[aklug] Re: How NTP Works

From: Mike Tibor <tibor@tibor.org>
Date: Mon Dec 06 2010 - 20:47:57 AKST

On Mon, 6 Dec 2010, Christopher Howard wrote:

> Okay, I'm probably going to sound like a dunce to some of you, but I am thinking that I am not the only person who has been confused on this subject. I knew that NTP was a time-sharing program/protocol. But I was always under the impression that the NTP Daemon program (ntpd) was something you were supposed to install /only/ if you wanted to /serve/ out time, whilst you needed a client program (like ntpdate) to receive time from an NTP server. I recently learned that this is a faulty (obsolete?) view of NTP.
>
> Actually, NTP is more of a peer-to-peer protocol (though there is a top-down stratum hierarchy) and the ntpd daemon /both/ receives time from other computers /and/ provides time to other computers. Everybody should have ntpd installed and running, in order to keep machine time constantly synchronized with external sources. And if you don't want other computers to be able to receive time from you (for whatever unlikely reason) you just edit your ntp.conf file to restrict the outside world from making use of your NTP server.
>
> There were two helpful commands I learned (both of which assume that ntpd is running):
>
> ntpq -c readvar | grep stratum
>
> This will tell you the NTP "stratum" of your system. The closer you are to 1, the better, because those are the official sources of time.
>
> ntpq -c peers
>
> This will tell you what external servers you are currently synchronizing with, as well as the stratum of those servers and a few other possibly relevant statistics.

Good summary. I would probably add that unless you manage a network with
lots and lots of hosts, don't sync against a stratum 1 server (unless you
run your own of course). The stratum 1 servers are already pretty heavily
loaded and for the vast majority of us, stratum 2 or higher does perfectly
fine.

One consideration with running ntpd is that it runs with root privs, and
can't drop them after binding to its port the way Apache can. If it did,
it couldn't update the time on the system so it always has to run with
elevated privs. I haven't heard of any NTP implementations that have had
any security problems, but that's no guarantee it couldn't happen. For
these reasons I would suggest that if you do run the daemon, that you run
appropriate firewall rules to allow inbound NTP traffic only from hosts
you trust and block the rest.

Mike
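A concrete version of the firewall advice above, as an added example that is not part of the original thread: a POSIX shell script that emits (and, only when run with `apply`, loads) iptables rules admitting UDP/123 from a trusted list plus the replies to ntpd's own upstream queries, and dropping the rest. The `ntp_rules` helper and the addresses (RFC 5737 documentation ranges) are assumptions of this example, not anything from the list.

```shell
#!/bin/sh
# Added example, not from the thread. ntpd binds UDP/123 and also sends its
# queries to upstream servers from that same port, so packets arriving on 123
# are a mix of replies we asked for and queries from other hosts. Strategy:
# accept established flows (our upstream's replies), accept new NTP only from
# an explicit trusted list, log-and-drop everything else.
# Constructed placeholder addresses (RFC 5737 documentation ranges).
TRUSTED_NTP_CLIENTS="192.0.2.0/24 198.51.100.7"   # LAN plus one remote host

# ntp_rules: print the iptables commands, one per line, without executing them.
# Usage: ntp_rules "<space-separated source addresses>" [chain]
ntp_rules() {
    sources=$1
    chain=${2:-INPUT}
    # Replies to queries ntpd originated towards its (stratum 2) upstreams;
    # conntrack marks the return direction of a UDP flow as ESTABLISHED.
    echo "iptables -A $chain -p udp --dport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # One accept rule per trusted client or network
    for src in $sources; do
        echo "iptables -A $chain -p udp --dport 123 -s $src -j ACCEPT"
    done
    # Anything else aimed at the daemon is rate-limited into the log, then dropped,
    # so unexpected NTP clients become visible to whoever reads the logs.
    echo "iptables -A $chain -p udp --dport 123 -m limit --limit 5/min -j LOG --log-prefix \"ntp-drop: \""
    echo "iptables -A $chain -p udp --dport 123 -j DROP"
}

# Dry run by default (rules go to stdout); pass "apply" to load them as root.
if [ "${1:-}" = "apply" ]; then
    ntp_rules "$TRUSTED_NTP_CLIENTS" | sh -e
else
    ntp_rules "$TRUSTED_NTP_CLIENTS"
fi
```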
Received on Mon Dec 6 20:48:16 2010