On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
- Why do folks want to have one or more NTP server masters that have at least 1 refclock on them in a data center, instead of having their data center NTP server masters that only get time over the internet?
I had that discussion before with the QSA for a compliance audit, pointing to requirement "10.4.3 Time settings are received from industry-accepted time sources" and "verify that the time server(s) accept time updates from specific, industry-accepted external sources (to prevent a malicious individual from changing the clock)" in the PCI-DSS document. He non-jokingly suggested "why don't you use pool.ntp.org?", not really realizing how many servers are in fact just someone's PC behind a cable modem in their home, which negated the "do I trust the time I am receiving?". My immediate answer was "we could use NIST servers", but the easiest way out of this is "we operate our own NTP appliance with a GPS receiver" and provide that as evidence. Don't get me wrong, I support pool.ntp.org by operating and contributing servers to it, but it is not deemed good enough if you need traceability of your NTP time source(s), even though the pool will only admit members above a certain quality threshold.
- What % of data center operators provide time servers in their data centers for their tenants (or for the general public)?
My $employer does that in our datacenters and points of presence for our customers. -andreas -- Andreas Ott K6OTT +1.408.431.8727 andreas@naund.org