Notes on setting up a NTP subnet

From NBS Special Publication 432 (out of print)

Introduction

This document is a collection of notes concerning the use of ntpd and related programs, and on coping with the Network Time Protocol (NTP) in general. It is a major rewrite and update of an earlier document written by Dennis Ferguson of the University of Toronto and includes many changes and additions resulting from the NTP Version 3 specification and new Version 4 implementation features. It supersedes earlier documents, which should no longer be used for new configurations.

ntpd includes a complete implementation of the NTP Version 3 specification, as defined in RFC-1305.

Additional features are described for NTP Version 4. It also retains compatibility with both NTP Version 2, as defined in RFC-1119, and NTP Version 1, as defined in RFC-1059, although this compatibility is sometimes strained and only semiautomatic. In order to support in principle the ultimate precision of about 232 picoseconds in the NTP specification (2^-32 s, the resolution of the 32-bit fraction field of a 64-bit NTP timestamp), ntpd uses the NTP timestamp format for external communication and double-precision floating point arithmetic internally. ntpd fully implements NTP Versions 2 and 3 authentication and, in addition, Version 4 autokey. It supports the NTP mode-6 control message facility along with a private mode-7 control-message facility used to remotely reconfigure the system and monitor a considerable amount of internal detail. As an extension to the specification, a flexible address-and-mask restriction facility has been included.

The code is biased towards the needs of a busy time server with numerous, often hundreds, of clients and other servers. Tables are hashed to allow efficient handling of many associations, though at the expense of additional overhead when the number of associations is small. Many fancy features have been included to permit efficient management and monitoring of a busy primary server, features which are probably excess baggage for a high stratum client. In such cases, a stripped-down version of the protocol, the Simple Network Time Protocol (SNTP), can be used. SNTP and NTP servers and clients can interwork in most situations, as described in: Mills, D.L. Simple Network Time Protocol (SNTP). Network Working Group Report RFC-2030, University of Delaware, October 1996, 14 pp. (ASCII).

The code was written with near-demonic attention to details which can affect precision and as a consequence should be able to make good use of high performance, special purpose hardware such as precision oscillators and radio clocks. The present code supports a number of radio clocks, including those for the WWV, CHU, WWVB, MSF, DCF77, GOES and GPS radio and satellite time services and the USNO, ACTS and PTB modem time services. It also supports the IRIG-B and IRIG-E signal formats connected via an audio codec. The server methodically avoids the use of Unix-specific library routines where possible by implementing local versions, in order to aid in porting the code to perverse Unix and non-Unix platforms.

While this implementation conforms in most respects to the NTP Version 3 specification RFC-1305, a number of improvements have been made which are described in the conformance statement in the Further Information and Bibliography page. It has been specifically tuned to achieve the highest accuracy possible whatever hardware and operating-system platform is available. In general, its precision and stability are limited only by the characteristics of the onboard clock source used by the hardware and operating system, usually an uncompensated crystal oscillator. On modern RISC-based processors connected directly to radio clocks via serial-asynchronous interfaces, the accuracy is usually limited by the radio clock and interface to the order of a millisecond or less. The code includes special features to support a pulse-per-second (PPS) signal and/or an IRIG-B signal generated by some radio clocks. When used in conjunction with a suitable hardware level converter, the accuracy can be improved to a few tens of microseconds. Further improvement is possible using an outboard, stabilized frequency source, in which case the accuracy and stability are limited only by the characteristics of that source.

The NTP Version 4 distribution includes, in addition to the daemon itself (ntpd), several utility programs, including two remote-monitoring programs (ntpq, ntpdc), a remote clock-setting program similar to the Unix rdate program (ntpdate), a traceback utility useful to discover suitable synchronization sources (ntptrace), and various programs used to configure the local platform and calibrate the intrinsic errors. NTP has been ported to a large number of platforms, including most RISC and CISC workstations and mainframes manufactured today. Example configuration files for many models of these machines are included in the distribution. While in most cases the standard version of the implementation runs with no hardware or operating system modifications, not all features of the distribution are available on all platforms. For instance, a special feature allowing Sun workstations to achieve accuracies in the order of 100 microseconds requires some minor changes and additions to the kernel and input/output support.

There are, however, several drawbacks to all of this. ntpd is quite fat. This is rotten if your intended platform for the daemon is memory limited. ntpd uses SIGIO for all input, a facility which appears not to enjoy universal support and whose use seems to exercise the parts of your vendors' kernels which are most likely to have been done poorly. The code is unforgiving in the face of kernel problems which affect performance, and generally requires that you repair the problems in order to achieve acceptable performance. The code has a distinctly experimental flavour and contains features which could charitably be termed failed experiments, but which have not been completely hacked out. Much was learned from the addition of support for a variety of radio clocks, with the result that some radio clock drivers could use some rewriting.

How NTP Works

The approach used by NTP to achieve reliable time synchronization from a set of possibly unreliable remote time servers is somewhat different from that of other protocols. In particular, NTP does not attempt to synchronize clocks to each other. Rather, each server attempts to synchronize to Coordinated Universal Time (UTC) using the best available source and available transmission paths to that source. This is a fine point which is worth understanding. A group of NTP-synchronized clocks may be close to each other in time, but this is not a consequence of the clocks in the group having synchronized to each other, but rather because each clock has synchronized closely to UTC via the best source it has access to. As such, trying to synchronize a set of clocks to a set of servers whose time is not in mutual agreement may not result in any sort of useful synchronization of the clocks, even if you don't care about UTC. However, in networks isolated from UTC sources, provisions can be made to nominate one of them as a phantom UTC source.

NTP operates on the premise that there is one true standard time, and that if several servers which claim synchronization to standard time disagree about what that time is, then one or more of them must be broken. There is no attempt to resolve differences more gracefully, since the premise is that substantial differences cannot exist. In essence, NTP expects that the time being distributed from the root of the synchronization subnet will be derived from some external source of UTC (e.g., a radio clock). This makes it somewhat inconvenient (though by no means impossible) to synchronize hosts together without a reliable source of UTC to synchronize them to. If your network is isolated and you cannot access other people's servers across the Internet, a radio clock may make a good investment.

Time is distributed through a hierarchy of NTP servers, with each server adopting a stratum which indicates how far away from an external source of UTC it is operating. Stratum-1 servers, which are at the top of the pile (or bottom, depending on your point of view), have access to some external time source, usually a radio clock synchronized to time signal broadcasts from radio stations which explicitly provide a standard time service. A stratum-2 server is one which is currently obtaining time from a stratum-1 server, a stratum-3 server gets its time from a stratum-2 server, and so on. To avoid long-lived synchronization loops the number of strata is limited to 15.

Each client in the synchronization subnet (which may also be a server for other, higher stratum clients) chooses exactly one of the available servers to synchronize to, usually from among the lowest stratum servers it has access to. This is, however, not always an optimal configuration, for indeed NTP operates under another premise as well, that each server's time should be viewed with a certain amount of distrust. NTP really prefers to have access to several sources of lower stratum time (at least three) since it can then apply an agreement algorithm to detect insanity on the part of any one of these. Normally, when all servers are in agreement, NTP will choose the best of these, where "best" is defined in terms of lowest stratum, closest (in terms of network delay) and claimed precision, along with several other considerations. The implication is that, while one should aim to provide each client with three or more sources of lower stratum time, several of these will only be providing backup service and may be of lesser quality in terms of network delay and stratum (i.e., a same-stratum peer which receives time from lower stratum sources the local server doesn't access directly can also provide good backup service).

Finally, there is the issue of association modes. There are a number of modes in which NTP servers can associate with each other, with the mode of each server in the pair indicating the behaviour the other server can expect from it. In particular, when configuring a server to obtain time from other servers, there is a choice of two modes which may be used. Configuring an association in symmetric-active mode (usually indicated by a peer declaration in the configuration file) indicates to the remote server that one wishes to obtain time from the remote server and that one is also willing to supply time to the remote server if need be. This mode is appropriate in configurations involving a number of redundant time servers interconnected via diverse network paths, which is presently the case for most stratum-1 and stratum-2 servers on the Internet today. Configuring an association in client mode (usually indicated by a server declaration in the configuration file) indicates that one wishes to obtain time from the remote server, but that one is not willing to provide time to the remote server. This mode is appropriate for file-server and workstation clients that do not provide synchronization to other local clients. Client mode is also useful for boot-date-setting programs and the like, which really have no time to provide and which don't retain state about associations over the longer term.

Where the requirements in accuracy and reliability are modest, clients can be configured to use broadcast and/or multicast modes. These modes are not normally utilized by servers with dependent clients. The advantage of these modes is that clients do not need to be configured for a specific server, so that all clients can use the same configuration file. Broadcast mode requires a broadcast server on the same subnet, while multicast mode requires support for IP multicast on the client machine, as well as connectivity via the MBONE to a multicast server. Since broadcast messages are not propagated by routers, only those broadcast servers on the same subnet will be used. There is at present no way to select which of possibly many multicast servers will be used, since all operate on the same group address. Note also that a broadcast or multicast client accepts time from whichever host on the subnet is sending, so these modes are best combined with the authentication facility described later.

Where the maximum accuracy and reliability provided by NTP are needed, clients and servers operate in either client/server or symmetric modes. Symmetric modes are most often used between two or more servers operating as a mutually redundant group. In these modes, the servers in the group arrange the synchronization paths for maximum performance, depending on network jitter and propagation delay. If one or more of the group members fail, the remaining members automatically reconfigure as required. Dependent clients and servers normally operate in client/server mode, in which a client or dependent server can be synchronized to a group member, but no group member can synchronize to the client or dependent server. This provides protection against malfunctions or protocol attacks.

Servers that provide synchronization to a sizeable population of clients normally operate as a group of three or more mutually redundant servers, each operating with three or more stratum-one or stratum-two servers in client/server mode, as well as with all other members of the group in symmetric modes. This provides protection against malfunctions in which one or more servers fail to operate or provide incorrect time. The NTP algorithms have been specifically engineered to resist attacks where some fraction of the configured synchronization sources accidentally or purposely provide incorrect time. In these cases a special voting procedure is used to identify spurious sources and discard their data.

Configuring Your Subnet

At startup time the ntpd daemon running on a host reads the initial configuration information from a file, usually /etc/ntp.conf, unless a different name has been specified at compile time. Putting something in this file which will enable the host to obtain time from somewhere else is usually the first big hurdle after installation of the software itself, which is described in the Building and Installing the Distribution page. At its simplest, what you need to do in the configuration file is declare the servers that the daemon should poll for time synchronization. In principle, no such list is needed if some other time server operating in broadcast/multicast mode is available, which requires the client to operate in broadcastclient mode.

In the case of a workstation operating in an enterprise network for a public or private organization, there is often an administrative department that coordinates network services, including NTP. Where available, the addresses of appropriate servers can be provided by that department. However, if this infrastructure is not available, it is necessary to explore some portion of the existing NTP subnet now running in the Internet. There are at present many thousands of time servers running NTP in the Internet, a significant number of which are willing to provide a public time-synchronization service. Some of these are listed in the list of public time servers, which can be accessed via the NTP web page. These data are updated on a regular basis using information provided voluntarily by various site administrators. There are other ways to explore the nearby subnet using the ntptrace and ntpdc programs.

It is vital to carefully consider the issues of robustness and reliability when selecting the sources of synchronization. Normally, not less than three sources should be available, preferably selected to avoid common points of failure. It is usually better to choose sources which are likely to be "close" to you in terms of network topology, though you shouldn't worry overly about this if you are unable to determine who is close and who isn't. Normally, it is much more serious when a server becomes faulty and delivers incorrect time than when it simply stops operating, since an NTP-synchronized host normally can coast for hours or even days without its clock accumulating serious error approaching a second, for instance. Selecting at least three sources from different operating administrations, where possible, is the minimum recommended, although a lesser number could provide acceptable service with a degraded degree of robustness.

Normally, it is not considered good practice for a single workstation to request synchronization from a primary (stratum-1) time server. At present, these servers provide synchronization for hundreds of clients in many cases and could, along with the network access paths, become seriously overloaded if large numbers of workstation clients requested synchronization directly. Therefore, workstations located in sparsely populated administrative domains with no local synchronization infrastructure should request synchronization from nearby stratum-2 servers instead. In most cases the keepers of those servers in the lists of public servers provide unrestricted access without prior permission; however, in all cases it is considered polite to notify the administrator listed in the file upon commencement of regular service. In all cases the access mode and notification requirements listed in the file must be respected. Under no conditions should servers not in these lists be used without prior permission, as to do so can create severe problems in the local infrastructure, especially in cases of dial-up access to the Internet.

In the case of a gateway or file server providing service to a significant number of workstations or file servers in an enterprise network, it is even more important to provide multiple, redundant sources of synchronization and multiple, diversity-routed network access paths. The preferred configuration is at least three administratively coordinated time servers providing service throughout the administrative domain, including campus networks and subnetworks. Each of these should obtain service from at least two different outside sources of synchronization, preferably via different gateways and access paths. These sources should all operate at the same stratum level, which is one less than the stratum level to be used by the local time servers themselves. In addition, each of these time servers should peer with all of the other time servers in the local administrative domain at the stratum level used by the local time servers, as well as with at least one (different) outside source at this level. This configuration results in the use of six outside sources at a lower stratum level (toward the primary source of synchronization, usually a radio clock), plus three outside sources at the same stratum level, for a total of nine outside sources of synchronization. While this may seem excessive, the actual load on network resources is minimal, since the interval between polling messages exchanged between peers usually ratchets back to no more than one message every 17 minutes.

The stratum level to be used by the local time servers is an engineering choice. As a matter of policy, and in order to reduce the load on the primary servers, it is desirable to use the highest stratum consistent with reliable, accurate time synchronization throughout the administrative domain. In the case of enterprise networks serving hundreds or thousands of client file servers and workstations, conventional practice is to obtain service from stratum-1 primary servers listed for public access. When choosing sources away from the primary sources, the particular synchronization path in use at any time can be verified using the ntptrace program included in this distribution. It is important to avoid loops and possible common points of failure when selecting these sources. Note that, while NTP detects and rejects loops involving neighboring servers, it does not detect loops involving intervening servers. In the unlikely case that all primary sources of synchronization are lost throughout the subnet, the remaining servers on that subnet can form temporary loops and, if the loss continues for an interval of many hours, the servers will drop off the subnet and free-run with respect to their internal (disciplined) timing sources. After some period with no outside timing source (currently one day), a host will declare itself unsynchronized and provide this information to local application programs.

In many cases the purchase of one or more radio clocks is justified, in which case good engineering practice is to use the configurations described above anyway and connect the radio clock to one of the local servers. This server is then encouraged to participate in a special primary-server subnetwork in which each radio-equipped server peers with several other similarly equipped servers. In this way the radio-equipped server may provide synchronization, as well as receive synchronization, should the local or remote radio clock(s) fail or become faulty. ntpd treats attached radio clock(s) in the same way as other servers and applies the same criteria and algorithms to their time indications, so it can detect when the radio fails or becomes faulty and switch to alternate sources of synchronization. It is strongly advised, and is in practice for most primary servers today, to employ the authentication or access-control features of the NTP specification in order to protect against hostile intruders and possible destabilization of the time service. Using this or similar strategies, the remaining hosts in the same administrative domain can be synchronized to the three (or more) selected time servers. Assuming these servers are synchronized directly to stratum-1 sources and operate normally as stratum-2, the next level away from the primary source of synchronization, for instance various campus file servers, will operate at stratum 3 and dependent workstations at stratum 4. Engineered correctly, such a subnet will survive all but the most exotic failures or even hostile penetrations of the various, distributed timekeeping resources.

The above arrangement should provide very good, robust time service with a minimum of traffic to distant servers and with manageable loads on the local servers. While it is theoretically possible to extend the synchronization subnet to even higher strata, this is seldom justified and can make the maintenance of configuration files unmanageable. Serving time to a higher stratum peer is very inexpensive in terms of the load on the lower stratum server if the latter is located on the same concatenated LAN. When justified by the accuracy expectations, NTP can be operated in broadcast and multicast modes, so that clients need only listen for periodic broadcasts and do not need to send anything.

When planning your network you might, beyond this, keep in mind a few generic don'ts, in particular:

There are many useful exceptions to these rules. When in doubt, however, follow them.

Configuring Your Server or Client

As mentioned previously, the configuration file is usually called /etc/ntp.conf. This is an ASCII file conforming to the usual comment and whitespace conventions. A working configuration file might look like the following (in this and other examples, do not copy this directly):
     # peer configuration for host whimsy
     # (expected to operate at stratum 2)

     server rackety.udel.edu
     server umd1.umd.edu
     server lilben.tn.cornell.edu

     driftfile /etc/ntp.drift
(Note the use of host names, although host addresses in dotted-quad notation can also be used. It is always preferable to use names rather than addresses, since over time the addresses can change, while the names seldom change.)

This particular host is expected to operate as a client at stratum 2 by virtue of the server keyword and the fact that two of the three servers declared (the first two) have radio clocks and usually run at stratum 1. The third server in the list has no radio clock, but is known to maintain associations with a number of stratum 1 peers and usually operates at stratum 2. Of particular importance with the last host is that it maintains associations with peers besides the two stratum 1 peers mentioned. This can be verified using the ntpq program mentioned above. When configured using the server keyword, this host can receive synchronization from any of the listed servers, but can never provide synchronization to them.

Unless restricted using facilities described later, this host can provide synchronization to dependent clients, which do not have to be listed in the configuration file. Associations maintained for these clients are transitory and result in no persistent state in the host. These clients are normally not visible using the ntpq program included in the distribution; however, ntpd includes a monitoring feature (described later) which caches a minimal amount of client information useful for debugging and administrative purposes.

A time server expected to both receive synchronization from another server and provide synchronization to it is declared using the peer keyword instead of the server keyword. In all other aspects the server operates the same in either mode and can provide synchronization to dependent clients or other peers. If a local source of UTC time is available, it is considered good engineering practice to declare time servers outside the administrative domain as peer and those inside as server, in order to provide redundancy in the global Internet while minimizing the possibility of instability within the domain itself. A time server in one domain can in principle heal another domain temporarily isolated from all other sources of synchronization. However, it is probably unwise for a casual workstation to bridge fragments of the local domain which have become temporarily isolated.

Note the inclusion of a driftfile declaration. One of the things the NTP daemon does when it is first started is to compute the error in the intrinsic frequency of the clock on the computer it is running on. It usually takes about a day or so after the daemon is started to compute a good estimate of this (and it needs a good estimate to synchronize closely to its server). Once the initial value is computed, it will change only by relatively small amounts during the course of continued operation. The driftfile declaration indicates to the daemon the name of a file where it may store the current value of the frequency error so that, if the daemon is stopped and restarted, it can reinitialize itself to the previous estimate and avoid the day's worth of time it would take to recompute the frequency estimate. Since this is a desirable feature, a driftfile declaration should always be included in the configuration file.

An implication of the above is that, should ntpd be stopped for some reason, the local platform time will diverge from UTC by an amount that depends on the intrinsic error of the clock oscillator and the time since it was last synchronized. In view of the length of time necessary to refine the frequency estimate, every effort should be made to operate the daemon on a continuous basis and minimize the interval during which, for some reason, it is not running.

Configuring NTP with NetInfo

If NetInfo support is compiled into NTP, you can opt to configure ntp in your NetInfo domain. NTP will look in the NetInfo directory /locations/ntp for property/value pairs which are equivalent to the lines in the configuration file described above. Each configuration keyword may have a corresponding property in NetInfo. Each value of a given property is treated as the arguments to that property, similar to a line in the configuration file.

For example, the configuration shown in the configuration file above can be duplicated in NetInfo by adding a property "server" with values "rackety.udel.edu", "umd1.umd.edu", and "lilben.tn.cornell.edu", and a property "driftfile" with the single value "/etc/ntp.drift".

Values may contain multiple tokens, similar to the arguments available in the configuration file. For example, to use mimsy.mil as an NTP version 1 time server, you would add a value "mimsy.mil version 1" to the "server" property.

Ntp4 Versus Previous Versions

There are several items of note when dealing with a mixture of ntp4 and previous distributions of NTP Version 2 (ntpd) and NTP Version 1 (ntp3.4). The ntp4 implementation conforms to the NTP Version 3 specification RFC-1305 and, in addition, contains additional features documented in the Release Notes page. As such, by default, when no additional information is available concerning the preferences of the peer, ntpd claims to be version 4 in the packets that it sends from configured associations. The version subcommand of the server, peer, broadcast and manycastclient commands can be used to change the default. In unconfigured (ephemeral) associations, the daemon always replies in the same version as the request.

An NTP implementation conforming to a previous version specification ordinarily discards packets from a later version. However, in most respects documented in RFC-1305, the version 2 implementation is compatible with the version 3 algorithms and protocol. The version 1 implementation contains most of the version 2 algorithms, but without important features for clock selection and robustness. Nevertheless, in most respects the NTP versions are backwards compatible. The sticky part here is that, when a previous version implementation receives a packet claiming to be from a version 4 server, it discards it without further processing. Hence there is a danger that in some situations synchronization with previous versions will fail.

The trouble occurs when a previous version server is to be included in an ntpd configuration file. With no further indication, ntpd will send packets claiming to be version 4 when it polls. To get around this, ntpd allows a qualifier to be added to configuration entries to indicate which version to use when polling. Hence the entries

     # specify NTP version 1

     server mimsy.mil version 1     # server running ntpd version 1
     server apple.com version 2     # server running ntpd version 2
will cause version 1 packets to be sent to the host mimsy.mil and version 2 packets to be sent to apple.com. If you are testing ntpd against previous version servers you will need to be careful about this. Note that, as indicated in the RFC-1305 specification, there is no longer support for the original NTP specification, once called NTP Version 0.

Traffic Monitoring

ntpd handles peers whose stratum is higher than the stratum of the local server and which poll using client mode by a fast path which minimizes the work done in responding to their polls, and normally retains no memory of these pollers. Sometimes, however, it is interesting to be able to determine who is polling the server, and how often, as well as who has been sending other types of queries to the server.

To allow this, ntpd implements a traffic monitoring facility which records the source address and a minimal amount of other information from each packet which is received by the server. This feature is normally enabled, but can be disabled if desired using the configuration file entry:

     # disable monitoring feature
     disable monitor
The recorded information can be displayed using the ntpdc query program, described briefly below.

Address-and-Mask Restrictions

The address-and-mask configuration facility supported by ntpd is quite flexible and general, but is not an integral part of the NTP Version 3 specification. The major drawback is that, while the internal implementation is very nice, the user interface is not. For this reason it is probably worth doing an example here. Briefly, the facility works as follows. There is an internal list, each entry of which holds an address, a mask and a set of flags. On receipt of a packet, the source address of the packet is compared to each entry in the list, with a match being posted when the following is true:
     (source_addr & mask) == (address & mask)
A particular source address may match several list entries. In this case the entry with the most one bits in the mask is chosen. The flags associated with this entry are used to control the access.

In the current implementation the flags always add restrictions. In effect, an entry with no flags set leaves matching hosts unrestricted. An entry can be added to the internal list using a restrict declaration. The flags associated with the entry are specified textually. For example, the notrust flag indicates that hosts matching this entry, while treated normally in other respects, shouldn't be trusted to provide synchronization even if otherwise so enabled. The nomodify flag indicates that hosts matching this entry should not be allowed to do run-time configuration. There are many more flags; see the ntpd page.

Now the example. Suppose you are running the server on a host whose address is 128.100.100.7. You would like to ensure that run-time reconfiguration requests can only be made from the local host, and that the server only ever synchronizes to one of a pair of off-campus servers or, failing that, a time source on net 128.100. The following entries in the configuration file would implement this policy:

     # by default, don't trust and don't allow modifications

     restrict default notrust nomodify

     # these guys are trusted for time, but no modifications allowed

     restrict 128.100.0.0 mask 255.255.0.0 nomodify
     restrict 128.8.10.1 nomodify
     restrict 192.35.82.50 nomodify

     # the local addresses are unrestricted

     restrict 128.100.100.7
     restrict 127.0.0.1
The first entry is the default entry, which all hosts match and hence which provides the default set of flags. The next three entries indicate that matching hosts will only have the nomodify flag set and hence will be trusted for time. If the mask isn't specified in the restrict keyword, it defaults to 255.255.255.255. Note that the address 128.100.100.7 matches three entries in the table, the default entry (mask 0.0.0.0), the entry for net 128.100 (mask 255.255.0.0) and the entry for the host itself (mask 255.255.255.255). As expected, the flags for the host are derived from the last entry since the mask has the most bits set.

The only other thing worth mentioning is that the restrict declarations apply to packets from all hosts, including those that are configured elsewhere in the configuration file and even including your clock pseudopeer(s), if any. Hence, if you specify a default set of restrictions which you don't wish to be applied to your configured peers, you must remove those restrictions for the configured peers with additional restrict declarations mentioning each peer separately.
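As an added illustration (not part of the original notes or of ntpd itself), here is a small Python model of the restrict-list matching just described, run over the example entries above; parse_restrict_lines and lookup are hypothetical helper names.

```python
import ipaddress

# Constructed sample input: the restrict entries from the example
# configuration in these notes (host 128.100.100.7).
SAMPLE_CONFIG = """
# by default, don't trust and don't allow modifications
restrict default notrust nomodify

# these guys are trusted for time, but no modifications allowed
restrict 128.100.0.0 mask 255.255.0.0 nomodify
restrict 128.8.10.1 nomodify
restrict 192.35.82.50 nomodify

# the local addresses are unrestricted
restrict 128.100.100.7
restrict 127.0.0.1
"""


def parse_restrict_lines(text):
    """Parse 'restrict' declarations into (address, mask, flags) entries.

    Addresses and masks are kept as 32-bit integers.  'restrict default' is
    address 0.0.0.0 with mask 0.0.0.0, and a missing 'mask' clause defaults
    to 255.255.255.255, as the notes state.  Non-restrict lines are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict":
            continue
        if tokens[1] == "default":
            addr, mask, flags = 0, 0, tokens[2:]
        else:
            addr = int(ipaddress.IPv4Address(tokens[1]))
            flags = tokens[2:]
            if flags[:1] == ["mask"]:
                mask = int(ipaddress.IPv4Address(flags[1]))
                flags = flags[2:]
            else:
                mask = 0xFFFFFFFF
        entries.append((addr, mask, frozenset(flags)))
    return entries


def lookup(entries, source):
    """Return the flag set that applies to packets from 'source'.

    An entry matches when (source & mask) == (address & mask); among the
    matching entries the one whose mask has the most one bits wins.  Ties
    go to the earlier entry (the notes do not specify tie-breaking).
    Returns None when nothing matches (impossible once a default exists).
    """
    src = int(ipaddress.IPv4Address(source))
    best = None
    for addr, mask, flags in entries:
        if (src & mask) != (addr & mask):
            continue
        if best is None or bin(mask).count("1") > bin(best[0]).count("1"):
            best = (mask, flags)
    return set(best[1]) if best else None


if __name__ == "__main__":
    table = parse_restrict_lines(SAMPLE_CONFIG)
    for host in ("128.100.100.7", "128.100.5.5", "192.35.82.50",
                 "127.0.0.1", "10.1.1.1"):
        print("%-15s -> %s" % (host, sorted(lookup(table, host)) or "unrestricted"))
```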

Authentication

ntpd supports the optional authentication procedure specified in the NTP Version 2 and 3 specifications. Briefly, when an association runs in authenticated mode, each packet transmitted has appended to it a 32-bit key ID and a 64/128-bit cryptographic checksum of the packet contents computed using either the Data Encryption Standard (DES) or Message Digest (MD5) algorithms. Note that, while either of these algorithms provide sufficient protection from message-modification attacks, distribution of the former algorithm implementation is restricted to the U.S. and Canada, while the latter presently is free from such restrictions. For this reason, the DES algorithm is not included in the current distribution. Directions for obtaining it in other countries are in the Building and Installing the Distribution page. With either algorithm the receiving peer recomputes the checksum and compares it with the one included in the packet. For this to work, the peers must share at least one encryption key and, furthermore, must associate the shared key with the same key ID.

This facility requires some minor modifications to the basic packet processing procedures, as required by the specification. These modifications are enabled by the enable auth configuration declaration, which is currently the default. In authenticated mode, peers which send unauthenticated packets, peers which send authenticated packets which the local server is unable to decrypt and peers which send authenticated packets encrypted using a key we don't trust are all marked untrustworthy and unsuitable for synchronization. Note that, while the server may know many keys (identified by many key IDs), it is possible to declare only a subset of these as trusted. This allows the server to share keys with a client which requires authenticated time and which trusts the server, but which is not trusted by the server. Also, some additional configuration language is required to specify the key ID to be used to authenticate each configured peer association. Hence, for a server running in authenticated mode, the configuration file might look similar to the following:

     # peer configuration for 128.100.100.7
     # (expected to operate at stratum 2)
     # fully authenticated this time

     peer 128.100.49.105 key 22    # suzuki.cci.utoronto.ca
     peer 128.8.10.1 key 4         # umd1.umd.edu
     peer 192.35.82.50 key 6       # lilben.tn.cornell.edu

     keys /usr/local/etc/ntp.keys  # path for key file
     trustedkey 1 2 14 15          # define trusted keys
     requestkey 15                 # key (7) for accessing server variables
     controlkey 15                 # key (6) for accessing server variables

     authdelay 0.000094            # authentication delay (Sun4c/50 IPX)
There are a couple of previously unmentioned things in here. The keys line specifies the path to the keys file (see below and the ntpd document page for details of the file format). The trustedkey declaration identifies those keys that are known to be uncompromised; the remainder presumably represent the expired or possibly compromised keys. Both sets of keys must be declared by key identifier in the ntp.keys file described below. This provides a way to retire old keys while minimizing the frequency of delicate key-distribution procedures. The requestkey line establishes the key to be used for mode-6 control messages as specified in RFC-1305 and used by the ntpq utility program, while the controlkey line establishes the key to be used for mode-7 private control messages used by the ntpdc utility program. These keys are used to prevent unauthorized modification of daemon variables.

Ordinarily, the authentication delay; that is, the processing time taken between the freezing of a transmit timestamp and the actual transmission of the packet when authentication is enabled (i.e. more or less the time it takes for the DES or MD5 routine to encrypt a single block) is computed automatically by the daemon. If necessary, the delay can be overridden by the authdelay line, which is used as a correction for the transmit timestamp. This can be computed for your CPU by the authspeed program included in the distribution. The usage is illustrated by the following:

     # for DES keys

     authspeed -n 30000 auth.samplekeys

     # for MD5 keys

     authspeed -mn 30000 auth.samplekeys
Additional utility programs included in the ./authstuff directory can be used to generate random keys, certify implementation correctness and display sample keys. As a general rule, keys should be chosen randomly, except possibly the request and control keys, which must be entered by the user as a password.

The ntp.keys file contains the list of keys and associated key IDs the server knows about (for obvious reasons this file is better left unreadable by anyone except root). The contents of this file might look like:

     # ntp keys file (ntp.keys)
     1    N   29233E0461ECD6AE    # des key in NTP format
     2    M   RIrop8KPPvQvYotM    # md5 key as an ASCII random string
     14   M   sundial             # md5 key as an ASCII string
     15   A   sundial             # des key as an ASCII string

     # the following 3 keys are identical

     10   A    SeCReT
     10   N    d3e54352e5548080
     10   S    a7cb86a4cba80101
In the keys file the first token on each line indicates the key ID, the second token the format of the key and the third the key itself. There are four key formats. An A indicates a DES key written as a 1-to-8 character string in 7-bit ASCII representation, with each character standing for a key octet (like a Unix password). An S indicates a DES key written as a hex number in the DES standard format, with the low order bit (LSB) of each octet being the (odd) parity bit. An N indicates a DES key again written as a hex number, but in NTP standard format with the high order bit of each octet being the (odd) parity bit (confusing enough?). An M indicates an MD5 key written as a 1-to-31 character ASCII string in the A format. Note that, because of the simple tokenizing routine, the characters ' ', '#', '\t', '\n' and '\0' can't be used in either a DES or MD5 ASCII key. Everything else is fair game, though. Key 0 (zero) is used for special purposes and should not appear in this file.
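An added example, not from the original notes or the ntp distribution: a Python parser for the ntp.keys format described above that normalizes A, S and N DES keys to NTP format, checks the odd-parity bits, rejects the forbidden characters and key ID 0, and confirms that the three key-10 entries shown above are indeed identical. The function names are hypothetical.

```python
# Constructed sample input: the ntp.keys contents shown in these notes.
SAMPLE_KEYS = """\
# ntp keys file (ntp.keys)
1    N   29233E0461ECD6AE    # des key in NTP format
2    M   RIrop8KPPvQvYotM    # md5 key as an ASCII random string
14   M   sundial             # md5 key as an ASCII string
15   A   sundial             # des key as an ASCII string

# the following 3 keys are identical

10   A    SeCReT
10   N    d3e54352e5548080
10   S    a7cb86a4cba80101
"""

# Characters the simple tokenizer cannot accept inside an ASCII key.
FORBIDDEN = set(" #\t\n\0")


def parity_bit(data7):
    """Odd-parity bit for 7 data bits: 1 if they hold an even number of ones."""
    return 0 if bin(data7 & 0x7F).count("1") % 2 else 1


def des_key_to_ntp(fmt, key):
    """Normalize a DES key in A, S or N format to 8 octets in NTP format,
    i.e. the high-order bit of each octet is the odd parity bit.

    A: 1-to-8 ASCII characters, each a key octet, zero-padded on the right.
    S: 16 hex digits, DES standard format, parity in the low-order bit.
    N: 16 hex digits, NTP format, parity in the high-order bit (verified).
    """
    if fmt == "A":
        if not 1 <= len(key) <= 8 or FORBIDDEN & set(key):
            raise ValueError("bad ASCII DES key %r" % key)
        raw = key.encode("ascii").ljust(8, b"\0")
        return bytes((parity_bit(c) << 7) | (c & 0x7F) for c in raw)
    raw = bytes.fromhex(key)
    if len(raw) != 8:
        raise ValueError("DES key must be exactly 8 octets")
    if fmt == "N":
        for octet in raw:
            if bin(octet).count("1") % 2 == 0:
                raise ValueError("octet 0x%02x fails odd parity" % octet)
        return raw
    if fmt == "S":
        out = bytearray()
        for octet in raw:
            data7 = octet >> 1
            if (octet & 1) != parity_bit(data7):
                raise ValueError("octet 0x%02x fails odd parity" % octet)
            out.append((parity_bit(data7) << 7) | data7)
        return bytes(out)
    raise ValueError("unknown key format %r" % fmt)


def parse_keys(text):
    """Parse ntp.keys lines into (key_id, format, key_bytes) triples.

    DES keys (A, S, N) are returned normalized to NTP format so that
    equivalent spellings compare equal; MD5 keys (M) are returned as the
    ASCII bytes.  Key ID 0 is reserved and rejected.
    """
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' can never be part of a key
        if not line:
            continue
        key_id, fmt, key = line.split()[:3]
        key_id = int(key_id)
        if key_id == 0:
            raise ValueError("key ID 0 is reserved and must not appear")
        if fmt == "M":
            if not 1 <= len(key) <= 31 or FORBIDDEN & set(key):
                raise ValueError("bad MD5 key for ID %d" % key_id)
            result.append((key_id, fmt, key.encode("ascii")))
        else:
            result.append((key_id, fmt, des_key_to_ntp(fmt, key)))
    return result


def identical_spellings(entries, key_id):
    """True if every entry with this ID normalizes to the same key octets."""
    keys = [k for i, _, k in entries if i == key_id]
    return len(keys) > 1 and all(k == keys[0] for k in keys)


if __name__ == "__main__":
    entries = parse_keys(SAMPLE_KEYS)
    for key_id, fmt, key in entries:
        print(key_id, fmt, key.hex())
    print("key 10 spellings identical:", identical_spellings(entries, 10))
```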

The big trouble with the authentication facility is the key file. It is a maintenance headache and a security problem. This should be fixed some day. Presumably, this whole bag of worms goes away if/when a generic security regime for the Internet is established. An alternative with NTP Version 4 is the autokey feature, which uses random session keys and public-key cryptography and avoids the key file entirely. While this feature is not completely finished yet, details can be found in the Release Notes page.

Query Programs

Three utility query programs are included with the distribution, ntpq, ntptrace and ntpdc. ntpq is a handy program which sends queries and receives responses using NTP standard mode-6 control messages. Since it uses the standard control protocol specified in RFC-1305, it may be used with NTP Version 2 and Version 3 implementations for both Unix and Fuzzball, but not Version 1 implementations. It is most useful to query remote NTP implementations to assess timekeeping accuracy and expose bugs in configuration or operation.

ntptrace can be used to display the current synchronization path from a selected host through possibly intervening servers to the primary source of synchronization, usually a radio clock. It works with both version 2 and version 3 servers, but not version 1.

ntpdc is a horrid program which uses NTP private mode-7 control messages to query local or remote servers. The format and contents of these messages are specific to this version of ntpd and some older versions. The program does allow inspection of a wide variety of internal counters and other state data, and hence does make a pretty good debugging tool, even if it is frustrating to use. The other thing of note about ntpdc is that it provides a user interface to the runtime reconfiguration facility. See the respective document pages for details on the use of these programs.

Run-Time Reconfiguration

ntpd was written specifically to allow its configuration to be fully modifiable at runtime. Indeed, the only way to configure the server is at runtime. The configuration file is read only after the rest of the server has been initialized into a running default-configured state. This facility was included not so much for the benefit of Unix, where it is handy but not strictly essential, but rather for dedicated platforms where the feature is more important for maintenance. Nevertheless, runtime configuration works very nicely for Unix servers as well.

Nearly all of the things it is possible to configure in the configuration file may be altered via NTP mode-7 messages using the ntpdc program. Mode-6 messages may also provide some limited configuration functionality (though the only thing you can currently do with mode-6 messages is set the leap-second warning bits) and the ntpq program provides generic support for the latter. The leap bits that can be set in the leap_warning variable (up to one month ahead) and in the leap_indication variable have a slightly different encoding than the usual interpretation:

     Value   Action
     00      The daemon passes the leap bits of its synchronisation source (usual mode of operation)
     01/10   A leap second is added/deleted
     11      Leap info from the synchronization source is ignored (thus LEAP_NOWARNING is passed on)
Mode-6 and mode-7 messages which would modify the configuration of the server are required to be authenticated using standard NTP authentication. To enable these facilities one must, in addition to specifying the location of a keys file, indicate in the configuration file the key IDs to be used for authenticating reconfiguration commands. Hence the following fragment might be added to a configuration file to enable the mode-6 (ntpq) and mode-7 (ntpdc) facilities in the daemon:
     # specify mode-6 and mode-7 trusted keys

     requestkey 65535    # for mode-7 requests
     controlkey 65534    # for mode-6 requests
If the requestkey and/or the controlkey configuration declarations are omitted from the configuration file, the corresponding run-time reconfiguration facility is disabled.

The query programs require the user to specify a key ID and a key to use for authenticating requests to be sent. The key ID provided should be the same as the one mentioned in the configuration file, while the key should match that corresponding to the key ID in the keys file. As the query programs prompt for the key as a password, it is useful to make the request and control authentication keys typeable (in ASCII format) from the keyboard.

Name Resolution

ntpd includes the capability to specify host names requiring resolution in peer and server declarations in the configuration file. However, in some outposts of the Internet, name resolution is unreliable and the interface to the Unix resolver routines is synchronous. The hangups and delays resulting from name-resolver clanking can be unacceptable once the NTP server is running (and remember it is up and running before the configuration file is read). However, it is advantageous to resolve time server names, since their addresses are occasionally changed.

In order to prevent configuration delays due to the name resolver, the daemon runs the name resolution process in parallel with the main daemon code. When the daemon comes across a peer or server entry with a non-numeric host address, it records the relevant information in a temporary file and continues on. When the end of the configuration file has been reached and one or more entries requiring name resolution have been found, the server runs the name resolver from the temporary file. The server then continues normally but with the offending peers/servers omitted from its configuration.

As each name is resolved, it configures the associated entry into the server using the same mode-7 runtime reconfiguration facility that ntpdc uses. If temporary resolver failures occur, the resolver will periodically retry the requests until a definite response is received. The program will continue to run until all entries have been resolved.

Dealing with Frequency Tolerance Violations (tickadj and Friends)

The NTP Version 3 specification RFC-1305 calls for a maximum oscillator frequency tolerance of +-100 parts-per-million (PPM), which is representative of those components suitable for use in relatively inexpensive workstation platforms. For those platforms meeting this tolerance, NTP will automatically compensate for the frequency errors of the individual oscillator and no further adjustments are required, either to the configuration file or to various kernel variables. For the NTP Version 4 release, this tolerance has been increased to +-500 PPM.

However, in the case of certain notorious platforms, in particular Sun 4.1.1 systems, the performance can be improved by adjusting the values of certain kernel variables; in particular, tick and tickadj. The variable tick is the increment in microseconds added to the system time on each interval-timer interrupt, while the variable tickadj is used by the time adjustment code as a slew rate, in microseconds per tick. When the time is being adjusted via a call to the system routine adjtime(), the kernel increases or reduces tick by tickadj microseconds per tick until the specified adjustment has been completed. Unfortunately, in most Unix implementations the tick increment must be either zero or plus/minus exactly tickadj microseconds, meaning that adjustments are truncated to be an integral multiple of tickadj (this latter behaviour is a misfeature, and is the only reason the tickadj code needs to concern itself with the internal implementation of tickadj at all). In addition, the stock Unix implementation considers it an error to request another adjustment before a prior one has completed.

Thus, to make very sure it avoids problems related to the roundoff, the tickadj program can be used to adjust the values of tick and tickadj. This ensures that all adjustments given to adjtime() are an even multiple of tickadj microseconds and computes the largest adjustment that can be completed in the adjustment interval (using both the value of tick and the value of tickadj) so it can avoid exceeding this limit. It is important to note that not all systems will allow inspection or modification of kernel variables other than at system build time. It is also important to know that, with the current NTP tolerances, it is rarely necessary to make these changes, but in many cases they will substantially improve the general accuracy of the time service.

Unfortunately, the value of tickadj set by default is almost always too large for ntpd. NTP operates by continuously making small adjustments to the clock, usually at one-second intervals. If tickadj is set too large, the adjustments will disappear in the roundoff; while, if tickadj is too small, NTP will have difficulty if it needs to make an occasional large adjustment. While the daemon itself will read the kernel's values of these variables, it will not change the values, even if they are unsuitable. You must do this yourself before the daemon is started using the tickadj program included in the ./util directory of the distribution. Note that the latter program will also compute an optimal value of tickadj for NTP use based on the kernel's value of tick.

The tickadj program can reset several other kernel variables if asked. It can change the value of tick if asked. This is handy to compensate for kernel bugs which cause the clock to run with a very large frequency error, as with SunOS 4.1.1 systems. It can also be used to set the value of the kernel dosynctodr variable to zero. This variable controls whether to synchronize the system clock to the time-of-day clock, something you really don't want to be happening when ntpd is trying to keep it under control. In some systems, such as recent Sun Solaris kernels, the dosynctodr variable is the only one that can be changed by the tickadj program. In this and other modern kernels, it is not necessary to change the other variables in any case.

We have a report that says starting with Solaris 2.6 we should leave dosynctodr alone. Here is the report.

In order to maintain reasonable correctness bounds, as well as reasonably good accuracy with acceptable polling intervals, ntpd will complain if the frequency error is greater than 500 PPM. For machines with a value of tick in the 10-ms range, a change of one in the value of tick will change the frequency by about 100 PPM. In order to determine the value of tick for a particular CPU, disconnect the machine from all sources of time (dosynctodr = 0) and record its actual time compared to an outside source (eyeball-and-wristwatch will do) over a day or more. Multiply the time change over the day by 0.116 and add or subtract the result to tick, depending on whether the CPU is fast or slow. An example call to tickadj useful on SunOS 4.1.1 is:

     tickadj -t 9999 -a 5 -s
which sets tick 100 PPM fast, tickadj to 5 microseconds and turns off the clock/calendar chip fiddle. This line can be added to the rc.local configuration file to automatically set the kernel variables at boot time.

All this stuff about diddling kernel variables so the NTP daemon will work is really silly. If vendors would ship machines with clocks that kept reasonable time and would make their adjtime() system call apply the slew it is given exactly, independent of the value of tickadj, all this could go away. This is in fact the case on many current Unix systems.

Tuning Your Subnet

There are several parameters available for tuning the NTP subnet for maximum accuracy and minimum jitter. One of these is the prefer configuration declaration described in the Mitigation Rules and the prefer Keyword documentation page. When more than one eligible server exists, the NTP clock-selection and combining algorithms act to winnow out all except the "best" set of servers using several criteria based on differences between the readings of different servers and between successive readings of the same server. The result is usually a set of surviving servers that are apparently statistically equivalent in accuracy, jitter and stability. The population of survivors remaining in this set depends on the individual server characteristics measured during the selection process and may vary from time to time as the result of normal statistical variations. In LANs with high speed RISC-based time servers, the population can become somewhat unstable, with individual servers popping in and out of the surviving population, generally resulting in a regime called clockhopping.

When only the smallest residual jitter can be tolerated, it may be convenient to elect one of the servers at each stratum level as the preferred one using the keyword prefer on the configuration declaration for the selected server:

     # preferred server declaration

     peer rackety.udel.edu prefer   # preferred server
The preferred server will always be included in the surviving population, regardless of its characteristics and as long as it survives preliminary sanity checks and validation procedures.

The most useful application of the prefer keyword is in high speed LANs equipped with precision radio clocks, such as a GPS receiver. In order to insure robustness, the hosts need to include outside peers as well as the GPS-equipped server; however, as long as that server is running, the synchronization preference should be that server. The keyword should normally be used in all cases in order to prefer an attached radio clock. It is probably inadvisable to use this keyword for peers outside the LAN, since it interferes with the carefully crafted judgement of the selection and combining algorithms.

Provisions for Leap Seconds and Accuracy Metrics

ntpd understands leap seconds and will attempt to take appropriate action when one occurs. In principle, every host running ntpd will insert a leap second in the local timescale in precise synchronization with UTC. This requires that the leap-warning bits be activated some time prior to the occurrence of a leap second at the primary (stratum 1) servers. Subsequently, these bits are propagated throughout the subnet depending on these servers by the NTP protocol itself and automatically implemented by ntpd and the time-conversion routines of each host. The implementation is independent of the idiosyncrasies of the particular radio clock, which vary widely among the various devices, as long as the idiosyncratic behavior does not last for more than about 20 minutes following the leap. Provisions are included to modify the behavior in cases where this cannot be guaranteed. While provisions for leap seconds have been carefully crafted so that correct timekeeping immediately before, during and after the occurrence of a leap second is scrupulously correct, stock Unix systems are mostly inept in responding to the available information. This caveat goes also for the maximum-error and statistical-error bounds carefully calculated for all clients and servers, which could be very useful for application programs needing to calibrate the delays and offsets to achieve a near-simultaneous commit procedure, for example. While this information is maintained in the ntpd data structures, there is at present no way for application programs to access it. This may be a topic for further development.

Clock Support Overview

ntpd was designed to support radio (and other external) clocks and does some parts of this function with utmost care. Clocks are treated by the protocol as ordinary NTP peers, even to the point of referring to them with an (invalid) IP host address. Clock addresses are of the form 127.127.t.u, where t specifies the particular type of clock (i.e., refers to a particular clock driver) and u is a unit number whose interpretation is clock-driver dependent. This is analogous to the use of major and minor device numbers by Unix and permits multiple instantiations of clocks of the same type on the same server, should such magnificent redundancy be required.

Because clocks look much like peers, both configuration file syntax and runtime reconfiguration commands can be used to control clocks in the same way as ordinary peers. Clocks are configured via server declarations in the configuration file, can be started and stopped using ntpdc and are subject to address-and-mask restrictions much like a normal peer, should this stretch of imagination ever be useful. As a concession to the need to sometimes transmit additional information to clock drivers, an additional configuration file statement is available: the fudge statement. This enables one to specify the values of two time quantities, two integral values and two flags, the use of which is dependent on the particular clock driver. For example, to configure a PST radio clock which can be accessed through the serial device /dev/pst1, with propagation delays to WWV and WWVH of 7.5 and 26.5 milliseconds, respectively, on a machine with an imprecise system clock and with the driver set to disbelieve the radio clock once it has gone 30 minutes without an update, one might use the following configuration file entries:

     # radio clock fudge fiddles
     server 127.127.3.1
     fudge 127.127.3.1 time1 0.0075 time2 0.0265
     fudge 127.127.3.1 value2 30 flag1 1
Additional information on the interpretation of these data with respect to various radio clock drivers is given in the Reference Clock Drivers document page and in the individual driver documents accessible via that page.

Towards the Ultimate Tick

This section considers issues in providing precision time synchronization in NTP subnets which need the highest quality time available in the present technology. These issues are important in subnets supporting real-time services such as distributed multimedia conferencing and wide-area experiment control and monitoring.

In the Internet of today synchronization paths often span continents and oceans with moderate to high variations in delay due to traffic spasms. NTP is specifically designed to minimize timekeeping jitter due to delay variations using intricately crafted filtering and selection algorithms; however, in cases where these variations are as much as a second or more, the residual jitter following these algorithms may still be excessive. Sometimes, as in the case of some isolated NTP subnets where a local source of precision time is available, such as a PPS signal produced by a calibrated cesium clock, it is possible to remove the jitter and retime the local clock oscillator of the NTP server. This has turned out to be a useful feature to improve the synchronization quality of time distributed in remote places where radio clocks are not available. In these cases special features of the distribution are used together with the PPS signal to provide a jitter-free timing signal, while NTP itself is used to provide the coarse timing and resolve the seconds numbering.

Most available radio clocks can provide time to an accuracy in the order of milliseconds, depending on propagation conditions, local noise levels and so forth. However, as a practical matter, all clocks can occasionally display errors significantly exceeding nominal specifications. Usually, the algorithms used by NTP for ordinary network peers, as well as radio clock peers, will detect and discard these errors as discrepancies between the disciplined local clock oscillator and the decoded time message produced by the radio clock. Some radio clocks can produce a special PPS signal which can be interfaced to the server platform in a number of ways and used to substantially improve the (disciplined) clock oscillator jitter and wander characteristics by at least an order of magnitude. Using these features it is possible to achieve accuracies in the order of a few tens of microseconds with a fast RISC-based platform.

There are three ways to implement PPS support, depending on the radio clock model, platform model and serial line interface. These are described in detail in the application notes mentioned in the Network Time Protocol (NTP) Distribution document page. Each of these requires circuitry to convert the TTL signal produced by most clocks to the EIA levels used by most serial interfaces. The Gadget Box PPS Level Converter and CHU Modem document page describes a device designed to do this. Besides being useful for this purpose, this device includes an inexpensive modem designed for use with the Canadian CHU time/frequency radio station.

In order to select the appropriate implementation, it is important to understand the underlying PPS mechanism used by ntpd. The PPS support depends on a continuous source of PPS pulses used to calculate an offset within +-500 milliseconds relative to the local clock. The serial timecode produced by the radio or the time determined by NTP in absence of the radio is used to adjust the local clock within +-128 milliseconds of the actual time. As long as the local clock is within this interval the PPS support is used to discipline the local clock and the timecode used only to verify that the local clock is in fact within the interval. Outside this interval the PPS support is disabled and the timecode used directly to control the local clock.

Parting Shots

There are several undocumented programs which can be useful in unusual cases. They can be found in the ./clockstuff and ./authstuff directories of the distribution. One of these is the propdelay program, which can compute high frequency radio propagation delays between any two points whose latitude and longitude are known. The program understands something about the phenomena which allow high frequency radio propagation to occur, and will generally provide a better estimate than a calculation based on the great circle distance. Other programs of interest include clktest, which allows one to exercise the generic clock line discipline, and chutest, which runs the basic reduction algorithms used by the daemon on data received from a serial port.

David L. Mills <mills@udel.edu>