On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
- Why do folks want to have one or more NTP server masters that have at least 1 refclock on them in a data center, instead of having their data center NTP server masters that only get time over the internet?
Answers to that include:

* Keeping the Auditors happy
* Knowing that “everyone does it” - the vendor told them so
* Bragging rights (expensive hardware)
* Being unbothered by fighting with facilities for building penetrations and antenna mounts
* Misunderstanding the beauty and economy of Dave Mills' marvelous algorithms for consistent time based on multiple sources, even those connected via internet
* Unwillingness or inability to leverage other local resources' capacity to run ntpd with minimal impact in order to have a good constellation of local NTP servers
* Willingness to farm out time service without doing a deep dive into why and how, just leaving the design to the appliance vendors

This covers most of what I have encountered in providing enterprise time services for $dayjob+clients. I probably left out some significant points, but it has been a few years...
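The "consistent time based on multiple sources" that James credits to Dave Mills is NTP's selection (intersection) algorithm from RFC 5905: each source's offset plus its root distance defines an interval in which the true time must lie, and only sources whose intervals overlap with a majority survive. The following is an added, simplified Python illustration, not code from the thread or from ntpd; the source names, offsets and distances are constructed sample values.

```python
from dataclasses import dataclass
@dataclass
class Source:
    name: str
    offset: float  # measured offset of our clock against this server, seconds
    dist: float    # root distance: the server's own error bound, seconds

def intersection(sources):
    """Simplified NTP selection (intersection) algorithm, RFC 5905 section 11.2.1.
    Each source claims the true offset lies in [offset - dist, offset + dist].
    Find the point covered by the most intervals; if that is a majority, the
    sources covering it are truechimers and the rest are falsetickers."""
    edges = []
    for s in sources:
        edges.append((s.offset - s.dist, -1, s.name))  # interval opens
        edges.append((s.offset + s.dist, +1, s.name))  # interval closes
    edges.sort(key=lambda e: (e[0], e[1]))  # opening edge sorts before a closing one at the same point
    best, depth, low, high = 0, 0, None, None
    for i, (edge, kind, _) in enumerate(edges[:-1]):
        depth -= kind  # opening edge adds an overlapping interval, closing edge removes one
        if depth > best:
            best, low, high = depth, edge, edges[i + 1][0]
    if best * 2 <= len(sources):
        return [], list(sources), None  # no majority agrees, so nothing is trusted
    true = [s for s in sources if s.offset - s.dist <= high and s.offset + s.dist >= low]
    names = {s.name for s in true}
    return true, [s for s in sources if s.name not in names], (low, high)

def combine(truechimers):
    """Weighted offset estimate; weighting by 1/dist mirrors RFC 5905's clock_combine."""
    weights = [1.0 / s.dist for s in truechimers]
    return sum(w * s.offset for w, s in zip(weights, truechimers)) / sum(weights)

# Constructed sample: a local refclock, two internet servers, and one source that
# is 30 s off (a broken, tampered, or spoofed server seen through the firewall).
SAMPLE = [
    Source("gps-refclock", 0.0002, 0.001),
    Source("internet-a", 0.003, 0.008),
    Source("internet-b", -0.004, 0.010),
    Source("rogue", 30.0, 0.005),
]

def select(sources=SAMPLE):
    true, false, window = intersection(sources)
    return ([s.name for s in true], [s.name for s in false], window,
            combine(true) if true else None)

if __name__ == "__main__":
    print(select())
```

With only two sources that disagree there is no majority and the function trusts nobody, which is why a constellation of several independent servers matters more than any single expensive one.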
Harlan and Mehmet,

I can expand on one important reason that James only alluded to with his “Keeping the Auditors happy” comment.

Passing NTP through a firewall and then using that as a critical time reference source represents a huge security risk. Here’s one detailed explanation of that risk:

https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-service...

-mel

On May 1, 2019, at 3:48 PM, James R Cutler <james.cutler@consultant.com> wrote:
On 5/1/19 4:28 PM, Mel Beckman wrote:
Harlan and Mehmet,
I can expand on one important reason that James only alluded to with his “Keeping the Auditors happy” comment.
Passing NTP through a firewall and then using that as a critical time reference source represents a huge security risk. Here’s one detailed explanation of that risk:
https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-service...
I have some significant disagreements with some of the assumptions and positions in that posting, for whatever that's worth. And there are some good points in there, too.

H
-mel
On May 1, 2019, at 3:48 PM, James R Cutler <james.cutler@consultant.com> wrote:

On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
- Why do folks want to have one or more NTP server masters that have at least 1 refclock on them in a data center, instead of having their data center NTP server masters that only get time over the internet?
Answers to that include:
* Keeping the Auditors happy
* Knowing that “everyone does it” - the vendor told them so
* Bragging rights (expensive hardware)
* Being unbothered by fighting with facilities for building penetrations and antenna mounts
* Misunderstanding the beauty and economy of Dave Mills' marvelous algorithms for consistent time based on multiple sources, even those connected via internet
* Unwillingness or inability to leverage other local resources' capacity to run ntpd with minimal impact in order to have a good constellation of local NTP servers
* Willingness to farm out time service without doing a deep dive into why and how, just leaving the design to the appliance vendors
This covers most of what I have encountered in providing enterprise time services for $dayjob+clients. I probably left out some significant points, but it has been a few years...
--
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!