Security and standalone Stratum 1.

[Hal Murray]

esr at thyrsus.com said:
> Gary E. Miller <gem at rellim.com>:
>> 5. Disallow internal system to seek NTP from other sources
>> beyond your edge routers.
> But now I learn that we apparently can't do that, because (according to
> Gary) a Stratum 1 requires a minimum of three good chimers for the
> source-selection algoritms to stay sane. 

Welcome to the real world.  It's a complicated mess.

The idea that you need to keep in mind is that clocks lie.  Not often, but 
often enough to be interesting.  Firmware bugs are a typical source.

There are also quirks like asymmetric routing and/or packets taking a nap in 
routers.   From here (Silicon Valley), the NIST servers on the east coast are 
off by 30 ns.

I have many examples of NTP packets getting delayed by seconds.  Bufferbloat 
on my DSL line often gets over 3 seconds.  I've seen 8 second round trip 
times from SV to NIST east.  The NIST server at WWV, Ft Collins gets 
occasional round trip times over 60 seconds.

If you are using 3 clocks, the other 2 can outvote a falseticker.  There is a 
recurring discussion of how many clocks you need.  If you are using 3 clocks 
but one of them stops responding, what happens if one of the remaining 2 
lies?  ...

On top of all that, you get to consider forged packets.  They can be used for 
DDoS activity as well as poisioning your clock.  I think the only solution to 
that is crypto authentication.

The NANOG discussion starts here:
  http://mailman.nanog.org/pipermail/nanog/2016-May/085655.html

It's good reading, but more for background on how NANOG thinks about time 
rather than for solutions.  Be sure you have your skeptics hat on.


esr at thyrsus.com said:
> Note to self: investigate orphan mode.

That's an interesting area, but it's a different problem.  It's for keeping 
local systems in sync with each other when the connection to outside NTP 
servers is down and you don't have a local S1 setup.




-- 
These are my opinions.  I hate spam.