On 2/9/2014 7:04 PM, Larry Sheldon wrote:
In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I was everybody else.
In the 1990s I found myself administering a campus network for a
University--the only people less prepared than I was ev
On 2/9/2014 6:42 PM, James R Cutler wrote:
On Feb 9, 2014, at 3:50 PM, Larry Sheldon
wrote:
On 2/9/2014 2:45 PM, Jay Ashworth wrote:
Or do I understand NTP less well than I think?
I am of the private opinion that if your name is not "David Mill"
(and MAYBE if it IS) the answer is either "4
On Feb 9, 2014, at 3:50 PM, Larry Sheldon wrote:
> On 2/9/2014 2:45 PM, Jay Ashworth wrote:
>
>> Or do I understand NTP less well than I think?
>
> I am of the private opinion that if your name is not "David Mill" (and MAYBE
> if it IS) the answer is either "42" or "yes".
From http://
Unfortunately I don't have the book handy. Maybe I am wrong too. Just
checked and 4 looks to be a valid solution for 1 falseticker according to
the Byzantine Generals' Problem.
On Sun, Feb 9, 2014 at 10:03 PM, Saku Ytti wrote:
> On (2014-02-09 21:08 +0100), Andriy Bilous wrote:
>
> > Best practice
On Sun, Feb 09, 2014 at 03:45:19PM -0500, Jay Ashworth wrote:
> - Original Message -
> > From: "Saku Ytti"
>
> > > That's only true if the two devices have common failure modes,
> > > though, is it not?
> >
> > No, we can assume arbitrary fault which causes NTP to output bad time. With
>
Look back in the archives and see the problems that erupted when one of
the big guys rebooted and came on line with bad time (tock.usno.navy.mil
in Nov of 2012). It was talked about in Outages and other lists at the
time it happened.
On 02/09/14 14:56, Saku Ytti wrote:
On (2014-02-09 15:45 -
On (2014-02-09 21:08 +0100), Andriy Bilous wrote:
> Best practice is five. =) I don't remember if it's in FAQ on ntp.org or in
> David Mills' book. Your local clock is kind of gullible "push-over" which
> will "vote" for the "party" providing most reasonable data. The algorithm
> would filter out
On Sun, Feb 9, 2014 at 2:45 PM, Jay Ashworth wrote:
[snip]
> If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
> know which one it is, because the other one will still match what I already
> have running, no?
The question should be how assured is the reliability of the clo
On (2014-02-09 15:45 -0500), Jay Ashworth wrote:
> If I'm locked to 2 coherent upstreams and one goes insane, I'm going to
> know which one it is, because the other one will still match what I already
> have running, no?
>
> Or do I understand NTP less well than I think?
I don't think you can re
On 2/9/2014 2:45 PM, Jay Ashworth wrote:
Or do I understand NTP less well than I think?
I am of the private opinion that if your name is not "David Mill" (and
MAYBE if it IS) the answer is either "42" or "yes".
--
Requiescas in pace o email Two identifying characteristics
- Original Message -
> From: "Saku Ytti"
> > That's only true if the two devices have common failure modes,
> > though, is it not?
>
> No, we can assume arbitrary fault which causes NTP to output bad time. With
> two NTP servers it's more likely that any one of them will start doing
> th
On (2014-02-09 15:16 -0500), Jay Ashworth wrote:
> > Then either of two servers not giving incorrect time is 0.99**2 i.e. 98%, so
> > two NTP servers would be 1% point more likely to give incorrect time than
> > one
> > over 1 year time.
>
> That's only true if the two devices have common failur
- Original Message -
> From: "Saku Ytti"
> > In the architecture I described, though, is it really true that the
> > odds of the common types of failure are higher than with only one?
>
> I think so, let's assume arbitrarily that probability of NTP server not
> starting to give incorrect
Best practice is five. =) I don't remember if it's in FAQ on ntp.org or in
David Mills' book. Your local clock is kind of gullible "push-over" which
will "vote" for the "party" providing most reasonable data. The algorithm
would filter out insane sources which run too far from the rest and then
gro
On (2014-02-08 19:43 -0500), Jay Ashworth wrote:
> In the architecture I described, though, is it really true that the odds
> of the common types of failure are higher than with only one?
I think so, let's assume arbitrarily that probability of NTP server not
starting to give incorrect time is 99%
- Original Message -
> From: "Matthew Huff"
> Working in the financial world, the best practice is to have 4 ntp
> servers (if not using PTP).
>
> 1) You need 3 to determine the correct time (and detect bad tickers)
> 2) If you lose 1 of the 3 above, then you no longer can determine the
- Original Message -
> From: "Jimmy Hess"
> Don't forget poor performance due to high latency, or
> Server X emitting corrupted or inaccurate data
My two internal servers were my two uplink firewalls, and were pretty
thoroughly monitored. Had NTP gone insane, I'd have heard about it.
R
- Original Message -
> From: "Saku Ytti"
> On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
> > My usual practice is to set up two in house servers, each of which
> > talks to:
> >
> > And then point everyone in house to both of them, assuming they
> > accept multiple server names.
>
> T
On Fri, Feb 07, 2014 at 01:14:09PM -0500, Jared Mauch wrote:
> If you want something that is "cheap" as in you for your home, I can
> recommend this: ~$350 w/ antenna, etc..
>
> http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
>
> You can get the whole thing going quickly. Majdi has also
On Fri, Feb 07, 2014 at 03:32:22PM -0500, Anthony Williams wrote:
>
> With a quick and easy mod, another option for $35 is a Sure Electronics
> GPS board.
>
> GPS: http://www.sureelectronics.net/goods.php?id=99
>
> Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm
>
> -Alby
>
>
> On 2/7/2014 1:1
Raspberry Pi
---
This unfortunately doesn't give you trusted time. It gives you David's
Raspberry Pi with an Adafruit Ultimate GPS breakout board which is a
waste of time if you need an evidence grade of time service. It also
means you assemble it and run it yourself.
If you ne
With a quick and easy mod, another option for $35 is a Sure Electronics
GPS board.
GPS: http://www.sureelectronics.net/goods.php?id=99
Mod: http://www.satsignal.eu/ntp/Sure-GPS.htm
-Alby
On 2/7/2014 1:14 PM, Jared Mauch wrote:
> Having a number of NTP servers will help you detect false tick
On Feb 7, 2014, at 10:56 AM, Matthew Huff wrote:
> Working in the financial world, the best practice is to have 4 ntp servers
> (if not using PTP).
>
> 1) You need 3 to determine the correct time (and detect bad tickers)
> 2) If you lose 1 of the 3 above, then you no longer can determine the
-Original Message-
From: Roy [mailto:r.engehau...@gmail.com]
Sent: Friday, February 7, 2014 10:23 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources
On 2/7/2014 3:35 AM, Saku Ytti wrote:
> On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
>
>> My usual practice is to set up
On 2/7/2014 3:35 AM, Saku Ytti wrote:
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
My usual practice is to set up two in house servers, each of which
talks to:
And then point everyone in house to both of them, assuming they accept
multiple server names.
Two is the worst possible number of NTP
On Fri, Feb 7, 2014 at 5:35 AM, Saku Ytti wrote:
> On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
>
> > My usual practice is to set up two in house servers, each of which
> > talks to:
> Two is the worst possible number of NTP servers to have. Either one fails and
> your timing is wrong, because yo
On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
> My usual practice is to set up two in house servers, each of which
> talks to:
>
> And then point everyone in house to both of them, assuming they accept
> multiple server names.
Two is the worst possible number of NTP servers to have. Either one f
On 2/6/2014 8:24 PM, Jay Ashworth wrote:
Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command.
It does. And does not light up for most of the lists I am on (including
one I "own"). I am apparently not bright enough to notice wh
- Original Message -
> From: "Mark Milhollan"
> Generally speaking, you'll need at least 3 sources if you want
> stability.
My usual practice is to set up two in house servers, each of which
talks to:
time.windows.com
time.apple.com
and one of the NIST servers
0.us.pool.ntp.org
1.us.po
> -Original Message-
> From: Notify Me [mailto:notify.s...@gmail.com]
> Sent: Thursday, February 06, 2014 4:54 AM
> To: Aled Morris
> Cc: nanog@nanog.org; Martin Hotze
> Subject: Re: Need trusted NTP Sources
>
> Raspberries! Not common currency here either, but l
- Original Message -
> From: "Larry Sheldon"
> After all these years I still can not get used to the non-standard NANOG
> response to "reply". I wonder if there is a way for me to fix that.
Noo!!! Everybody!!! Don't reply to that!!!
:-)
Mailing lists aren't *supposed* to set Reply-
rsday, February 06, 2014 10:34 AM
To: nanog@nanog.org
Subject: Re: Need trusted NTP Sources
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
> A) Run a local set of NTP servers - these are your 'trusted' servers,
under your control, properly managed/secured, fully meshed, etc.
I'm n
On Thu, Feb 6, 2014 at 8:28 AM, jamie rishaw wrote:
> PCI DSS only requires that all clocks be synchronized; it doesn't
> /require/ "how".
>
If you read requirement 10.4 more carefully, you will find that it Does
require that time
be synchronized from an INDUSTRY ACCEPTED external time sourc
On Thu, Feb 6, 2014 at 9:03 PM, Notify Me wrote:
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
Obviously "trust
On Thu, 6 Feb 2014, Notify Me wrote:
>According to the auditors, "trusted" means
>
>1. Universities or Research facilities (nuclear/atomic facilities,
>space research (such as NASA) etc.)
>2. Main country internet/telecom providers
>3. Government departments
>4. Satellites (using GPS module)
>
>Wh
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
> A) Run a local set of NTP servers - these are your 'trusted' servers, under
> your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best practice, the external clients should have
full view of as close to sourc
Hi Alexander,
I think you or your consultant may have an overly strict reading of the PCI
documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few
times...
If you have your PCI hosts directly going against ntp.org or similar, then you
are not in compliance.
My
On 2/6/2014 9:02 AM, Nick Hilliard wrote:
On 06/02/2014 14:57, Larry Sheldon wrote:
http://support.ntp.org/bin/view/Servers/PublicTimeServer79
bear in mind that due to the vagaries of african peering weirdness, the
actual path from there to the OP's network could be over multiple satellite
After all these years I still can not get used to the non-standard NANOG
response to "reply". I wonder if there is a way for me to fix that locally.
On 2/6/2014 8:49 AM, Larry Sheldon wrote:
On 2/6/2014 4:43 AM, Nick Hilliard wrote:
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a
It has been a while since I have done anything with NTP, but I would start
with ntp.org (which didn't exist when I WAS working with it) which I am led
to believe has the stuff that used to be at U. Delaware, like the public
servers lists:
http://support.ntp.org/bin/view/Servers/WebHome
Where
Once upon a time, Nick Hilliard said:
> So presuming that your company is using RH or Fedora or CentOS something,
> the auditors are claiming that Red Hat, Inc is trusted enough to provide a
> precompiled based operating system with no feasible means of proving its
> reliability, but that they're
PCI DSS only requires that all clocks be synchronized; it doesn't
/require/ "how".
If you have servers getting time from external sources (authenticated
always a plus) and peering with each other internally, then you comply
with PCI DSS 2.0 (3.0 has no changes to this that I'm aware of).
OTOH, I'
Raspberries! Not common currency here either, but let's see!
grateful for all the input and responses, this list is amazing as usual.
On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris wrote:
> On 6 February 2014 12:30, Martin Hotze wrote:
>
>> > I'm trying to help a company I work for to pass an audit
On 06/02/2014 12:30, Martin Hotze wrote:
> here is a well done how-to:
> http://open.konspyre.org/blog/2012/10/18/raspberry-pi-time-server/
The OP had a question about standards compliance, not about something that
made technical sense and would deliver a superior service. The two things
aren't i
On 6 February 2014 12:30, Martin Hotze wrote:
> > I'm trying to help a company I work for to pass an audit, and we've
> > been told we need trusted NTP sources (RedHat doesn't cut it). Being
> > located in Nigeria, Africa,
>
[...]
> So build your own stratum 1 server (maybe a second one with DC
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
> Please can anyone help with sources that wouldn't mind letting
GPS time sources are pretty cheap (< US$500) and easy to set up nowadays.
You could probably build your own for less than US$100:
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html
Aled
On 6 February 2014 11:51, Notify Me wrote:
> According to the auditors, "trusted" means
>
> 1. Universities
On 06/02/2014 11:46, Notify Me wrote:
> We're a redhat shop, and we use redhat auth which by default uses redhat
> NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
PCI DSS states:
> 10.4.3 Time settings are received from industry-accepted time sources.
The default RHE
According to the auditors, "trusted" means
1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)
Which is a bit of a tall order over here.
On Thu
We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
On Feb 6, 2014 11:43 AM, "Nick Hilliard" wrote:
> On 06/02/2014 10:03, Notify Me wrote:
> > I'm trying to help a company I work for to pass an audi
On 06/02/2014 10:03, Notify Me wrote:
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it).
So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trus
www.pool.ntp.org
Original message
From: Notify Me
Date:
To: "nanog@nanog.org list" ,af...@afnog.org
Subject: Need trusted NTP Sources
Hi !
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't c