Expert Network Time Protocol An Experience in Time with NTP

eliable timeservers does not diminish that they need to be synchronized in time if the logging activ- ity on the network is going to have any integrity whatsoever. And network administrators are very conscious of how critical accurate logs are when there is a failure, security breach, or intermittent connectivity problem that needs to be resolved. From the network administra- tion perspective, it is thus critical that routers and switches be configured as NTP clients, regardless of whether they additionally act as secondary servers to other clients. Use of NTP in the Desktop Environment It seems natural that the desktop computing environment is on the receiving end of the NTP synchronization services, or basically represents the NTP clients. After all, the desk- top environment is a lot less stable than the network infrastructure (routers and switches) or server environments that tend to be isolated and protected from accidental shutdowns and user intrusion. And NTP server availability is a serious consideration in the process of choosing your NTP time source. Having said that, consider that with the addition of third-party software and GPS clocks, even common desktop operating systems such as Windows NT, 2000, or XP could turn into primary timeservers. ■Tip For more information about desktop timeservers, visit Galleon Systems’ website at While a workstation may not be optimal as a time source for other devices, if a work- station’s operational requirements are such that it cannot rely on securing accurate time over the network, then consider equipping such a workstation with its own reference clock and appropriate software to integrate the clock into the workstation’s operating system. Microsoft Windows Workstations and Servers Microsoft workstation and server software operating systems do not by default support primary reference clocks. However, in a similar manner to routers and switches, Microsoft servers are capable of operating at stratum level 2 or higher and offering time service to other devices throughout the network. It’s not unusual to configure the primary domain controller to obtain its time from a primary timeserver and then distribute it to clients throughout the domain. Time synchronization on Microsoft servers (Windows 2003, for example) is implemented via the Windows Time service (W32Time). Be mindful, though, that the Windows Time service does not support synchronization from broadcast or CHAPTER 5 ■ NTP DESIGN, CONFIGURATION, AND TROUBLESHOOTING132 multicast peers. Client devices with a more critical need for accurate time should be pointing to a local timeserver, even if it is a stratum 2 server. Other client devices with access to the Internet could point to for its time, which is the default configuration for workstations not configured to join a domain. Unix/Linux Workstations and Servers The various Unix/Linux OSs are probably the most flexible in terms of NTP support. They facilitate the configuration of primary timeservers, higher-stratum servers, and end-user clients. The primary NTP program remains the xntpd/ntpd daemon. The other commonly used programs in these environments are listed in Table 5-3 in the subsequent “NTP-Related Programs and Utilities” section. The xntpd/ntpd daemons support peering, client/server point-to-point (symmetric active mode), and client/server point-to-multipoint (broadcasting and multicasting) NTP operations. While the NTP configuration process and integration of reference clock drivers into the daemons might be more of a challenge in the Unix/Linux environments as com- pared to that of dedicated timeservers or third-party add-ons to Novell or Windows 2003 servers, the flexibility of configuration and opportunity for fine-tuning remain strong points in these environments. That’s provided you are able to allocate the necessary time to those tasks! Troubleshooting NTP Operations NTP is a TCP/IP application service. If you suspect a problem with NTP, consider that the lower layers on your TCP/IP network must be functional before you can get into trouble- shooting an application service. If an NTP client device is experiencing IP connectivity problems, then chances are its time will also begin to drift. A common approach to trou- bleshooting any network problem is to start at the physical layer and work your way up. But troubleshooting doesn’t have a silver-bullet formula. It takes both systems and experi- ence to be successful at it. Your approach to troubleshooting NTP will also vary greatly as a function of network management procedures and the type of network management sys- tem (NMS) that’s in place on your network. Assuming that the lower layers of the network are functioning well, here are specific tips for dealing with NTP problems: • Become familiar with the functions of all the NTP-related programs and utilities: The names of the NTP-related programs may vary from one vendor to another, but given the pervasiveness of NTP, a pattern emerges with respect to pro- gram/utility functionalities. • Use NTP configuration options to your advantage: Optional NTP parameters can be used to minimize NTP problems that might result from an underlying network problem. Additionally, specific NTP problems can be reported either to a central NMS or via e-mail if SNMP has been properly configured. CHAPTER 5 ■ NTP DESIGN, CONFIGURATION, AND TROUBLESHOOTING 133 NTP-Related Programs and Utilities In the network infrastructure environments (routers and switches), it’s the show and debug commands that allow for the monitoring of individual NTP devices following their config- uration. The show commands allow for the display of NTP status and associations, while the debug commands allow for identification of potential problems with synchronization, including those related to authentication. The Linux/Unix environments offer a series of programs and utilities, as defined in Table 5-3, that facilitate not only the operations but also the administration and management of NTP servers in those environments. CHAPTER 5 ■ NTP DESIGN, CONFIGURATION, AND TROUBLESHOOTING134 Table 5-3. Linux/Unix NTP-Related Programs and Utilities Program Name Program Description ntpd/xntpd The NTP daemon. This program relies on the configuration statements within the ntp.conf, ntp.drift, and ntp.keys files to keep the server on which it is installed synchronized and its communications secure with the configured time source(s). The daemon operates on a server that’s configured as a primary timeserver with a reference clock, or the daemon operates on an NTP client with the time source being a primary timeserver or even a high-level stratum server. ntpq The NTP query program. The use of the restrict command with the noquery flag within the ntp.conf file can prevent the local host from answering queries from another device that identifies the local host as a parameter (IP address or hostname) in this command. How- ever, this utility is useful when it comes to NTP troubleshooting if the target host permits it. When the command is executed with the name of a target host as a parameter, it allows for subsequent execution of subcommands for display of the peers, NTP associations, clock variables to determine what kind of a clock is used by the timeserver, and more. ntpdc A query utility on the order of ntpq but one that uses the mode field value of 7 (instead of 6 for ntpq) in the NTP message header. ntpdate A utility that allows the setting of date and time via NTP. This utility can be executed prior to starting the NTP daemon to perform a one-time synchronization with a target server, in case the time on the host machine is significantly off. In the event that an administrator determines that running the NTP daemon poses a potential security risk on a client (you don’t have much choice on a primary server!), the ntpdate utility can be periodically exe- cuted (run as a CRON job) to maintain the client synchronized with a target server. Don’t expect a microsecond accuracy of the host clock with UTC, however, if you decide to use ntpdate as your only time synchronization tool, especially if it’s run once a week! ntptrace A utility that allows for the tracing of the chain of NTP servers up to the primary time source. This is not unlike the Traceroute utility in TCP/IP that allows for the tracing of a full route to a target host. ntp-keygen A program for generating public and private keys that can be used with the Autokey protocol. The Novell NetWare environments offer programs similar to those of Unix but in the form of NetWare Loadable Modules (NLMs). For example, the NTPQ NLM, which corre- sponds to the ntpq Unix utility, can be executed to operate in an interactive mode (via the –i switch) with the prompts and then written to and the commands read from the standard output and input, respectively. Associations, peers, and numerous variables can be subse- quently displayed and monitored. If synchronization is not working at all, it’s advisable to execute the xtnpd/ntpd daemon with a –d flag to enable debugging and to redirect the debugging output to syslog or to standard output (STDOUT). NTP Configuration with Monitoring and Troubleshooting in Mind In the Unix/Linux environments, the logging of NTP events is configured by specifying the location of the statistic collection directory in the ntp.conf file and by enabling the writing of the statistics records, which relate to the clock driver, peers, and loop filter statistics. Loop filter is part of the time-server model as specified in RFC 1305’s “Determining Time and Frequency” section in Appendix F. Listing 5-14 shows a sample section of the ntp.conf file, illustrating the statistics collection configuration. Listing 5-14. Statistics Collection Configuration on ntp.conf #Define the location and enable the NTP statistics collection statsdir /var/ntp statistics loopstats peerstats clockstats filegen Apress_stats_set file Apress_NTP_stats type week The previous configuration identifies the /var/ntp directory for statistics collection related to the loop filter, the peers, and the clock driver. The filegen command further enables the management of the set of stat files, Apress_stats_set, and characterizes the individual files based on weekly collection intervals (use of the week variable with the type keyword). The reader is referred to each vendor’s specific documentation on the subject of configuring NTP statistics collection. In the Novell NetWare environments, the function of statistics collection that is comparable to that shown in Listing 5-14 is accomplished via the XNTPD NLM. The XNTPD NLM offers long-term collection capabilities related to the clock driver, peers, and filter loop statistics. Statistics collection is most likely to be imple- mented on stratum 1 and 2 servers. As the NTP hierarchy progresses toward higher stratum levels—from the primary timeservers through the networking infrastructure to the desktop environment—the level of monitoring of NTP operations is bound to diminish. It is critical, however, that as part of routine network management you always ensure the primary timeserver’s IP connectivity to the rest of the network. Subsequently, each NTP vendor will or should have management utilities that allow for monitoring the NTP health of the primary timeserver to verify that it continues to offer accurate synchronization service. CHAPTER 5 ■ NTP DESIGN, CONFIGURATION, AND TROUBLESHOOTING 135 Generally, the NTP configurations on secondary servers (whether they be routers, switches, or desktop devices with various OSs) tend to be simpler compared to those of the primary ones. The NTP management of those timeservers might thus be reduced to monitoring their operational (“up”) status. As a final configuration tip for routers that are acting as NTP servers, always consider the use of the ntp source command to define the IP address that will be used for forming NTP associations. Make the address that of a loopback interface if possible, and, if not, then make the address that of the interface that’s considered to be most reliable and least likely to go down. CHAPTER 5 ■ NTP DESIGN, CONFIGURATION, AND TROUBLESHOOTING136 NTP: A Journey in Time! Writing about NTP was a journey in time. Literally! It was a journey that scaled diverse computing environments, science, philosophy, history, and literature, all sharing a com- mon thread: time! On the surface, NTP is simple and almost inconspicuous, overshadowed by many giants inside the TCP/IP suite. As the examples in Chapter 5 reflect, basic config- urations involve no more than a few statements. But start digging into it! Before you know, it engulfs you, as it deals with that most fundamental and pervasive element of existence: time! And the science behind it is stunning: atomic clocks, GPS satellites, and complex clock selection and encryption algorithms. And this is all to support the accuracy and dis- tribution of this seeming pervasive and most elusive resource: time! This book could have been larger! It could have cataloged every NTP implementation on every conceivable networking device and operating system since the protocol’s incep- tion. But ironically, in that case the effort would have suffered the ravages of time and never reached the printed page. Thus, what’s behind you represents a compromise that time forces all writers to make. NTP’s importance is growing just as the NTP resources available on the Internet are increasing. Yet, it takes time to sift through all those resources and make sense of them all. Thus, the author’s hope is that the concentrated journey through NTP’s history, archi- tecture, design, and configuration that this publication represents—with pointers to areas that could take up the rest of your life if pursued to the nth degree—has been worth your time. That’s especially true if you are one of those network administrators—forward look- ing in time—who is recognizing the growing importance of maintaining accurate and synchronized time on your networks. 137 E P I L O G U E ■ ■ ■ Additional NTP Resources This appendix consists of references to websites and publications that offer additional resources for further studies on the subject of NTP. Some of these references are men- tioned in the main text, while others are not. The websites are categorized by topics related to • Public NTP servers and pools • Interplanetary Internet • NTP version 4 downloads • Select NTP vendors • Ongoing NTP research • Other sites of potential interest Dedicated publications on the subject of NTP are far and few between. In various networking books, the subject of NTP usually occupies anywhere from a few to a dozen pages. Network operating systems vendors usually have sections on NTP in their product manuals. Some vendors have published white papers on the subject of NTP. Thus, while the volume of publications that reference NTP at some level may be significant, the two key publications that warrant the greatest attention from NTP designers are the latest specifications for NTP version 3 and SNTP. They are listed at the end of the appendix. Websites The following are sites dedicated to public servers and pools: • • • 139 A P P E N D I X ■ ■ ■ APPENDIX ■ ADDITIONAL NTP RESOURCES140 The following are sites dedicated to the Interplanetary Internet: • • The following are sites dedicated to NTP version 4 source code and cryptographic libraries: • • The following are sites dedicated to select vendors: • • The following are sites dedicated to ongoing research: • • https://ntp.isc.org/bin/view/IETF/WebHome The following are sites dedicated to other miscellaneous NTP-related information: • • Publications The following are the two key publications of interest: • Mills, David L. RFC 1305, Network Time Protocol (Version 3) Specification, Imple- mentation and Analysis. Newark: University of Delaware, 1992. • Mills, David L. RFC 2030, Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI. Newark: University of Delaware, 1996. Bibliography Audi, Robert, general editor. The Cambridge Dictionary of Philosophy, pbk ed. Cambridge: Cambridge University Press, 1995. Barnes-Svarney, Patricia, editorial director. The New York Public Library Science Desk Reference. New York: Stonesong Press, 1995. Barnett, Mary. Gods and Myths of the Romans. New York: Smithmark Publishers, 1996. Bergmann, Peter Gabriel. Introduction to the Theory of Relativity. With a foreword by Albert Einstein. New York: Dover Publications, 1942. Cantor, Norman F. Medieval History: The Life and Death of a Civilization. New York: Macmillan, 1963. Corrick, James A. The Industrial Revolution. San Diego: Lucent Books, 1998. Couch, Malcolm. Greek and Roman Mythology. New York: Todtri Productions, 1997. Craig, Edward, editor. Concise Routledge Encyclopedia of Philosophy. London: Routledge, 2000. Durant, Will. The Life of Greece. The Story of Civilization: 2. New York: Simon and Schuster, 1939. Durant, Will. Caesar and Christ. The Story of Civilization: 3. New York: Simon and Schuster, 1944. Durant, Will. The Age of Faith. The Story of Civilization: 4. New York: MJF Books, 1950. Ford, Kenneth William. The Quantum World, Quantum Physics for Everyone. Cambridge, MA: Harvard University Press, 2004. Greene, Brian. The Elegant Universe: Superstrings, Hidden Dimensions, and the Quest for the Ultimate Theory, pbk ed. London: Vintage, 1999. Halliday, David, and Robert Resnick. Physics Parts I and II. New York: John Wiley & Sons, 1960. Harmon, William, editor. The Top 500 Poems. New York: Columbia University Press, 1992. 141 ■BIBLIOGRAPHY142 Homer. The Illiad, trans. Alston Hurd Chase and William G. Perry Jr. Boston: Little, Brown and Company, 1950. Past Worlds: Atlas of Archeology. New York: Borders Press, 2003. Roberts, Timothy R. Ancient Rome: Chronicles of the Roman World. n.p.: MetroBooks, 2000. Ross, Stewart. The Industrial Revolution. London: Evans Brothers Limited, 2000. Sale, Kirpatrick. Rebels Against the Future: The Luddites and Their War on the Industrial Revolution, Lessons for the Computer Age. Reading, MA: Addison-Wesley, 1995. Shakespeare, William. William Shakespeare: Complete Poems. New York: Gramercy Books, 1993. Whittier, John Greenleaf. Poems of Whittier. New York: Books, Inc., n.d. ■Numbers and Symbols 802.3i/10Base-T standard adopted by the IEEE, 31–32 ■A absolute clock source, planetary time represented by, 43 Advanced Research Projects Agency (ARPA), funding of Interplanetary Internet research by, 60–61 Algorithms, description of in NTP version 1, 56 ancient Greece, landscape similarity to NTP server farms, 29–32 ancient Rome founding of, 33 and the Roman Empire, 32–34 anycast mode advantage of, 73 in SNTP specification (RFC 2030), 72–73 Aphrodite, help given to Paris by, 31 Apple of Discord, use of by Eris as ploy masking a spoofing attack, 30 ARPA. See Advanced Research Projects Agency (ARPA) ARPAnet connection of first nodes for, 28 initial interconnection of, 33 asymmetric cryptography, public key cryptography referred to as, 84 ASs. See Autonomous Systems (ASs) astronomical timescale, keeping UTC synchronized with, 43 Atlantian calendar, 20–21 atomic second, definition of, 8–9 authentication, need for scalable and secure for NTP, 60 authenticator (96-bits) field, in NTP version 3 data messages, 53 Autokey protocol backward compatibility of, 87 Key ID and key lifetime duration of, 87 NTP packet modification of, 87 relevant characteristics from configuration and troubleshooting perspective, 86–87 RFC memo for published by David Mills, 86 security mechanisms incorporated in, 86–87 separate authentication for each NTP association, 87 variations (dances) of, 86 Autonomous Systems (ASs) interconnection of, 34 Aztec calendar, 20 ■B Babylonian calendar, 20 BARRnet, interconnection with NSFnet, 34 BGP. See Border Gateway Protocol (BGP) bibliography, 141–142 Big Bang, 27–29 Boggs, David, development of first Ethernet network by, 32 Border Gateway Protocol (BGP), preeminence of, 34 broadcast mode, function of, 71 business-to-business (B2B), 93 business-to-customer (B2C), 93 ■C calendars history of Gregorian, 19–20 history of Julian, 18–19 other earthly, 20–21 to measure time’s passage, 3 types of, 18–21 certificate services, availability of, 85 certification authorities (CAs), public keys maintained by, 85 Chinese calendar, 20 Chronological, defined by Webster, 17 Cisco Catalyst switch, NTP client authentication configuration on, 121–122 Index 143 Cisco client switch configured to receive NTP broadcast from a server, 115 configured with an IP address of a server, 115–116 Cisco router, NTP authentication configuration on, 122 Cisco router environment, symmetric passive mode association in, 68 Cisco router NTP configuration file, output from show ntp associations detail command for, 114 Cisco routers and switches, NTP security on, 119–122 classical mechanics, laws of, 7–10 client, terminology for in RFC 1305, 64 client mode, function of, 68–69 clock, definition of, 9–10 clock accuracy, 88 clock precision, 88 clock stability, 88 code example of access control granularity through use of restrict command, 117–118 of basic Cisco router (client mode) NTP configuration, 114 basic Juniper NTP configuration, 116 of a basic NTP configuration on a primary timeserver, 111 Cisco client switch configured to receive NTP broadcasts, 115 Cisco client switch configured with an IP address of a server, 115–116 NTP access control configuration on a Cisco router, 119–120 NTP authentication configuration on a Cisco router, 122 NTP client authentication configuration on a Cisco switch, 121–122 output for NTP variables’ analysis, 76 output for NTP variables’ analysis client and master synchronized, 77 output for NTP variables’ analysis no synchronization, 77 output from debug ntp packets command, 70 output from debug ntp packets command showing broadcast NTP mode, 71 output from NTP variables’ analysis (client and server are synchronized), 76 output from show ntp associations command on client, 70–71 output from show ntp associations command on server, 70 of receive message from peer to host, 69 showing contents of a basic npt.conf file, 109 showing NTP symmetric active mode exchanges, 66 showing symmetric passive NTP mode exchanges, 67 statistics collection configuration on ntp.conf, 135 of transmit message from host to peer, 69 of a typical ntp.conf file, 111–112 common variables, defined, 75 computer networking, time mechanism of choice for, 42 Concise Routledge Encyclopedia of Philosophy,time references from, 16 configurable variables, in NTP, 79 Coordinated Universal Time (UTC) represented by the absolute clock source, 43 as time mechanism of choice for networking and NTP, 42 core routers, configured as stratum 2 servers, 49 Corrick, James A., The Industrial Revolution by, 36 cryptographic authentication, as a security mechanism in NTP, 82–87 Cyber Block Chaining (CBC) operation mode, symmetric key cryptography based on, 83 ■D dances. See Autokey protocol, variations of DARPA, funding of Interplanetary Internet research by, 60–61 Data Encryption Standard (DES), Cyber Block Chaining (CBC) operation mode of, 83 dedicated private timeservers advantages of choosing for NTP deployment, 96–97 basic NTP configuration of, 107–108 disadvantage of, 98 ease of configuration and installation, 97 redundant, 124 security of, 97 ■INDEX144 default parameter, used with restrict command in ntp.conf file, 113 Defense Research Agency, splitting of original ARPAnet by, 33 deployment site deciding upon the NTP topology at, 104 deciding upon the number of NTP clients at, 104 level of network redundancy within, 104–105 desktop environment, use of NTP in, 132–133 desktop timeservers, website address for information about, 132 determinism vs. creative chaos (Sparta vs. Athens), as precursor to Token Ring LAN access method, 31–32 Digital Equipment Corporation (DEC), statements by founder Ken Olson, 37 distributed hierarchy of stratum 1 NTP servers, 30 distribution routers, configured as stratum 3 servers, 49 drift, 88 drift file, purpose of, 110 duration, defined, 8 ■E e-commerce, need for transactional integrity for, 93 edge routers, configured as stratum 4 servers, 49 Einstein’s theory of relativity vs. Newton’s theory of gravity, 9–10 Electronic Numerical Integrator and Computer (ENIAC), history of, 36–37 ENIAC. See also Electronic Numerical Integrator and Computer (ENIAC) Epilogue, NTP: a journey in time, 137 “Even Such Is Time” by Sir Walter Raleigh, 23 external reference sources, 44 ■F falseticker, 89 formula to protect you against on public servers, 102 some public servers as, 101 finite state machine, 89 fudge command, special case use of on client devices, 110 ■G general theory of relativity, 11–12 global Internet, creation and evolution of, 33 Global Positioning System (GPS) satellite, 43 Goddess of Discord and Strife (Eris), use of Apple of Discord by, 30 GPS satellite radio station, operated by U.S. National Institute of Standards and Technology, 43 GPS stratum 1 servers, 48 GPS timeserver, Symmetricom’s model NTS- 200, 98 Gregorian calendar, history of, 19–20 ■H Harrenstein, H., RFC 868 published by in May 1983, 42–43 Helen of Troy, kidnapping of by Paris, 31 Hindu calendar, 20 historical perspective of time, 16–23 history, defined, 17 host, terminology for in RFC 1305, 64 hub-and-spoke network infrastructure design, NTP topology, 105–106 ■I IANA. See Internet Assigned Numbers Authority (IANA) ignore parameter, used with restrict command in ntp.conf file, 113 Industrial Revolution (IR), changes ushered by, 36 Instantiation, defined, 64 Interface Message Processors (IMPs), birth of ARPAnet when first interconnected, 33 Internet drastic changes of from 1983 through 1995, 34 occasional setbacks since 1995, 34 Internet Assigned Numbers Authority (IANA), numbers assigned by, 71 Internet Engineering Steering Group (IESG), 50 Internet Engineering Task Force (IETF), 50 Internet Group Management Protocol (IGMP), as multicast management protocol, 72 Internet-era period vs. written history period, 28 ■INDEX 145 Interplanetary Internet (IPN) funding for, 60 website addresses for information about, 61 websites dedicated to, 140 IP addresses, panic about running out of, 34 IPN. See Interplanetary Internet (IPN) IPv6, for solving IP address shortages, 34 IPX/SPX suite, based on XNS protocol suite, 32 IR. See Industrial Revolution (IR) Iranian calendar, 20 IT trends, and network administration throughout history, 27–37 ■J Julian calendar, history of, 18–19 Juniper router, basic configuration, 116 JUNOS software, for Juniper Networks routers, 116 ■K key publications of interest, 140 ■L leap indicator (2-bit indicator) field, in NTP version 3 data messages, 50 leap second indicator, in NTP version 3 data messages, 50 leap year, the earthly time synchronizer, 22–23 light, speed of as a universal constant, 7–8 local device, labels applicable to, 64 local NTP “master” device, using and configuring an existing device as, 103 logical clock design, description of in NTP version 1, 56 ■M manycast/anycast mode, function of in SNTP and NTP version 4, 72–73 mass/energy equivalence principle, 11–12 Mayan calendar, 20 MD5. See Message Digest 5 (MD5) algorithm Mean Time Between Failures (MBTF) value, for dedicated private timeservers, 97 Menelaus, king of Sparta, 31 Message Digest 5 (MD5) algorithm, developed by Ronald L. Rivest, 83–85 Metcalf, Bob, development of first Ethernet network by, 32 MICHnet, interconnection with NSFnet, 34 Microsoft servers, time synchronization on, 132–133 Microsoft Windows workstations and servers, ability to offer time service to other network devices, 132–133 Middle (Dark) ages, comparison to Ethernet broadcast storms, 35 Mills, David L. RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis (University of Delaware, 1992) by, 140 RFC 2030, Simple Network Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI (University of Delaware, 1996) by, 140 “The Autokey Security Architecture, Protocols, and Algorithms” RFC memo by, 86 mode (3-bit integer) field, in NTP version 3 data messages, 51 modern times, Thomas Watson, Sr. importance to the Internet, 36–37 monitoring and managing NTP operations, 126–127 MOREnet, interconnection with NSFnet, 34 multicast mode function of, 71–72 security as key consideration for deployments of, 72 multicast traffic, limiting the propagation of to a designated domain, 73 multipoint-to-point mode, 74 ■N NAPs. See Network Access Points (NAPs) NAT. See Network Address Translation (NAT) National Institute of Standards and Technology. See U.S. National Institute of Standards and Technology National Science Foundation (NSF), timeframe of NFSnet dominance of Internet, 34 navigational timescale. See astronomical timescale Nereus (also know as the Old Man of the Sea), 29 NetWare Loadable Modules (NLMs), Novell NetWare environments, 134–135 Network, motivation for NTP deployment on, 93–94 ■INDEX146 Network Access Points (NAPs), decommissioning NSFnet in favor of, 34 Network Address Translation (NAT), 34 network administration and IT trends throughout history, 27–37 network infrastructure devices, main function of, 131–132 network infrastructure security, of an NTP security framework, 80 network security impact of public NTP servers’ use on, 102–103 importance of monitoring and periodic security audits, 81 importance of resource allocation, 81 importance of risk analysis to, 81 importance of threat identification to, 80 Network Time Protocol (NTP). See NTP (Network Time Protocol) network time synchronization project, areas of great concern, 59–60 networks effect of NTP operations on, 47 NTP deployment for small, medium, and large, 128–131 NTP deployment on with or without Internet access, 127–128 Newton’s theory of gravity vs. Einstein’s theory of relativity, 9–10 Next Generation Internet Initiative, Interplanetary Internet research as part of, 60–61 NIST. See U.S. National Institute of Standards and Technology nomodify parameter, used with restrict command in ntp.conf file, 112 nonconfigurable variables, in NTP, 79–80 nopeer parameter, used with restrict command in ntp.conf file, 112 noquery parameter, used with restrict command in ntp.conf file, 112 noserve parameter, used with restrict command in ntp.conf file, 113 notrap parameter, used with restrict command in ntp.conf file, 112 Novell NetWare environments, NetWare Loadable Modules (NLMs), 134–135 NSFnet, interconnection with regional networks, 34 NTP (Network Time Protocol) additonal resources, 139–140 additonal terms and definitions, 88–91 approach to design and configuration, 94–127 deployment concepts, 47–49 design, configuration, and troubleshooting, 93–136 determining features to configure for, 106–126 fundamental purpose of, 43 the hierarchical nature of, 48–49 how it operates, 47–54 a journey in time, 137 the key to time transcendence, 3–37 modes of operation and associations, 64–74 need for scalable and secure authentication, 60 network administrators absolute clock source, 44 operational, historical, and futuristic overview, 41–61 packet variables, 75 parameters variables, 75 peer variables, 75 port number assigned to, 43 reasons for using, 45–47 RFC 958 published in September 1985, 43 and routing, 48 security features, 116–122 servers, clients, hosts, and peers, 64–80 specification in NTP version 1, 56 story behind accuracy and synchronization of, 39–137 system variables, 75 time mechanism of choice for, 42 use of in the desktop environment, 132–133 use of within the network infrastructure, 131–132 variables and procedures, 74–80 websites dedicated to ongoing research, 140 websites dedicated to select vendors, 140 what it is, 43–44 What, Why, and How?, 42–54 NTP access control on Cisco router, 119–120 function of, 81–82 typical filtering mechanisms for, 82 ■INDEX 147 NTP architecture, 63–91 NTP associations defined, 89 modes of operation and, 64–74 NTP authentication, in Unix/Linux environments, 118 NTP authentication configuration, on a Cisco router, 122 NTP client, checking round-trip delays between servers and, 99 NTP client authentication configuration, on a Cisco Catalyst switch, 121–122 NTP clock-filter procedure, round-trip delay variable in, 72 NTP configuration additional options, 126 basic, 107–116 basic approach to, 95–96 basic for a Juniper router, 116 basic for Cisco router/switch, 113–116 basic for dedicated timeserver, 107–108 basic for Unix/Linux clients, 108–110 basic for Unix/Linux primary timeserver, 110–111 with monitoring and troubleshooting in mind, 135–136 need for scalability of, 59 typical for a Unix/Linux client, 111–113 NTP control messages, 51 functions of, 54 operation code values in, 54 NTP cryptographic authentication, as a security mechanism, 82–87 NTP daemon, ntpd/xntpd program for Linux/Unix, 134 NTP data message, structure of, 53 NTP deployment choosing your NTP time source, 94–95 deciding on the NTP topology design, 95 determining features to configure for, 95–96 guidelines for small, medium, and large networks, 128–131 importance of for businesses, 46–47 key steps for designing an effective, 94–96 monitoring and managing NTP operations, 96 motivation for on a network, 93–94 on networks with and without Internet access, 127–128 security considerations for, 80–87 NTP deployment concepts, 47–49 NTP design and configuration approach to, 94–127 choosing your NTP time source, 96–103 deciding upon NTP topology at deployment site, 104–106 determining NTP features to configure, 106–126 NTP devices, modes of operation and associations they form, 64–74 NTP features, determining what to configure, 106–126 NTP hierarchy, illustration of the concept of, 49 NTP messages, types and functions of, 50–54 NTP mode categories, 74 NTP modes of operation, and associations they form, 64–74 NTP networks configuration for large, 131 configuration for medium sized, 130 configuration for small, 129 large, 130–131 management of large, 131 management of medium sized, 130 management of small, 129 medium-size, 129–130 ratio of internal servers to end user devices for small, 129 time source for small, 129 time sources for large, 130 time sources for medium sized, 130 topology for large, 130 topology for medium sized, 130 topology for small, 129 NTP operational modes, 124–125 from the “Net Admin” perspective, 125 NTP operations monitoring and managing, 126–127 tips for dealing with problems, 133 troubleshooting, 133 NTP peer, used by many networking vendors, 107 NTP pool or public server(s) access policies, 100 availability consideration, 98–99 considerations for NTP deployment, 98–103 disadvantages of for NTP deployment, 99 NTP pool servers, website address for information about, 101 ■INDEX148 NTP proposal: RFC 958, 55 NTP query program, ntpq for Linux/Unix, 134 NTP sample analysis, components included in, 78 NTP sanity checks, 78–80 NTP security on Cisco routers and switches, 119–122 considerations for NTP deployment, 80–87 features of, 116–122 in Unix/Linux environments, 117–119 NTP server referred to as primary timeserver or a stratum 1 server, 44 viewed from a quantum perspective, 13–14 NTP service environment, described in NTP version 1, 56 NTP tests (sanity checks), relating to NTP message header and data validity, 78–79 NTP time sources choices for, 94–95 choices for networks with or without Internet access, 127–128 choosing for your NTP deployment, 94–95 consideration for public servers vs. NTP pool servers, 101 dedicated NTP servers, 87 factors involved in choosing, 96 local “masters” on the deployment network, 88 possible for NTP deployment, 87–88 public servers, 88 redundant, 123–124 summary of key features, 103 NTP topology deciding upon at the deployment site, 104 hub-and-spoke network infrastructure design, 105–106 impact of network physical topology and geography on, 106 level of network redundancy within, 104–105 NTP topology design, factors to consider in, 95 NTP variables configurable, 79 nonconfigurable, 79–80 NTP variables’ analysis first output from if client and server are synchronized, 76 fourth output for client and master again synchronized, 77 second output for time on the master advanced by 10-plus years, 76 third output for no synchronization, 77 NTP variables classes, sample analysis of, 75–80 NTP version 1: RFC 1059, key topics addressed by, 55–56 NTP version 2: RFC 1119, enhancements to over NTP version 1, 57 NTP version 3, modes specified in, 65–73 NTP version 3 data messages fields included in, 50–54 mode types and values for, 51 NTP version 3: RFC 1305, enhancements over NTP version 2, 57–58 NTP version 4 modes specified in, 65–73 utility for generating public and private keys, 85 NTP version 4 source code and cryptographic libraries, websites dedicated to, 140 NTP version 4 source files, website address for current release of, 85 NTP versions 1, 2, 3, and 4, 55–58 ntp.conf file parameters used with restrict command in, 112–113 statistics collection configuration on, 135 ntpdc utility a Linux/Unix query utility, 134 mode value normally used by, 51 ntp-genkeys utility, for generating public and private keys, 85 NTP-inherent security features, of an NTP security framework, 80 ntp-keygen program, for generating public and private keys, 134 ntp.keys file, structure of, 118–119 ntpq utility, mode value normally used by, 51 NTP-related information, websites dedicated to, 140 NTP-related programs and utilities, Linux/Unix, 134 ■INDEX 149 ntptrace utility, for tracing chain of NTP servers up to primary time source, 134 ntpupdate utility, for setting date and time via NTP, 134 ■O Offset, defined, 56, 89 Old Man of the Sea, Nereus known as, 29 Open System Interconnection (OSI) reference model, tracing basis of back to Troy, 33 OpenSSL library, website address, 85 operating system security, of an NTP security framework, 80 operation code values, in NTP control messages, 54 originate timestamp (64-bit unsigned fixed- point integer) field, in NTP version 3 data messages, 53 ■P packet variables, NTP (Network Time Protocol), 75 Palo Alto Research Center (PARC), employment of Bob Metcalf and David Boggs by, 32 parameters variables, NTP (Network Time Protocol), 75 Paris, son of King Priam of Troy, choice made by, 31 past, present, and future, as measures of time, 3 Past Worlds: Atlas of Archeology, quotation from, 28 Peer, terminology for in RFC 1305, 64 peer variables, NTP (Network Time Protocol), 75 Peleus, marriage to Thetis, 29–30 Period, defined, 8 per-VLAN spanning tree (PVST), 30 philosophical perspective, of time, 16 philosophy, defined, 16 physical network topology and geography, impact of on NTP topology, 106 point-to-multipoint modes, 74 point-to-point (unicast) modes, level of configuration needed by, 74 poll interval (8-bit signed integer) field, in NTP version 3 data messages, 51 Pope Gregory the XIII, calendar changes decreed by, 20 Postel, J., RFC 868 published by in May 1983, 42–43 precision (8-bit signed integer) field, in NTP version 3 data messages, 51–52 prehistoric times, 27–29 vs. written history period, 28 PREPnet, interconnection with NSFnet, 34 primary reference source, network administrators absolute clock source, 44 primary timeserver/stratum 1 server. See also dedicated private timeserver advantages of choosing for NTP deployment, 96–97 defined, 89 synchronization of time with UTC, 48 that sources time via GPS or NIST radio station, 44 private dedicated timeservers. See dedicated private timeservers private key cryptography, problem with key distribution in, 84 protocol machine, 89 public, defined in context of public key cryptography, 85 public key cryptography, advantage and disadvantage of, 84–85 public server(s) or NTP pool access policies, 100 administration of is on voluntary basis, 101 availability consideration, 98–99 considerations for NTP deployment, 98–103 disadvantages of for NTP deployment, 99 formula to protect you against falsetickers, 102 impact of on your network’s security, 102–103 security, accuracy, and load consideration, 100–102 websites dedicated to, 139 ■Q quantum mechanics, 12–14 ■R Raleigh, Sir Walter, “Even Such Is Time” by, 23 receive timestamp (64-bit unsigned fixed- point integer) field, in NTP version 3 data messages, 53 ■INDEX150 redundant NTP time sources redundancy between peers, 123 redundancy configuration on clients, 123–124 redundant secondary timeservers, 125 reference clock, 89, 90. See also primary reference source reference clock identifier (32-bit code) field, in NTP version 3 data messages, 52 reference clock IP addressing, 90 reference timestamp (64-bit unsigned fixed- point integer) field, in NTP version 3 data messages, 52 relative clock source, defined, 44 remote device, labels applicable to, 64 resource allocation, importance of for network security, 81 restrict command illustration of access control granularity through the use of, 117–118 meaning of parameters used with in ntp.conf file, 112–113 RFC 1059, NTP version 1, 55–56 RFC 1119, NTP version 2, 57 RFC 1305 mode value of 7 reserved by, 51 NTP version 3, 57–58 RFC 1305, Network Time Protocol (Version 3) Specification, Implementation and Analysis (University of Delaware, 1992) by David L. Mills, 140 RFC 1361, SNTP initially defined in, 58 RFC 1602, for information on the protocol standardization process, 51 RFC 1769, SNTP updated by, 58 RFC 1800, for information on the protocol standardization process, 51 RFC 2030 anycast mode in SNTP specification, 72–73 SNTP updated by, 58 RFC 2030, Simple Network Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI (University of Delaware, 1996) by David L. Mills, 140 RFC 3228, IANA Considerations for IPv4 IGMP addressed in, 72 RFC 3376, IGMP version 3 specified in, 72 RFC 868, “Time Protocol” published in May 1983, 42–43 RFC 958, the initial NTP proposal, 55 risk analysis, importance of for network security, 81 Rivest, Ronald L., Message Digest 5 (MD5) algorithm developed by, 83 Roman Empire ancient Rome and, 32–34 beginning of, 33 Roman Republic, end of, 33 root delay (32-bit signed fixed-point number) field, in NTP version 3 data messages, 52 root dispersion (32-bit signed fixed-point number) field, in NTP version 3 data messages, 52 round-trip delay, defined, 72 routing protocols improved for Internet stabilization, 34 preeminence of Border Gateway Protocol (BGP), 34 rule-of-thumb formula, for ascribing a size to a business, 129 ■S sanity checks, 77. See also NTP sanity checks; NTP tests (sanity checks) scientific perspective of time, 6–16 seasons, as measures of time’s passage, 4 secure authentication, functions performed in the course of facilitating, 86 secure NTP, 58 security audits, importance of for network security, 81 security mechanisms, incorporated in the Autokey protocol, 86–87 server, terminology for in RFC 1305, 64 server mode and association, function of, 69–71 servers, checking round-trip delays between NTP client and, 99 Shakespeare, William Sonnet 123 by, 24 Sonnet 64 by, 24 show ntp associations detail command, sample outputs on a Cisco router, 75–80 Simple Network Time Protocol (SNTP), evolution of, 58–59 Skew, defined, 90 SNTP, multicast mode available in, 71–72 SNTP version 4, specified by RFC 2030, 58 Sonnet 123, by William Shakespeare, 24 ■INDEX 151 Sonnet 64, by William Shakespeare, 24 space, 3 Spanning Tree Protocol (STP), similarity to Apple of Discord, 30 Sparta vs. Athens (determinism vs. creative chaos), as precursor to Token Ring LAN access method, 31–32 special theory of relativity, 10–11 state machine, 90 state variables and parameters, categorized in NTP version 1, 56 stratum, defined, 91 stratum 0 server, defined, 91 stratum 1 server. See also primary timeserver/stratum 1 server reference clock identifier (32-bit code) field, 52 stratum 2 server, reference clock identifier (32-bit code) field, 52 stratum (8-bit integer) field, in NTP version 3 data messages, 51 stratum numbers, for identifying NTP servers, 48–49 string theory, 15–16. See also superstring theory superstring theory, 14–16 supersymmetry theories, 15–16 SURAnet, interconnection with NSFnet, 34 symmetric active mode function of, 65–68 redundant NTP servers operating in, 67 symmetric key cryptography, initial implementation of, 83 symmetric passive mode, function of, 68 Symmetricom’s GPS timeserver, model NTS- 200, illustration of, 98 Symmetricom’s SyncServer S100, TCP/IP configuration screen for, 109 system monitoring, importance of for network security, 81 system variables, NTP (Network Time Protocol), 75 ■T TCP/IP, replacement of Network Control Protocol (NCP) by, 33 TCP/IP configuration screen, for Symmetricom’s SyncServer S100, 109 TCP/IP suite, NTP as an application services protocol within, 43–44 “The Autokey Security Architecture, Protocols, and Algorithms” RFC memo, published by David Mills, 86 The Cambridge Dictionary of Philosophy, definition of time from, 16 The Industrial Revolution (James A. Corrick), World History Series for young readers, 36 The Life of Greece, from the Story of Civilization series (Will Durant), 17 “The New Year”, by John Greenleaf Whittier, 24–25 theory of relativity. See also Einstein’s theory of relativity general, 11–12 special, 10–11 Thetis, 29–30 threat identification, importance of for network security, 80 time definition from The Cambridge Dictionary of Philosophy, 16 the historical perspective, 16–23 importance of accurate and synchronized on a network, 94 leap year the earthly synchronizer, 22–23 the literary perspective, 23–25 multiple views of, 3–25 the mysteries of, 25 the philosophical perspective, 16 prehistoric, 27–29 reference to in The Life of Greece, 17–18 references from Concise Routledge Encyclopedia of Philosophy, 16 the scientific perspective, 6–16 time consumers, defined, 91 time dilation factor, derived from Hendrik Lorentz’s transformation equations, 10–11 “Time Protocol”, RFC 868 published in May 1983, 42–43 time providers, defined, 91 time reference source, in NTP version 3 data messages, 52 time sources, possible for NTP deployment, 87–88 time synchronization importance of for time-dependent operational activities, 46 tools, 21 time transcendence, the key to, 3–37 ■INDEX152 time-dependent operational activities, importance of time synchronization for, 46 timestamps, values of in data messages, 54 Token Ring LAN access method, Sparta vs. Athens as precursor of, 31–32 Token Ring LAN controllers, initial shipment of by IBM, 31 transactional integrity, need for as motivation for NTP deployment on a network, 93 transmit timestamp (64-bit unsigned fixed- point integer) field, in NTP version 3 data messages, 53 Trojan War, networking aspects of, 29–31 Troubleshooting, NTP operations, 133 Truechimer, defined, 91 ■U undisciplined local clock, 109 Universal Solvent (US), application of to the “past” energy states, 35 Unix/Linux clients, basic NTP configuration of, 108–110 Unix/Linux environments NTP authentication in, 118 NTP security in, 117–119 Unix/Linux primary timeserver, basic NTP configuration of, 110–111 Unix/Linux workstations and servers, NTP programs for these environments, 133 U.S. National Institute of Standards and Technology call letters for radio stations operated by, 43 GPS satellite radio station operated by, 43 UTC. See Coordinated Universal Time (UTC) utilities ntpdc utility, 51 ntp-genkeys utility, 85 ntpq utility, 51 ■V version number (3-bit integer) field, in NTP version 3 data messages, 50–51 Virgil (Roman poet), epic poem Aeneid by, 32 ■W W32Time. See Windows Time service (W32Time) Watson, Thomas, Sr., one-time chairman of IBM, 36 website address for current release of NTP version 4 source files, 85 dedicated to ongoing research for NTP, 140 dedicated to select vendors for NTP, 140 for information about IPN, 61 for information about NTP pool servers, 101 for information about Symmetricom’s timeservers, 107 for OpenSSL library, 85 for public NTP stratum 1 server information, 48 for sites dedicated to Interplanetary Internet, 140 for sites dedicated to NTP version 4 source code and cryptographic libraries, 140 for sites dedicated to public servers and pools, 139 Western Empire, fall of, 33 Whittier, John Greenleaf, “The New Year” by, 24–25 Windows Time service (W32Time), time synchronization on Microsoft servers with, 132–133 written history period vs. Internet-era period, 28 vs. prehistoric times, 28 ■X Xerox Networking Service (XNS) protocol suite, 32 xntpd/ntpd daemon, drift file maintained by, 110 ■Z Zeus, interest in Thetis daughter of Nereus, 29–30 ■INDEX 153