On Mon, 12 Apr 2010 07:09:12 -0700 todd glassey <tglassey@earthlink.net> wrote:
Alex, there are many email systems out there - but make sure that whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP since this is how the GW is going to be able to put time-marks on receipts which must have legal authority.
Hi Todd, I think this is the first I've heard that only authenticated NTP (and maybe even NTPv4?) is sufficient for legal authority. Can you say a bit more about this? Perhaps, what sorts of issues you've run into or seen when this is not implemented?
So that means any appliance system provider must have at least NTPv4 tested with both Autokey and symmetric-key and the new interface-specific ACLs in the 4.2.6 versions of NTP. Further, the issues of the ECC/Parity memory become important here because time is moved over UDP and is subject to single-bit errors all over the place.
Authentication support for SNTP does exist in the protocol and I've seen documentation where some gear supports it, though I suspect it's very rarely used in practice. And 4.2.6p1 was released 3 days ago and 4.2.6 in December. Might be a tall order if you want it now. :-)

I haven't worked out the math, but I would have thought the UDP checksum, coupled with a rigorous implementation (e.g. validates the originate and transmit timestamps) and the various robustness mechanisms built into the protocol should limit the effect of single-bit errors significantly. I'd be interested in hearing or reading about experience that says otherwise.

Nevertheless there are no doubt incorrect clocks all over the place. As a simple example, for the open NTP servers we know about, here is the top five most popular stratums by percent:

  stratum    %
     3      43
     4      18
     2      16
    16      14
     5       5

The overall accuracy of all those stratum 16 clocks is likely going to be poor.

John
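
The question of how far the UDP checksum and originate-timestamp validation limit single-bit errors can be tried out directly; the following is an added example, not part of the original thread. It flips every bit of a constructed 48-byte NTP reply once and tallies what client-side sanity checks catch with and without a checksum. The names `check_reply` and `flip_survey`, the sample timestamps, and the payload-only checksum (no UDP pseudo-header) are assumptions made for illustration.

```python
import struct

# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, ref id,
# then the reference, originate, receive and transmit timestamps (64-bit each).
NTP_FMT = "!BBbb3I4Q"

def inet_checksum(data: bytes) -> int:
    """16-bit ones'-complement sum as UDP uses (payload only, a simplification)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_reply(packet: bytes, sent_xmt: int) -> str:
    """Client-side sanity checks; returns 'ok' or the reason for discarding."""
    if len(packet) < 48:
        return "short packet"
    lvm, stratum, *_, org, rec, xmt = struct.unpack(NTP_FMT, packet[:48])
    if (lvm & 0x7) != 4:                       # mode 4 = server
        return "not a server reply"
    if (lvm >> 6) == 3 or not 1 <= stratum <= 15:
        return "unsynchronized or bad stratum"
    if org != sent_xmt:                        # must echo our transmit timestamp
        return "originate mismatch"
    if rec == 0 or xmt == 0:
        return "zero timestamp"
    return "ok"

def flip_survey(packet: bytes, sent_xmt: int, use_checksum: bool) -> dict:
    """Flip every bit of the reply once and tally the verdicts."""
    good_sum = inet_checksum(packet)
    tally = {}
    for bit in range(len(packet) * 8):
        damaged = bytearray(packet)
        damaged[bit // 8] ^= 0x80 >> (bit % 8)
        if use_checksum and inet_checksum(bytes(damaged)) != good_sum:
            verdict = "checksum mismatch"
        else:
            verdict = check_reply(bytes(damaged), sent_xmt)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally

# Constructed sample: a client transmit timestamp and a stratum-2 reply echoing it.
SENT_XMT = 0xCF6D8A1812345678
REPLY = struct.pack(NTP_FMT, 0x24, 2, 6, -20, 0x0100, 0x0200, 0xC0000201,
                    0xCF6D8A00AAAAAAAA, SENT_XMT,
                    0xCF6D8A18BBBBBBBB, 0xCF6D8A18CCCCCCCC)

if __name__ == "__main__":
    print(flip_survey(REPLY, SENT_XMT, use_checksum=False))
    print(flip_survey(REPLY, SENT_XMT, use_checksum=True))
```

Without the checksum, the sanity checks reject only flips in the mode, stratum and originate fields, so a damaged receive or transmit timestamp passes; with the checksum, every single-bit flip in this sample is rejected before the checks run.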