[aklug] Re: How NTP Works

From: Ted Rathkopf <ted@rathkopf.org>
Date: Mon Dec 06 2010 - 21:23:20 AKST

On Mon, Dec 6, 2010 at 8:47 PM, Mike Tibor <tibor@tibor.org> wrote:
> On Mon, 6 Dec 2010, Christopher Howard wrote:
>
>> Okay, I'm probably going to sound like a dunce to some of you, but I am
>> thinking that I am not the only person who has been confused on this
>> subject. I knew that NTP was a time-sharing program/protocol. But I was
>> always under the impression that the NTP Daemon program (ntpd) was
>> something you were supposed to install /only/ if you wanted to /serve/
>> out time, whilst you needed a client program (like ntpdate) to receive
>> time from an NTP server. I recently learned that this is a faulty
>> (obsolete?) view of NTP.
>>
>> Actually, NTP is more of a peer-to-peer protocol (though there is a
>> top-down stratum hierarchy) and the ntpd daemon /both/ receives time from
>> other computers /and/ provides time to other computers. Everybody should
>> have ntpd installed and running, in order to keep machine time constantly
>> synchronized with external sources. And if you don't want other computers
>> to be able to receive time from you (for whatever unlikely reason) you
>> just edit your ntp.conf file to restrict the outside world from making
>> use of your NTP server.
>>
>> There were two helpful commands I learned (both of which assume that
>> ntpd is running):
>>
>>  ntpq -c readvar | grep stratum
>>
>> This will tell you the NTP "stratum" of your system. The closer you are
>> to 1, the better, because those are the official sources of time.
>>
>>  ntpq -c peers
>>
>> This will tell you what external servers you are currently synchronizing
>> with, as well as the stratum of those servers and a few other possibly
>> relevant statistics.
>
> Good summary.  I would probably add that unless you manage a network with
> lots and lots of hosts, don't sync against a stratum 1 server (unless you
> run your own of course).  The stratum 1 servers are already pretty heavily
> loaded and for the vast majority of us, stratum 2 or higher does perfectly
> fine.
>
> One consideration with running ntpd is that it runs with root privs, and
> can't drop them after binding to its port the way Apache can.  If it did,
> it couldn't update the time on the system so it always has to run with
> elevated privs.  I haven't heard of any NTP implementations that have had
> any security problems, but that's no guarantee it couldn't happen.  For
> these reasons I would suggest that if you do run the daemon, that you run
> appropriate firewall rules to allow inbound NTP traffic only from hosts
> you trust and block the rest.
>
> Mike
> ---------

If you are looking for ntp servers to use, I would recommend using:

0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org

As for ntpd vs ntpdate, remember that ntpdate updates your system one
time when it is run. If you wanted to use it to keep your clock
correct, you would have to set up a cron job to run it regularly, and
if your computer's clock runs particularly fast or slow, it will "jump"
to the correct time at each update.

ntpd, on the other hand, will keep your clock accurate, and can keep
track of drift in your clock and adjust its frequency as necessary.
The longer it runs, the better information it gets about your clock
with regard to the reference clock, and is able to continually improve
the accuracy of your clock, overcoming errors of the computer's
physical clock.

-- 
http://about.me/tedrathkopf
Received on Mon Dec 6 21:24:08 2010

This archive was generated by hypermail 2.1.8 : Mon Dec 06 2010 - 21:24:08 AKST
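
The thread mentions editing ntp.conf to keep the outside world from using your ntpd. As an added example (not part of the original messages), this shell function audits the `restrict default` entries of an ntp.conf; the function name `audit_ntp_conf`, the finding labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "restrict default" policy of an ntp.conf.
# Reads the config from the files given as arguments, or from stdin.
# Prints one finding per line; returns 1 if outside hosts are served time.
# Only the catch-all "default" entries are examined, not per-host entries.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                        # drop comments
    $1 == "restrict" {
        i = 2
        if ($i == "-4" || $i == "-6") i++     # optional address-family flag
        if ($i != "default") next             # only the catch-all entry
        seen = 1
        flags = " "
        for (j = i + 1; j <= NF; j++) flags = flags $j " "
        if (flags ~ / ignore /) next          # ignore drops every packet
        if (flags !~ / noserve /)  { print "SERVES-TIME: " $0; exposed = 1 }
        if (flags !~ / noquery /)  print "ALLOWS-QUERY: " $0
        if (flags !~ / nomodify /) print "ALLOWS-MODIFY: " $0
    }
    END {
        # With no default entry at all, ntpd applies no restrictions.
        if (!seen) { print "NO-DEFAULT-RESTRICT"; exposed = 1 }
        exit (exposed ? 1 : 0)
    }' "$@"
}

# Constructed sample 1: blocks queries and changes, but still serves time.
audit_ntp_conf <<'EOF' || echo "=> outside hosts can get time from this server"
server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
EOF

# Constructed sample 2: default entries refuse everything from outside.
audit_ntp_conf <<'EOF' && echo "=> default policy refuses outside hosts"
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
EOF
```

With `ignore` or `noserve` as the default, the upstream servers need their own less restrictive `restrict` lines, because the default entry also matches their replies.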