Re: NTP, possible solutions, and best implementation

Assuming one wanted to provide a high profile (say, at the TLD level) NTP service, how would you go about it ?
First of all, NTP should be done at the geographical level, not the TLD level. Generally, unless political reasons prevent it, you should try to implement an NTP service that covers a region roughly as large as Europe to avoid too much fate sharing caused by proximity.
The possibilities I encountered are diverse, the problem is not the back-end device (be it a GPS based NTP source + atomic clock backup, based on cesium or similar),
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF. If they all come from brand X manufacturer then that is the SPOF. A commercial service should be robust and use a combination of atomic clocks, GPS, radio time services, CDMA/GSM clocks combined with a sanity checker to watch all the clocks and detect bad timekeepers.
However, when you put such a device on a network, you want to have some kind of clue about the investment made in that product when security comes to mind,
Indeed. Hide this clock behind a packet filtering firewall or else use udprelay and an application layer gateway on UNIX to block everything except NTP. In fact, if this is a commercial service you should hack udprelay so that it knows about the NTP protocol and can block non-customer traffic or malformed traffic or high volumes of traffic. That way, the UNIX server/firewall in between the NTP device and the net protects it from abuse, but since this UNIX server is a pass-through device from the point of view of NTP, it does not change the stratum level of the service any more than an IP router does. --Michael Dillon
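The NTP-aware relay Michael describes above (drop non-customer, malformed and high-volume traffic before it reaches the clock) sketched as an added example; this is not code from the thread or from udprelay. It parses the 48-byte NTP header (RFC 5905 layout: leap indicator, version and mode packed into the first byte), forwards only client-mode requests with a plausible version number from configured customer prefixes, and rate-limits per source. The prefixes, the rate and the sample request are constructed for illustration.

```python
"""NTP-aware UDP filter: parse the NTP header, drop malformed or non-client
packets, restrict to customer prefixes, and rate-limit per source address.
Added example; the prefixes, limits and sample packet are constructed."""
import ipaddress
from collections import defaultdict

NTP_HEADER_LEN = 48   # bytes; RFC 5905 header without extension fields or MAC
MODE_CLIENT = 3       # mode 3 = client request; a server should not relay anything else


def parse_ntp_header(data: bytes):
    """Return (leap, version, mode, stratum) or None if the datagram is too short to be NTP."""
    if len(data) < NTP_HEADER_LEN:
        return None
    first = data[0]
    leap = first >> 6            # bits 0-1: leap indicator
    version = (first >> 3) & 0x7  # bits 2-4: version number
    mode = first & 0x7            # bits 5-7: association mode
    stratum = data[1]
    return leap, version, mode, stratum


class NtpFilter:
    def __init__(self, customer_prefixes, rate_per_window=8, window_seconds=60.0):
        self.networks = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.rate = rate_per_window
        self.window = window_seconds
        self.seen = defaultdict(list)  # source address -> request timestamps inside the window

    def _is_customer(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.networks)

    def _over_rate(self, src, now):
        """Sliding-window limiter: keep only timestamps newer than now - window."""
        cutoff = now - self.window
        self.seen[src] = hist = [t for t in self.seen[src] if t > cutoff]
        if len(hist) >= self.rate:
            return True
        hist.append(now)
        return False

    def decide(self, src, data, now):
        """Return 'forward' or a 'drop:<reason>' string for one datagram."""
        if not self._is_customer(src):
            return "drop:not-customer"
        hdr = parse_ntp_header(data)
        if hdr is None:
            return "drop:short"
        leap, version, mode, stratum = hdr
        if version not in (1, 2, 3, 4):
            return "drop:bad-version"
        if mode != MODE_CLIENT:
            return "drop:not-client-mode"
        if self._over_rate(src, now):
            return "drop:rate-limited"
        return "forward"


def make_client_request(version=4):
    """Constructed sample: a minimal NTP client request (LI=0, given version, mode 3)."""
    first = (0 << 6) | (version << 3) | MODE_CLIENT
    return bytes([first]) + b"\x00" * (NTP_HEADER_LEN - 1)


if __name__ == "__main__":
    f = NtpFilter(["192.0.2.0/24"], rate_per_window=3, window_seconds=10.0)
    for t in range(5):
        print(t, f.decide("192.0.2.10", make_client_request(), float(t)))
    print("outsider", f.decide("198.51.100.5", make_client_request(), 0.0))
```

Because the relay only inspects and forwards, it is transparent to the NTP stratum as Michael notes; the rate limit is per source address, so a customer behind a large NAT may need a higher allowance than the default used here.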

On Thu, 2 Oct 2003 Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF. If they all come fram brand X manufacturer then that is the SPOF. A commercial service should be robust and use a combination of atomic clocks, GPS, radio time services, CDMA/GSM clocks combined with a sanity checker to watch all the clocks and detect bad timekeepers.
Yes, this is definitely an issue, and thus the clocks are at least one cesium, and the other two are different vendors.
Indeed. Hide this clock behind a packet filtering firewall or else use udprelay and an application layer gateway on UNIX to block everything except NTP. In fact, if this is a commercial service you should hack udprelay so that it knows about the NTP protocol and can block non-customer traffic or malformed traffic or high volumes of traffic. That way, the UNIX
So what you are suggesting basically is to add an application layer sanity checker and DoS preventer, am I right ? --Ariel -- Ariel Biener e-mail: ariel@post.tau.ac.il PGP(6.5.8) public key http://www.tau.ac.il/~ariel/pgp.html
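The "sanity checker to watch all the clocks and detect bad timekeepers" from Michael's message, applied to the kind of setup Ariel describes (one cesium plus two GPS receivers from different vendors), as an added example that is not part of the thread. Each reference reports an offset and an error bound; Marzullo's algorithm, the basis of the intersection algorithm in the reference NTP implementation, finds the interval that the largest number of clocks agree on, and any clock whose interval does not overlap it is flagged as a falseticker. The clock names, offsets and the one-second fault are constructed.

```python
"""Clock sanity checker: find the offset interval the most reference clocks
agree on (Marzullo's algorithm) and flag the clocks that disagree.
Added example; the sample clocks and their offsets are constructed."""


def marzullo(intervals):
    """intervals: list of (lo, hi) pairs in one unit.
    Returns (lo, hi, count): the sub-interval contained in the largest number
    of input intervals, and how many contain it."""
    events = []
    for lo, hi in intervals:
        events.append((lo, -1))  # start; -1 sorts before +1 at a tie, so touching intervals overlap
        events.append((hi, +1))  # end
    events.sort()
    best, count, best_lo, best_hi = 0, 0, None, None
    for i, (x, kind) in enumerate(events):
        count -= kind  # +1 at a start, -1 at an end
        if count > best:
            best = count
            best_lo = x
            best_hi = events[i + 1][0]  # a start is always followed by at least its own end
    return best_lo, best_hi, best


def select_truechimers(clocks):
    """clocks: {name: (offset, error_bound)} in one unit (e.g. microseconds).
    Returns ((lo, hi), truechimers, falsetickers); raises ValueError when no
    strict majority of clocks agrees, since then no source can be trusted."""
    names = list(clocks)
    intervals = [(off - err, off + err) for off, err in clocks.values()]
    lo, hi, count = marzullo(intervals)
    if count * 2 <= len(names):
        raise ValueError("no majority of clocks agree on an interval")
    truechimers, falsetickers = [], []
    for name, (ilo, ihi) in zip(names, intervals):
        disagrees = ihi < lo or ilo > hi
        (falsetickers if disagrees else truechimers).append(name)
    return (lo, hi), truechimers, falsetickers


# Constructed sample, in microseconds: a cesium reference, two GPS receivers
# from different vendors, and a third receiver a full second off (a firmware
# fault of the kind a single-vendor fleet would share).
SAMPLE = {
    "cesium": (0, 500),
    "gps-vendor-a": (200, 1000),
    "gps-vendor-b": (100, 1000),
    "gps-vendor-c": (1_000_000, 1000),
}

if __name__ == "__main__":
    agreed, good, bad = select_truechimers(SAMPLE)
    print("agreed interval (us):", agreed)
    print("truechimers:", good)
    print("falsetickers:", bad)
```

With only two sources the majority test fails by design: a checker cannot tell which of two disagreeing clocks is wrong, which is the practical reason for the three-clock minimum Ariel mentions.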

Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF.
Can you describe what would be involved to cause this sort of single point of failure to fail? Eliot

On Thu, 2 Oct 2003, Eliot Lear wrote:
Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF.
Can you describe what would be involved to cause this sort of single point of failure to fail? Eliot
- Antenna failure
- Radio failure
- Unforeseen GPS protocol issues, see: http://www.colorado.edu/geography/gcraft/notes/gps/gpseow.htm http://www.sustainableworld.com/y2kgps/gpseng/
The basic idea is that putting all your eggs in one basket is rarely a good plan. --mghali@snark.net------------------------------------------<darwin>< Flowers on the razor wire/I know you're here/We are few/And far between/I was thinking about her skin/Love is a many splintered thing/Don't be afraid now/Just walk on in. #include <disclaim.h>

Yo Elliot! The Defense Department sometimes runs jamming tests on GPS just to see what would happen. They did this in Phoenix last year. They also have been known to do this in LA and San Diego for up to 15 minutes at a time. AOPA (Airplane Owners and Pilots Association) has written on this topic a few times. Needless to say this really gets pilots agitated.... Lots of GPSes also failed on Y2K and the GPS epoch rollover. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701 gem@rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 On Thu, 2 Oct 2003, Eliot Lear wrote:
Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF.
Can you describe what would be involved to cause this sort of single point of failure to fail?

okay. two valid cases to be concerned about: The most valid case is when we all go and buy GPS receivers from the same vendor who turns out to have a bug or a vulnerability of some form. The other valid case is if the defense department brought down the satellite system for some odd reason. And they seem to not have a shortage of odd reasons. Some sort of a backup, such as PPS, or WWV* is nice, but so long as there are a few of these in the network somewhere, life should go on. Many enterprise networks run with 0 stratum 1s. Eliot

Eliot Lear writes:
Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF.
Can you describe what would be involved to cause this sort of single point of failure to fail?
It depends upon how low a probability failure you're willing to consider and how paranoid you are. For one thing, the U.S. National Command Authority could decide that GPS represents a threat to national security and disable or derate GPS temporarily or indefinitely over a limited or unlimited area. It is well known that GPS is vulnerable to deliberate attacks in limited areas, perhaps even over large areas (see Presidential Decision Directive 63). Backup systems are officially recommended for "safety-critical applications" and the US government is actively interested in developing low-cost backup systems (presumably because they're concerned about GPS as a SPOF too). The US government, and other entities, do perform "GPS interference testing". This basically means they interfere with GPS. The government is also actively investigating "phase-over to private operation", which could mean changes to operation, fee system, or reliability of the GPS system. One could also imagine conditions that would result in concurrent failures of large numbers of satellites. Remember what happened to Anik E-1 and E-2 (space weather caused them to spin out of control). If you do develop a system with GPS as a SPOF, you should certainly be aware of these risks and monitor any changes to the political and technical climate surrounding GPS. I do believe that it is currently reasonable to have GPS as a SPOF for a timing application that is not life critical (that is, where people won't die if it fails). Aviators try very, very hard not to trust their lives to GPS. DS

It depends upon how low a probability failure you're willing to consider and how paranoid you are. For one thing, the U.S. National Command Authority could decide that GPS represents a threat to national security and disable or derate GPS temporarily or indefinitely over a limited or unlimited area.
Derating GPS wouldn't affect the time reference functionality. Turning off GPS entirely would seriously affect military aviation operations.
It is well known that GPS is vulnerable to deliberate attacks in limited areas, perhaps even over large areas (see Presidential Decision Directive 63). Backup systems are officially recommended for "safety-critical applications" and the US government is actively interested in developing low-cost backup systems (presumably because they're concerned about GPS as a SPOF too).
The US government, and other entities, do perform "GPS interference testing". This basically means they interfere with GPS. The government is also actively investigating "phase-over to private operation", which could mean changes to operation, fee system, or reliability of the GPS system.
One could also imagine conditions that would result in concurrent failures of large numbers of satellites. Remember what happened to Anik E-1 and E-2 (space weather caused them to spin out of control).
If you do develop a system with GPS as a SPOF, you should certainly be aware of these risks and monitor any changes to the political and technical climate surrounding GPS. I do believe that it is currently reasonable to have GPS as a SPOF for a timing application that is not life critical (that is, where people won't die if it fails).
Aviators try very, very hard not to trust their lives to GPS.
As opposed to LORAN ?

It depends upon how low a probability failure you're willing to consider and how paranoid you are. For one thing, the U.S. National Command Authority could decide that GPS represents a threat to national security and disable or derate GPS temporarily or indefinitely over a limited or unlimited area.
Derating GPS wouldn't affect the time reference functionality. Turning off GPS entirely would seriously affect military aviation operations.
Not so: "Selective Availability (SA) is the deliberate introduction of error by either altering the precise timekeeping of GPS satellites or the position of the satellites in space, through the on-board software, thereby reducing both positioning and timing accuracy for civilian users." GPS accuracy is generally reduced by adding noise to the timing. Now you would have to derate GPS pretty significantly before timing accuracy would be significantly affected. But it's possible that some time references would refuse to lock on at all with sufficient derating. The effects of more extreme derating than SA are, at least to some extent, unknown.
Aviators try very, very hard not to trust their lives to GPS.
As opposed to LORAN ?
Generally, aviators don't like SPOFs. So they try very hard not to trust their life to any one thing. GPS is used in conjunction with VORs, pilotage (navigation by reference to fixed objects), and dead reckoning. GPS is used for instrument approaches, but only under extremely controlled conditions by very experienced pilots. A significant fraction of instrument training is how to cross-check instruments and detect failures. GPS approaches are individually approved by the FAA and factors such as runway lighting are critical. FAA approved GPS units must be used and one of the things these GPS units must do is monitor signal integrity (RAIM). From time to time, you will read FAA accident reports of people who attempted to perform GPS approaches with just a handheld GPS. DS

Derating GPS wouldn't affect the time reference functionality. Turning off GPS entirely would seriously affect military aviation operations.
Not so:
"Selective Availability (SA) is the deliberate introduction of error by either altering the precise timekeeping of GPS satellites or the position of the satellites in space, through the on-board software, thereby reducing both positioning and timing accuracy for civilian users."
GPS accuracy is generally reduced by adding noise to the timing. Now you would have to derate GPS pretty significantly before timing accuracy would be significantly affected. But it's possible that some time references would refuse to lock on at all with sufficient derating. The effects of more extreme derating than SA are, at least to some extent, unknown.
While this is true, the derating in common practice for SA when it was turned on actually turned out to be somewhat less inaccurate than the combination of atmospheric error and other issues in most GPS-based time sources. For NTP, network jitter would exceed SA jitter in most implementations.
Aviators try very, very hard not to trust their lives to GPS.
As opposed to LORAN ?
Generally, aviators don't like SPOFs. So they try very hard not to trust their life to any one thing. GPS is used in conjunction with VORs, pilotage (navigation by reference to fixed objects), and dead reckoning.
Pilotage is _VERY_ difficult in IMC. Most IFR pilots don't rely much on pilotage most of the time, and almost never attempt pilotage in IMC. It is true that most of them use VORs and RADAR as their primary navigational backups under IFR in IMC.
GPS is used for instrument approaches, but only under extremely controlled conditions by very experienced pilots. A significant fraction of instrument training is how to cross-check instruments and detect failures. GPS approaches are individually approved by the FAA and factors such as runway lighting are critical. FAA approved GPS units must be used and one of the things these GPS units must do is monitor signal integrity (RAIM). From time to time, you will read FAA accident reports of people who attempted to perform GPS approaches with just a handheld GPS.
Excuse me? GPS is used for instrument approaches by virtually any instrument rated pilot. A pilot can conduct a GPS approach solo with as little as 75 hours of PIC experience (35 hours part 141 private course and 40 hours instrument training) (14CFR parts 61 and 141). I would not consider a pilot with 75 hours or even 100 hours "very experienced". Heck, I have over 650 hours and I don't consider myself "very experienced". I haven't looked back at my logbook to be sure, but, if memory serves, I got my instrument rating at about 225 hours, and, shot my first solo GPS approach with around 250 hours of PIC experience.
You are right that a significant portion of instrument training is how to cross-check instruments and detect failures. Mostly, however, this focuses on failures of instruments related to keeping the airplane right-side up. Some cursory coverage is given to detecting navigational failures, but, as much as I try to behave differently, and, as much as I wish this weren't true, the primary mode of navigational failure detection employed by most IFR pilots I've met is when the controller says "Where the heck are you going?" (no, this isn't from the Pilot Controller glossary, nor is it how they usually convey that message).
It is true that to begin a GPS approach, you must have an approach certified (TSO'd) unit in an installation that the FAA FSDO has signed off as an approach capable installation. It's also true that you need RAIM, and, RAIM provides a certain amount of integrity more than standard GPS and more than ILS. (Actually ILS glide-slope only failures are the ones that scare me the most as an IFR pilot.)
I'm not saying the system is unsafe. I think it's very safe. I also agree about the accident reports regarding handhelds, however, I will say that with a safety pilot on board, I occasionally do make sure that I can do a panel-out (yes, that means put the sectional over the entire panel) approach using my Garmin 195. I would never do this in actual IMC, and, I would never do it without a safety pilot looking out the window and watching what I was doing. However, I feel safer knowing that I can, if everything else goes to heck, get the plane down a GPS approach using the handheld. It is a _VERY_ challenging approach. Owen

On Fri, 03 Oct 2003 09:59:59 -0700 Owen DeLong <owen@delong.com> wrote:
I used to work with GPS navigation / calibration. The entire system is designed to "free wheel" for at least a month, and probably many months, giving adequate performance even if all the ground control stations were destroyed. The only thing I would worry about (besides failures of my own equipment) would be that roof access might be blocked (say if debris fell on the roof), and thus the signal could not be acquired, for some period of time. Selective availability (SA, the jittering of the clocks on the public signal) introduced timing errors only at the level of 100 nanoseconds. If you need timing better than that, you should worry (a little) about having a backup time source, in case SA gets turned back on in a dire national emergency. Regards Marshall Eubanks
Derating GPS wouldn't affect the time reference functionality. Turning off GPS entirely would seriously affect military aviation operations.
Not so:
"Selective Availability (SA) is the deliberate introduction of error by either altering the precise timekeeping of GPS satellites or the position of the satellites in space, through the on-board software, thereby reducing both positioning and timing accuracy for civilian users."
GPS accuracy is generally reduced by adding noise to the timing. Now you would have to derate GPS pretty significantly before timing accuracy would be significantly affected. But it's possible that some time references would refuse to lock on at all with sufficient derating. The effects of more extreme derating than SA are, at least to some extent, unknown.
While this is true, the derating in common practice for SA when it was turned on actually turned out to be somewhat less inaccurate than the combination of atmospheric error and other issues in most GPS-based time sources. For NTP, network jitter would exceed SA jitter in most implementations.
Aviators try very, very hard not to trust their lives to GPS.
As opposed to LORAN ?
Generally, aviators don't like SPOFs. So they try very hard not to trust their life to any one thing. GPS is used in conjunction with VORs, pilotage (navigation by reference to fixed objects), and dead reckoning.
Pilotage is _VERY_ difficult in IMC. Most IFR pilots don't rely much on pilotage most of the time, and almost never attempt pilotage in IMC. It is true that most of them use VORs and RADAR as their primary navigational backups under IFR in IMC.
GPS is used for instrument approaches, but only under extremely controlled conditions by very experienced pilots. A significant fraction of instrument training is how to cross-check instruments and detect failures. GPS approaches are individually approved by the FAA and factors such as runway lighting are critical. FAA approved GPS units must be used and one of the things these GPS units must do is monitor signal integrity (RAIM). From time to time, you will read FAA accident reports of people who attempted to perform GPS approaches with just a handheld GPS.
Excuse me? GPS is used for instrument approaches by virtually any instrument rated pilot. A pilot can conduct a GPS approach solo with as little as 75 hours of PIC experience (35 hours part 141 private course and 40 hours instrument training) (14CFR parts 61 and 141). I would not consider a pilot with 75 hours or even 100 hours "very experienced". Heck, I have over 650 hours and I don't consider myself "very experienced". I haven't looked back at my logbook to be sure, but, if memory serves, I got my instrument rating at about 225 hours, and, shot my first solo GPS approach with around 250 hours of PIC experience.
You are right that a significant portion of instrument training is how to cross-check instruments and detect failures. Mostly, however, this focuses on failures of instruments related to keeping the airplane right-side up. Some cursory coverage is given to detecting navigational failures, but, as much as I try to behave differently, and, as much as I wish this weren't true, the primary mode of navigational failure detection employed by most IFR pilots I've met is when the controller says "Where the heck are you going?" (no, this isn't from the Pilot Controller glossary, nor is it how they usually convey that message).
It is true that to begin a GPS approach, you must have an approach certified (TSO'd) unit in an installation that the FAA FSDO has signed off as an approach capable installation. It's also true that you need RAIM, and, RAIM provides a certain amount of integrity more than standard GPS and more than ILS. (Actually ILS glide-slope only failures are the ones that scare me the most as an IFR pilot.)
I'm not saying the system is unsafe. I think it's very safe. I also agree about the accident reports regarding handhelds, however, I will say that with a safety pilot on board, I occasionally do make sure that I can do a panel-out (yes, that means put the sectional over the entire panel) approach using my Garmin 195. I would never do this in actual IMC, and, I would never do it without a safety pilot looking out the window and watching what I was doing. However, I feel safer knowing that I can, if everything else goes to heck, get the plane down a GPS approach using the handheld. It is a _VERY_ challenging approach.
Owen

Two relevant points on GPS/LORAN
1 - GPS has two positioning systems
1 - SPS Standard Positioning Service which is what all civilian uses of GPS utilize for positioning and timing uses and this can be degraded or disabled with no notice to the user community by the National Command Authority.
2 - PPS Precision Positioning Service this is the military GPS system which uses encrypted signals on a different frequency to provide location services accurate to 30 cm. SPS can be disabled with no effect on PPS. I have no knowledge of why there are two systems since the system was initially designed for military use only but as a guess the SPS system was designed as a test system so GPS system functionality could be checked without the need to disclose keys.
2 - GPS is more accurate than LORAN however the SPS is much less repeatable by design than LORAN. A LORAN may not give you as accurate a Fix as the GPS but the LORAN will always bring you back to the same spot +/- a few feet which is why Aviators and Sailors like LORAN better than GPS.
2.5 - Both systems use atomic clocks for their time reference systems.
Scott C. McGrath
On Thu, 2 Oct 2003, joe mcguckin wrote:
It depends upon how low a probability failure you're willing to consider and how paranoid you are. For one thing, the U.S. National Command Authority could decide that GPS represents a threat to national security and disable or derate GPS temporarily or indefinitely over a limited or unlimited area.
Derating GPS wouldn't affect the time reference functionality. Turning off GPS entirely would seriously affect military aviation operations.
It is well known that GPS is vulnerable to deliberate attacks in limited areas, perhaps even over large areas (see Presidential Decision Directive 63). Backup systems are officially recommended for "safety-critical applications" and the US government is actively interested in developing low-cost backup systems (presumably because they're concerned about GPS as a SPOF too).
The US government, and other entities, do perform "GPS interference testing". This basically means they interfere with GPS. The government is also actively investigating "phase-over to private operation", which could mean changes to operation, fee system, or reliability of the GPS system.
One could also imagine conditions that would result in concurrent failures of large numbers of satellites. Remember what happened to Anik E-1 and E-2 (space weather caused them to spin out of control).
If you do develop a system with GPS as a SPOF, you should certainly be aware of these risks and monitor any changes to the political and technical climate surrounding GPS. I do believe that it is currently reasonable to have GPS as a SPOF for a timing application that is not life critical (that is, where people won't die if it fails).
Aviators try very, very hard not to trust their lives to GPS.
As opposed to LORAN ?

Speaking on Deep Background, the Press Secretary whispered:
Two relevant points on GPS/LORAN
1 - GPS has two positioning systems
1 - SPS Standard Positioning Service which is what all civilian uses of GPS utilize for positioning and timing uses and this can be degraded or disabled with no notice to the user community by the National Command Authority.
I do not believe this is still true. To get ICAO approval for using GPS as a intl. standard; DoD had to sign a MOU to maintain the service. They did this because they figured how easy it was to jam locally, vs take down an entire region. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433

On Thu, 2 Oct 2003, Eliot Lear wrote:
Michael.Dillon@radianz.com wrote:
Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF.
Can you describe what would be involved to cause this sort of single point of failure to fail?
A military repositioning of the GPS sats for their own purposes, perhaps? Or adjustment of the time being broadcast? I know that a coworker of mine experienced this with a GPS-based tracking system. The boat he was tracking moved from the middle of the Atlantic, to the middle of Europe, then eventually back to the middle of the Atlantic. (this was around the time of Desert Storm) Or, of course, a more general failure of the GPS time system, for whatever reason. ...david --- david raistrick drais@atlasta.net http://www.expita.com/nomime.html

Beware the single point of failure. If all your clocks come from GPS, then GPS is the SPOF. Can you describe what would be involved to cause this sort of single point of failure to fail?
please don't! i smell my kill-subject key coming
participants (13)
- Ariel Biener
- David Lesher
- David Raistrick
- David Schwartz
- Eliot Lear
- Gary E. Miller
- joe mcguckin
- just me
- Marshall Eubanks
- Michael.Dillon@radianz.com
- Owen DeLong
- Randy Bush
- Scott McGrath