On 5/1/19 2:59 PM, Andreas Ott wrote:
> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
>> - Why do folks want to have one or more NTP server masters that have at least 1 refclock on them in a data center, instead of having their data center NTP server masters that only get time over the internet?
> I had that discussion before with the QSA for a compliance audit, pointing to requirement "10.4.3 Time settings are received from industry-accepted time sources" and "verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock)" in the PCI-DSS document. He non-jokingly suggested "why don't you use pool.ntp.org?", not really realizing how many servers are in fact just someone's PC behind a cable modem in their home, which negated the "do I trust the time I am receiving?". My immediate answer was "we could use NIST servers", but the easiest way out of this is "we operate our own NTP appliance with a GPS receiver" and provide that as evidence.
> Don't get me wrong, I support pool.ntp.org by operating and contributing servers to it, but it is not deemed good enough if you need traceability of your NTP time source(s), even though the pool will only admit members above a certain quality threshold.
I have no immediate agenda here. My sole purpose is to get information about this, as I mostly work with people who a) believe accurate time is important, and b) at least have an appreciation for how unexpectedly difficult it is to synchronize time in a predictable and stable way across a large population of systems in a diverse set of environments. In my experience, people who don't fall into either of those categories are pretty well invested in their opinions.
>> - What % of data center operators provide time servers in their data centers for their tenants (or for the general public)?
> My $employer does that in our datacenters and points of presence for our customers.
Glad to hear it!
> -andreas

--
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!
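The PCI-DSS point raised in the quoted reply ("accept time updates from specific, industry-accepted external sources") is something an auditor will want evidence for on the hosts, not just on the appliance. The script below is an added example, written for this thread and not code from either poster or from the NTP project: it parses `ntpq -pn` style output and audits it against an allow-list of approved sources. The allow-list, the `192.0.2.10`/`203.0.113.7` addresses and the sample `ntpq` output are constructed for illustration (documentation ranges, not real servers); `127.127.20.0` is the standard pseudo-address ntpd uses for unit 0 of its NMEA GPS refclock driver (driver type 20), which is the kind of "own appliance with a GPS receiver" source the reply describes.

```python
"""Audit ntpq -pn output against an allow-list of approved time sources.

Added example for this thread, not code from the original posters or from
the NTP project. The addresses and the sample ntpq output are constructed.
"""
from dataclasses import dataclass

# Hypothetical allow-list (assumption, adjust to your environment):
# the local NMEA GPS refclock (ntpd driver 20, unit 0) and one stratum-1
# server that is itself GPS-disciplined.
APPROVED_SOURCES = {"127.127.20.0", "192.0.2.10"}

# ntpq tally column: '*' = selected system peer, '+' = survivor/candidate,
# ' ' = rejected or unreachable, the rest are outlier/falseticker codes.
TALLY_CODES = "* +-#x.o"


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int  # reachability register, 0o377 = last 8 polls answered


def parse_ntpq(text: str) -> list[Peer]:
    """Parse the peer table printed by `ntpq -pn` (numeric, so no truncated hostnames)."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith(("     remote", "=")):
            continue  # column header and separator line
        tally, body = line[0], line[1:]
        fields = body.split()  # remote refid st t when poll reach delay offset jitter
        if tally not in TALLY_CODES or len(fields) < 7:
            continue
        peers.append(Peer(tally, fields[0], fields[1], int(fields[2]), int(fields[6], 8)))
    return peers


def audit(peers: list[Peer], approved=APPROVED_SOURCES, max_stratum: int = 1) -> dict:
    """Return the selected system peer and a list of findings (empty == compliant)."""
    findings = []
    sys_peer = next((p for p in peers if p.tally == "*"), None)
    if sys_peer is None:
        findings.append("no system peer selected: clock is free-running")
    else:
        if sys_peer.remote not in approved:
            findings.append(f"system peer {sys_peer.remote} is not an approved source")
        if sys_peer.stratum > max_stratum:
            findings.append(f"system peer stratum {sys_peer.stratum} exceeds {max_stratum}")
        if sys_peer.reach != 0o377:
            findings.append(f"system peer reach {sys_peer.reach:o}, expected 377")
    for p in peers:
        if p is sys_peer:
            continue
        if p.remote not in approved:
            findings.append(f"unapproved source configured: {p.remote} (tally {p.tally!r})")
        elif p.reach == 0:
            findings.append(f"approved source {p.remote} unreachable (reach 0)")
    return {"system_peer": sys_peer.remote if sys_peer else None, "findings": findings}


# Constructed sample output: GPS refclock selected, GPS-backed server as survivor.
GOOD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.20.0    .GPS.            0 l   10   16  377    0.000    0.001   0.002
+192.0.2.10      .GPS.            1 u   45   64  377    0.412    0.035   0.014
"""

# Constructed sample output: GPS has no fix, host is following an unapproved
# stratum-2 internet server instead.
BAD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.7     198.51.100.1     2 u   60   64  377   12.345   -1.234   0.567
 127.127.20.0    .GPS.            0 l    -   16    0    0.000    0.000   0.000
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit(parse_ntpq(sample)))
```

Run it against live output with `ntpq -pn | python3 -c 'import sys,ntpaudit; print(ntpaudit.audit(ntpaudit.parse_ntpq(sys.stdin.read())))'` (module name assumed). A non-empty `findings` list is the thing to alert on; the `reach` check matters because a GPS refclock that has lost its fix silently drops out of selection and the daemon falls back to whatever else is configured.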