and may be of lesser quality in terms of network delay and stratum. For example, a same-stratum peer that receives time from lower stratum sources the local server doesn't access directly can also provide good backup service.
NTP generally prefers lower stratum servers to higher stratum servers unless the lower stratum server's time is significantly different. The algorithm is able to detect when a time source is likely to be extremely inaccurate, or insane, and to prevent synchronization in these cases, even if the inaccurate clock is at a lower stratum level.
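The agreement algorithm the preceding paragraphs describe is the intersection (selection) algorithm of RFC 5905 section 11.2.1: every source asserts that the true offset lies within an interval centred on its measured offset and as wide as its root distance, and the algorithm looks for the largest set of intervals a majority of sources agree on, discarding the rest as falsetickers. The following is an added example, not Cisco's or ntpd's code; the source names, offsets and distances are constructed (in milliseconds, so the arithmetic is exact), and the midpoint handling of the RFC procedure is simplified to "a source survives if its measured offset lies inside the agreed interval".

```python
"""Falseticker detection with a simplified NTP intersection algorithm (RFC 5905, 11.2.1).
Added example with constructed data; not Cisco's or ntpd's implementation."""


def select_truechimers(sources):
    """sources: list of (name, offset, root_distance), all in the same unit (ms here).

    Each source claims the true offset lies in [offset - dist, offset + dist].
    Returns (low, high, survivors, falsetickers): the interval the largest
    majority agrees on, the sources whose offset lies inside it, and the rest.
    If no majority agrees on any interval, nothing survives.
    """
    n = len(sources)
    edges = []
    for name, offset, dist in sources:
        edges.append((offset - dist, -1, name))   # lower endpoint
        edges.append((offset + dist, +1, name))   # upper endpoint
    ascending = sorted(edges)
    descending = sorted(edges, reverse=True)

    # 'allow' is the number of falsetickers tolerated; it must stay a minority.
    for allow in range(n):
        if 2 * allow >= n:
            break
        low = high = None
        chime = 0
        for point, kind, _ in ascending:      # sweep up: find where n-allow intervals overlap
            chime -= kind
            if chime >= n - allow:
                low = point
                break
        chime = 0
        for point, kind, _ in descending:     # sweep down: find the upper edge of that overlap
            chime += kind
            if chime >= n - allow:
                high = point
                break
        if low is not None and high is not None and low <= high:
            survivors = [name for name, offset, _ in sources if low <= offset <= high]
            falsetickers = [name for name, _, _ in sources if name not in survivors]
            return low, high, survivors, falsetickers
    return None, None, [], [name for name, _, _ in sources]


# Constructed measurements: three honest sources a few ms apart and one source
# three seconds off (a misconfigured or spoofed server). Units: milliseconds.
SAMPLE_SOURCES = [
    ("ntp-a", 10, 20),
    ("ntp-b", 15, 10),
    ("ntp-c", 5, 15),
    ("ntp-d", 3000, 10),
]


def sample_result():
    return select_truechimers(SAMPLE_SOURCES)


if __name__ == "__main__":
    low, high, good, bad = sample_result()
    print(f"agreed interval [{low}, {high}] ms; truechimers {good}; falsetickers {bad}")
```

With three agreeing sources the outlier is rejected even though it claims a very small root distance; with only two sources no majority can be formed against a disagreeing third, which is why the text asks for at least three sources per client.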
NTP will never synchronize a device to a server that is not itself synchronized. Implementations should include sanity timeouts which prevent trap transmissions if the monitoring program does not renew this information after a lengthy interval.
Additional sanity checks are included for authentication, range bounds, and to avoid use of very old data; these provide protection against malfunctions or protocol attacks. Checks have also been added to warn that the oscillator has gone too long without an update from a reference source. The following sections describe the association modes NTP servers use to associate with each other. Client/server mode operates in the classic remote-procedure-call (RPC) paradigm with stateless servers.
In this mode, a client sends a request to the server and expects a reply at some future time. In some contexts, this would be described as a poll operation, in that the client polls the time and authentication data from the server. A client is configured in client mode by using the server command and specifying the Domain Name System (DNS) name or address of the server.
The server requires no prior configuration. The server interchanges addresses and ports, overwrites certain fields in the message, recalculates the checksum, and returns the message immediately.
Information included in the NTP message allows the client to determine the server time with respect to local time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliability, as well as select the best server. This provides protection against malfunctions in which one or more servers fail to operate or provide incorrect time. The NTP algorithms are engineered to resist attacks when some fraction of the configured synchronization sources accidentally or purposely provide incorrect time.
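The client/server exchange just described, together with the authentication mechanism recommended earlier on this page, as an added example that is not Cisco's or any NTP implementation's code: it packs and parses the 48-byte NTP header, computes the client's offset and round-trip delay from the four on-wire timestamps (T1 client transmit, T2 server receive, T3 server transmit, T4 client receive) with the RFC 5905 formulas, and appends and checks the symmetric-key authenticator (key ID plus MD5 over key and header). The exchange is simulated in-process with constructed timestamps and a constructed key table; nothing is sent on the network.

```python
"""NTP v4 client/server exchange: header packing, four-timestamp offset/delay
computation, and the RFC 5905 symmetric-key MD5 authenticator.
Added example with constructed data; not Cisco's or any NTP daemon's code."""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800      # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = "!BBbbIIIQQQQ"          # 48-byte NTP header, big-endian
MODE_CLIENT, MODE_SERVER = 3, 4


def ntp_ts(unix_seconds: int, fraction: float = 0.0) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | round(fraction * (1 << 32))


def ts_diff(a: int, b: int) -> float:
    """a - b in seconds, done on the fixed-point values to avoid float rounding."""
    return (a - b) / (1 << 32)


def build_header(mode, stratum=0, origin=0, receive=0, transmit=0, version=4):
    """Pack a header; LI=0, poll 2**6 s, precision 2**-20 s and refid 0 are constructed defaults."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack(HEADER_FMT, first, stratum, 6, -20, 0, 0, 0, 0, origin, receive, transmit)


def parse_header(pkt: bytes) -> dict:
    first, stratum, _poll, _prec, _rdelay, _rdisp, _refid, _ref, org, rec, xmt = struct.unpack(HEADER_FMT, pkt[:48])
    return {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "origin": org, "receive": rec, "transmit": xmt}


def sign(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key authenticator: 4-byte key ID + MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(pkt: bytes, keys: dict) -> bool:
    """Accept only packets carrying a valid authenticator for a trusted key ID."""
    if len(pkt) != 48 + 4 + 16:
        return False                      # unsigned or malformed: reject
    header, digest = pkt[:48], pkt[52:]
    key = keys.get(struct.unpack("!I", pkt[48:52])[0])
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), digest)


def client_offset_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire formulas."""
    offset = (ts_diff(t2, t1) + ts_diff(t3, t4)) / 2
    delay = ts_diff(t4, t1) - ts_diff(t3, t2)
    return offset, delay


def simulate_exchange(keys, key_id):
    """Constructed scenario: client clock 0.25 s slow, 10 ms one-way latency, 1 ms server processing.
    The server clock is taken as true time."""
    base = 1_700_000_000
    t1 = ntp_ts(base, 0.000)                                  # client transmit (client clock)
    request = sign(build_header(MODE_CLIENT, transmit=t1), key_id, keys[key_id])
    if not verify(request, keys):                             # server-side check
        raise ValueError("request failed authentication")
    req = parse_header(request)
    t2 = ntp_ts(base, 0.260)                                  # server receive
    t3 = ntp_ts(base, 0.261)                                  # server transmit
    reply = sign(build_header(MODE_SERVER, stratum=2, origin=req["transmit"],
                              receive=t2, transmit=t3), key_id, keys[key_id])
    t4 = ntp_ts(base, 0.021)                                  # client receive (client clock)
    if not verify(reply, keys):                               # client-side check
        raise ValueError("reply failed authentication")
    rep = parse_header(reply)
    if rep["origin"] != t1:                                   # reply must echo our T1
        raise ValueError("origin timestamp mismatch")
    return client_offset_delay(t1, rep["receive"], rep["transmit"], t4)


if __name__ == "__main__":
    off, dly = simulate_exchange({1: b"constructed-secret"}, 1)
    print(f"offset {off:+.6f} s, delay {dly:.6f} s")
```

The origin-timestamp check is what lets a client discard replies it never asked for, and the constant-time digest comparison avoids leaking the authenticator through timing. The keyed-MD5 scheme shown is the legacy RFC 5905 one; RFC 8573 recommends AES-CMAC in its place, and the access-list restriction mentioned above remains the first line of defence regardless of the digest used.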
In these cases, a special voting procedure is used to identify spurious sources and discard their data. Configuring an association in client mode, usually indicated by a server declaration in the configuration file, indicates that one wishes to obtain time from the remote server, but that one is not willing to provide time to the remote server. In the symmetric modes, each peer operates with one or more primary reference sources, such as a radio clock, or a subset of reliable secondary servers. Should one of the peers lose all reference sources or simply cease operation, the other peers automatically reconfigure so that time values can flow from the surviving peers to all the others in the clique.
In some contexts this is described as a push-pull operation, in that the peer either pulls or pushes the time and values depending on the particular configuration.
Configuring an association in symmetric-active mode, usually indicated by a peer declaration in the configuration file, indicates to the remote server that one wishes to obtain time from the remote server and that one is also willing to supply time to the remote server if necessary.
This mode is appropriate in configurations involving a number of redundant time servers interconnected through diverse network paths, which is presently the case for most stratum 1 and stratum 2 servers on the Internet. Symmetric modes are most often used between two or more servers operating as a mutually redundant group. In these modes, the group members arrange the synchronization paths for maximum performance, depending on network jitter and propagation delay.
If one or more of the group members fail, the remaining members automatically reconfigure as required. A peer is configured in symmetric active mode by using the peer command and specifying the DNS name or address of the other peer. The other peer is also configured in symmetric active mode in this way. Note: If the other peer is not specifically configured in this way, a symmetric passive association is activated upon arrival of a symmetric active message. Since an intruder can impersonate a symmetric active peer and inject false time values, symmetric mode should always be authenticated.
Normally, the symmetric modes are not used by servers with dependent clients. Broadcast mode, by contrast, has the advantage that clients do not need to be configured for a specific server, allowing all operating clients to use the same configuration file. Broadcast mode requires a broadcast server on the same subnet.
Since broadcast messages are not propagated by routers, only broadcast servers on the same subnet are used. Broadcast mode is intended for configurations involving one or a few servers and a potentially large client population. A broadcast server is configured using the broadcast command and a local subnet address. A broadcast client is configured using the broadcastclient command, allowing the broadcast client to respond to broadcast messages received on any interface.
Since an intruder can impersonate a broadcast server and inject false time values, this mode should always be authenticated. There are options for adding and deleting leap seconds. There are two constraints for this to occur: the command is accepted only within the month before the leap is to happen, and it will not set a leap if the current time is more than one month before the occurrence of the leap.
In a flat peer structure, all the routers peer with each other, with a few geographically separate routers configured to point to external systems. The convergence of time becomes longer with each new member of the NTP mesh. In a hierarchical structure, the routing hierarchy is copied for the NTP hierarchy.
These relationships are called hierarchy scales. A hierarchical structure is the preferred technique because it provides consistency, stability, and scalability. In a star structure, the dedicated time servers are the center of the star and are usually UNIX systems synchronized with external time sources or their own GPS receiver. Normally, client workstations and servers with a relatively small number of clients do not synchronize to primary servers. Approximately public secondary servers are synchronized to the primary servers, providing synchronization to a total in excess of , clients and servers on the Internet.
There are also numerous private primary and secondary servers not normally available to the public. In certain cases, where highly accurate time services are required on the private enterprise, such as one-way metrics for Voice over IP (VoIP) measurements, network designers may choose to deploy private external time sources. The diagram below shows a comparative graph of the relative accuracy of the current technologies. Until recently, the use of external time sources has not been widely deployed in enterprise networks due to the high cost of quality external time sources.
Ideally, NTP servers would be located in three geographically disparate locations. This group of primary masters would be the source of time for the enterprise.
They would be considered hidden masters because they would only provide services to the secondary stratum servers. This configuration would allow those servers to provide time to collocated secondary masters that are actually providing services to an organization. The primary masters remain hidden and are only accessed by the NTP infrastructure that provides services elsewhere.
That supply chain should allow you to provide accurate time across your organization and have multiple sources corroborating an accurate time source. Locations that have more devices needing to have their time synchronized can add additional Stratum 2 or Stratum 3 servers and have them rely on the secondary masters as well as each other to further distribute the load on a system and providing services to a larger group of NTP clients.
By setting up an internal NTP service on the latest stable code revision and standardizing its use, time-based network attacks become less viable and processes that depend on time become harder to co-opt. Identifying the order of events in a compromise also becomes easier, because the times in the logs can now serve as systems of record.
For law enforcement and other investigative agencies, accurate NTP services can be very constructive in evaluating evidence and sequencing a chain of events. As attacks become more sophisticated, our team of network analysts at CERT increasingly finds Internet-facing services that aren't well deployed within a network. As Mark Langston wrote in his recent post on DNS Best Practices, many of these services make up the foundation for the security and operation of internal and external network applications.
This is the latest in a series of blog posts offering best practices on these foundational structures to help government agencies and other enterprises address hidden sources of vulnerabilities within their networks.
A man with two watches is never sure. If you do decide to configure your own, please consider the following best practices: Standardize to UTC time. Within an enterprise, standardize all systems to Coordinated Universal Time (UTC).
Standardizing to UTC simplifies log correlation within the organization and with external parties no matter what time zone the device being synchronized is located in.