r14 - 2005-12-15 - 09:02:10 - BradKnowles
REFACTOR See DesigningYourNTPNetworkDev for discussion of this topic.

5. Designing Your NTP Network

The design of your NTP network depends on:

  • your reliability goals
  • your physical network layout
  • the number of machines that need to be synchronized
  • the precision to which you need your machines to be synchronized

If your NTP servers will be visible on the internet, you should see NTPAccessPolicy.

5.4. Place your reference clocks

If you won't be using any reference clocks, skip to the next section.

Decide how many reference clocks you want to have. If you plan on having more than one (perhaps at different locations), consider using different types of reference clocks and using clocks from different vendors. See ChoosingReferenceClocks for more information.

Your reference clocks will be attached to what I will call your "Tier One" machines. It is usually a good idea for your tier one machines to peer with each other, your tier two machines, and perhaps with some offsite machines as well. See SelectingOffsiteNTPServers for more information.

5.5. Your core NTP server machines

You will distribute time to your network from your "Tier Two" core NTP server machines. These machines should peer with each other, any tier one machines, and perhaps with some offsite machines as well. See SelectingOffsiteNTPServers for more information.

Redundancy can be important. Consider using multiple physical networks both internally and when connecting to external servers.

There should be at least 4 machines in the peering set of tier one and tier two machines. This will allow for the detection of a single point of failure. More machines will allow for proper behavior with more failures.

5.6. Distributing time from your routers

Some routers run ntpd and can be used to distribute time to the subnets that connect to them.

However, keep in mind that routers are primarily designed to route packets in one interface and out another, and they usually have lots of custom silicon chips to help them perform this role very well and very quickly. They are not typically well-suited to the role of providing general-purpose services.

In many cases, these kinds of functions are handed off to an internal shared CPU which is asked to perform all sorts of less common tasks on the router, and doing excessive amounts of work with NTP may cause it to be less able to do "real work" as a router, or may cause it to perform poorly as an NTP server.

If you wish to configure your routers as NTP clients, we suggest that you use information on this subject from the vendor, or from documentation written specifically for that vendor. In the case of Cisco routers, see the O'Reilly books Hardening Cisco Routers by Thomas Akin or Cisco Cookbook by Kevin Dooley and Ian J. Brown. Both have chapters on NTP; the NTP chapter of the former is available online at http://www.oreilly.com/catalog/hardcisco/chapter/ch10.html.

5.7. Distributing time to your machines

The rest of your machines should get the time from your tier two computers.

This can be done using:

  • unicast
  • broadcast
  • multicast
  • manycast

Read the documentation about authentication, and see ConfiguringNTP for more information.
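As an added example that is not from the original page or from ntp.org, here is a constructed ntp.conf for one tier-two core server that ties sections 5.4, 5.5 and 5.7 together: it takes time from the tier-one reference-clock machines, forms a four-machine peering set with its fellow tier-two servers, cross-checks against offsite servers, and hands time to clients by authenticated broadcast. Every hostname, address and key id is a placeholder, and the ntp.keys file is assumed to hold the shared symmetric keys 1 and 2.

```conf
# ntp.conf for tier-two core server "core-b" (constructed example; all
# addresses, hostnames and key ids are placeholders)
driftfile /var/lib/ntp/ntp.drift

# Symmetric-key authentication for every peer and broadcast association.
keys /etc/ntp/ntp.keys
trustedkey 1 2
controlkey 2

# Default policy: serve time, but refuse modification, traps, peering and
# queries from unauthenticated sources; answer rate-limited abusers with KoD.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Tier one: the machines with the reference clocks (see ChoosingReferenceClocks).
# Two clock types from two vendors, per the advice in section 5.4.
server 10.0.1.11 key 1 iburst   # tier1-a, GPS receiver
server 10.0.1.12 key 1 iburst   # tier1-b, radio clock, different vendor

# Tier two peering set: this host plus three others gives the four-machine
# minimum from section 5.5, so one bad clock can be outvoted by the rest.
# core-a sits on physical network A, core-c and core-d on network B.
peer 10.0.2.21 key 1            # core-a
peer 10.0.2.23 key 1            # core-c
peer 10.0.2.24 key 1            # core-d
# Lift the default "nopeer" for the peering subnet so symmetric mode works.
restrict 10.0.2.0 mask 255.255.255.0 nomodify notrap

# Offsite servers as an independent sanity check (see SelectingOffsiteNTPServers).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Do not synchronize until at least two sources survive selection and
# three are available for clustering; avoids trusting a lone source.
tos minsane 2 minclock 3

# Section 5.7: distribute time to the client LAN by authenticated broadcast.
# Clients use "broadcastclient" with the same key; unicast "server" lines
# pointing at the tier-two machines are the alternative for hosts off this LAN.
broadcast 10.0.3.255 key 1
```

The other tier-two machines use the same file with their own address removed from the peer list, and tier-one machines replace the server lines with their refclock driver entries while keeping the same peering and restrict layout.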

-- HarlanStenn - 31 Jul 2003
-- BradKnowles - 08 Oct 2003

NTP.DesigningYourNTPNetwork moved from NTP.DesigningYourNtpNetwork on 2003-07-30 - 20:32 by HarlanStenn