
Network Time ● Jonathan Schipp ● Dubois County Linux User Group ● August 7 th, 2011 ● jonschipp (at) gmail.com.


1 Network Time
● Jonathan Schipp
● Dubois County Linux User Group
● August 7th, 2011
● jonschipp (at) gmail.com

2 Network Time Protocol
● The Network Time Protocol (NTP) synchronizes the clock of a client or server to another server or to a reference time source.
● NTP uses UDP as its transport, on port 123.
● The IETF formalized NTP version 3 in RFC 1305; NTP version 4 is specified in RFC 5905. The Simple Network Time Protocol (SNTP, RFC 2030, later RFC 4330 and now folded into RFC 5905) is a subset of the protocol for clients that need a less complex implementation.

3 Why use NTP?
● Time is critical for transactions across networks. Many processes need accurate time to start, coordinate and complete, authentication included (Kerberos, for example, rejects tickets whose timestamps are too far from the server's clock). Accurate timestamps in logs also matter for billing, network diagnostics, digital forensics, high-reliability databases and process analysis.
● Yet the clocks in electronic devices are not designed for accuracy: a typical clock can drift by more than an hour in a year. The fix is network time synchronization.
● Fewer egress packets: one local time server talks to the internet instead of every client reaching out to a public server.
● Tighter security: egress NTP can be limited to a single machine (the time server), and every host's logs then share one time base, which is what makes events correlatable during an investigation.

4 Regulatory Compliance
● Clock synchronization is usually required to meet compliance. Regulation - Driver:
● Sarbanes-Oxley - Accuracy of financial reporting
● HIPAA - Patient privacy in health care
● Order Audit Trail System (OATS) - Elimination of fraudulent securities trades
● Gramm-Leach-Bliley - Customer privacy
● 21 CFR Part 11 - Accuracy of electronic records for drug manufacturers and others
● Payment Card Industry Data Security Standard (PCI DSS) - Security of cardholder data
● North American Electric Reliability Corporation (NERC) - Requirements for a reliable and secure bulk power system

5 Strata
● Stratum levels define the distance from the reference clock. A reference clock is a stratum-0 device that is assumed to be accurate and to have little or no delay. It typically obtains UTC from GPS, CDMA or another time signal such as IRIG-B, WWV or DCF77. Stratum-0 devices are not used on the network directly; they are connected to computers, which then operate as stratum-1 servers.
● A server directly connected to a stratum-0 device is a stratum-1 server.
● A stratum-2 server synchronizes to a stratum-1 server over a network path.
● And so on, up to stratum 15; stratum 16 means "not synchronized".

6 Stratum cont.
● Each hop through the strata adds network delay that reduces the server's accuracy relative to UTC. EndRun states that timestamps from its stratum-1 time servers are typically within 10 microseconds of UTC. A stratum-2 server will be anywhere from 0.5 to 100 ms from UTC, and each further stratum layer (stratum 3, etc.) adds another 0.5 to 100 ms of inaccuracy.

7 UTC
● Coordinated Universal Time (UTC) is the primary time standard by which the world regulates clocks and time. Computer servers, online services and anything else that needs a universally accepted time use UTC.
● UTC is based on International Atomic Time (TAI), with leap seconds added at irregular intervals to keep it in step with the Earth's rotation.
● UTC is conceptually different from Universal Time and Greenwich Mean Time (GMT), but the names can be used interchangeably where sub-second precision is not required.
● Time zones around the world are expressed as positive or negative offsets from UTC.

8 GMT
● UTC evolved from GMT (Greenwich Mean Time), which was once used to set the clocks on ships before they left on a long voyage.
● GMT was later adopted as the world's standard time.
● One reason GMT was replaced as the official standard is that it was based on mean solar time, and newer measurement methods showed that mean solar time itself varies considerably.

9 A little history and geography
● Why does the Prime Meridian (zero longitude) pass through Greenwich?
● The International Meridian Conference took place in October 1884 in Washington, DC. Twenty-five nations were represented by 41 delegates, and the Greenwich meridian was chosen as the Prime Meridian of the world. There were several reasons; the main one was that nearly two thirds of the world's ships were already using charts based on it.
● The vote was 22 to 1 in favour of Greenwich (San Domingo, now the Dominican Republic, voted against); France and Brazil abstained. The French did not adopt the Greenwich meridian until 1911.

10 Public Time Servers
● The pool.ntp.org project is a big virtual cluster of time servers providing reliable, easy-to-use NTP service for millions of clients.
● Your ISP probably has a time server.
● Many universities run public time servers.
● OS X clients default to time.apple.com.
● etc.

11 ntpd
● ntpd is the Network Time Protocol daemon.
● Available for almost all, if not all, of the unices.
● Runs in the background, keeping the local clock disciplined and listening for NTP requests.

12 ntpd overview
● When ntpd starts it reads its configuration file (/etc/ntp.conf) to determine synchronization sources, authentication options, monitoring options, access control and other operating options.
● It also reads the frequency file (/etc/ntp/drift), which holds the latest estimate of the clock's frequency error.
● If configured, it also reads a file of authentication keys (/etc/ntp/keys).

13 ntpd
● ntpd synchronizes with its configured time servers at regular poll intervals.
● NTP needs some reference clock that defines the true time; every other clock is steered towards it.
● Its behaviour depends on the offset and delay it measures between the local clock and its reference servers.
● Packets are exchanged until an NTP server is accepted as a synchronization source, which takes about five minutes at the default poll interval (seconds with iburst).

14 How to use?
● Configure ntpd via its configuration file.
● Point all clients at the listening ntpd service.
● Simple enough?

15 /etc/ntp.conf
● The minimal ntp.conf needs just a "server" line, so that ntpd knows who to synchronize with:
● server 0.pool.ntp.org
● The drift file usually has a default location, but you can set it explicitly:
● driftfile /var/db/ntp.drift
● A logfile line is only needed if you want ntpd's messages in a specific place; by default they go to syslog (typically /var/log/messages):
● logfile /var/log/ntp.log
● "iburst" sends a burst of eight packets at the first poll when a server is unreachable, so the initial synchronization takes seconds instead of minutes:
● server 0.pool.ntp.org iburst

16 config parameters
● server - A time server to synchronize with: a hostname or IP address, or a reference clock driver address such as 127.127.1.0 (the local clock)
● fudge - Passes additional information to a reference clock driver
● fudge ... stratum N - Manually sets the stratum a reference clock is reported at (0 to 15)
● driftfile - Specifies the location of the frequency file
● broadcastdelay - Sets the default propagation delay used for broadcast and multicast associations
● keys - Path to the file of symmetric keys used to authenticate servers, peers and ntpq/ntpdc control requests

17 LCL - Local Clock
● If you are setting up an NTP server, add the local clock as a server as well, so that if it loses internet access it keeps serving time to the network. Fudge it to stratum 10 so that it is never selected while a real source is available:
● server 127.127.1.0
● fudge 127.127.1.0 stratum 10
● Caveat: clients following a server that has fallen back to its local clock are following a free-running oscillator, and their clocks may be stepped when the upstream returns. Newer ntpd versions offer orphan mode ("tos orphan 10") as the recommended replacement for the local clock driver.

18 Access Control
● This line stops everyone from modifying anything, peering with, or querying your time server: "nomodify" prevents reconfiguring ntpd at runtime (with ntpq or ntpdc), "nopeer" prevents anyone from establishing a symmetric peer association with your ntpd, and "noquery" prevents dumping status data from it (also with ntpq or ntpdc). Ordinary time requests are still answered; only "noserve" or "ignore" would refuse those.
● restrict default nomodify nopeer noquery
● Refusing status queries matters for more than privacy: the mode 6/7 control queries (monlist in particular) return far more data than the request, so an unrestricted server can be used as a DDoS reflector. Add "kod limited" as well to rate-limit abusive clients, and on ntpd older than 4.2.6 repeat the line as "restrict -6 default ...", because there "default" covered IPv4 only.
● These lines tell ntpd that 1.2.3.4 and every address in 192.168.0.0/24 may synchronize to this server but may not modify anything. All other addresses still obey the default restrictions (the first restrict line in ntp.conf):
● restrict 1.2.3.4 nomodify
● restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
● Also add "restrict 127.0.0.1" (and "restrict ::1") so that ntpq on the server itself is not locked out by the default noquery.

19 ACL list
● "ignore" - Deny all packets, time requests and queries alike
● "kod" - Send a Kiss-o'-Death packet on an access violation (used together with "limited" for rate limiting)
● "nomodify" - Deny ntpq/ntpdc requests that attempt to modify the server's state
● "notrap" - Deny the control-message trap service
● "noquery" - Deny all ntpq/ntpdc status queries (time service still works)
● "noserve" - Deny time service; ntpq/ntpdc queries are still answered
● "notrust" - Deny access unless the packet is cryptographically authenticated (ver 4.2 onwards)
● "nopeer" - Deny packets that would establish a new peer association
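
As an added example (not part of the slides or of the ntp distribution), the following POSIX shell script audits an ntp.conf for the mistakes that slides 15 through 19 warn about: a missing or too-permissive "restrict default" line, a locked-out loopback, a local clock that is not fudged to stratum 10, and per-network exemptions without nomodify. The function names, the FINDING output format and the two sample configurations (a weak one and a hardened one) are this page's own constructions, and the checks are heuristics, not a substitute for ntpd's documentation.

```shell
#!/bin/sh
# Added example, not from the slides: audit an ntp.conf for the access-control
# and local-clock mistakes covered on slides 15-19. The checks are heuristics
# written for this page; the two sample configs below are constructed.
findings=0
note() { echo "FINDING: $1"; findings=$((findings + 1)); }

# squeeze FILE: drop comments/blank lines and collapse whitespace so each
# check can match single-space-separated tokens.
squeeze() {
    sed -e 's/#.*//' -e 's/[[:blank:]][[:blank:]]*/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# audit_ntp_conf FILE: print one FINDING line per problem; return 0 if clean.
audit_ntp_conf() {
    body=$(squeeze "$1")
    findings=0
    # 1. A default restriction denying peering, runtime reconfiguration and
    #    status queries (mode 6/7 requests such as monlist, which make an open
    #    server usable as a DDoS reflector).
    default_line=$(printf '%s\n' "$body" | grep -E '^restrict (-4 )?default( |$)' | head -n 1)
    if [ -z "$default_line" ]; then
        note "no 'restrict default' line: anyone may peer, query and reconfigure"
    else
        case " $default_line " in
            *" ignore "*) ;;    # ignore drops everything, stricter than any flag
            *) for flag in nomodify nopeer noquery; do
                   case " $default_line " in
                       *" $flag "*) ;;
                       *) note "'restrict default' lacks $flag" ;;
                   esac
               done ;;
        esac
        # 2. Loopback must be exempted, or ntpq on the server itself is refused.
        if ! printf '%s\n' "$body" | grep -Eq '^restrict (-4 )?127\.0\.0\.1( |$)'; then
            note "no 'restrict 127.0.0.1' line: local ntpq -p will be refused"
        fi
    fi
    # 3. The undisciplined local clock (slide 17) must be fudged to stratum 10
    #    or higher so it only wins when every real source is gone.
    if printf '%s\n' "$body" | grep -q '^server 127\.127\.1\.0'; then
        stratum=$(printf '%s\n' "$body" | sed -n 's/^fudge 127\.127\.1\.0 .*stratum \([0-9][0-9]*\).*/\1/p' | head -n 1)
        if [ -z "$stratum" ] || [ "$stratum" -lt 10 ]; then
            note "local clock 127.127.1.0 is not fudged to stratum 10 or higher"
        fi
    fi
    # 4. Per-network exemptions (slide 18) should still carry nomodify.
    extra=$(printf '%s\n' "$body" | grep -E '^restrict ' | grep -Ev ' (-[46] )?(default|127\.0\.0\.1|::1)( |$)' || true)
    old_ifs=$IFS; IFS='
'
    for line in $extra; do
        case " $line " in
            *" nomodify "*|*" ignore "*) ;;
            *) note "'$line' lacks nomodify" ;;
        esac
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# Constructed "before": the minimal slide-15 config plus a bare local clock.
write_weak_conf() {
    cat > "$1" <<'EOF'
server 0.pool.ntp.org iburst
server 127.127.1.0
driftfile /var/db/ntp.drift
restrict default nomodify
EOF
}

# Constructed "after": the same server hardened as on slides 17-18.
write_hardened_conf() {
    cat > "$1" <<'EOF'
driftfile /var/db/ntp.drift
server 0.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
EOF
}

# demo_audit: audit both constructed configs; succeed only if the weak one
# fails and the hardened one passes.
demo_audit() {
    dir=$(mktemp -d)
    write_weak_conf "$dir/weak.conf"; write_hardened_conf "$dir/good.conf"
    echo "== weak.conf (expect findings) =="
    if audit_ntp_conf "$dir/weak.conf"; then weak_clean=1; else weak_clean=0; fi
    echo "== good.conf (expect none) =="
    if audit_ntp_conf "$dir/good.conf"; then good_clean=1; else good_clean=0; fi
    rm -rf "$dir"
    [ "$weak_clean" -eq 0 ] && [ "$good_clean" -eq 1 ]
}

# Usage: `sh ntp_audit.sh /etc/ntp.conf` audits a real file; no argument runs the demo.
if [ $# -gt 0 ]; then audit_ntp_conf "$1"; else demo_audit; fi
```

Run it with a path to audit a real file, or with no arguments to watch it flag the weak sample (four findings) and pass the hardened one. The hardened sample also carries two things the slides do not mention: "kod limited", which rate-limits abusive clients, and a separate "restrict -6 default" line, which ntpd older than 4.2.6 needs because there "default" covered IPv4 only.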

20 ACLs cont.
● It is smarter and more efficient to enforce access control in the kernel packet filter as well, so that unwanted UDP/123 traffic never reaches ntpd:
● Netfilter (Linux) - iptables
● PF (OpenBSD/FreeBSD) - pf
● IPFW (FreeBSD) - ipfw
● Allow UDP/123 in only from your clients' networks, and allow UDP/123 out to the internet only from the time server itself; ntpd's restrict lines then act as a second layer.

21 Starting on boot
● Each OS has its own way of doing this.
● On FreeBSD it is as simple as adding this to /etc/rc.conf:
● ntpd_enable="YES"
● On Arch Linux (at the time of writing) it is as simple as adding ntpd to the DAEMONS line in /etc/rc.conf:
● DAEMONS=(... !hwclock ntpd ...)
● !hwclock - disables the hwclock daemon, as recommended in the Arch Wiki; ntpd keeps the hardware clock updated itself, so hwclock is redundant
● The server can be stopped and started with your OS's rc scripts.

22 Client configuration
● ntpdate is a one-shot client that sends a time request to the time server and sets the clock. As easy as:
● ntpdate 192.168.1.5
● Can be run as a cron job at regular intervals.
● Caveats: ntpdate steps the clock abruptly (anything watching the time sees a jump), it refuses to run while ntpd holds port 123, and it is deprecated upstream in favour of "ntpd -q" or sntp.
● Or you can set up ntp.conf on the client to poll the local time server continuously, which is the better option.

23 Client ntpd
● Add this to /etc/ntp.conf on the client and start ntpd there:
● server 192.168.1.1
● restrict default ignore
● restrict 127.0.0.1
● restrict 192.168.1.1 mask 255.255.255.255 nomodify notrap noquery
● driftfile /var/lib/ntp/drift
● With "restrict default ignore" the client drops every NTP packet except those from itself and from the configured server, so nobody else can query it or peer with it.

24 Windows client config
● To point a Windows machine at your time server it is usually something like this:
● Control Panel → Date and Time → Internet Time → address of the time server
● On Windows 2000 and NT it must be done with a registry entry or via "net time" from a script:
● net time /setsntp:time.server.com
● net time /querysntp
● net stop w32time && net start w32time
● On Vista and later "net time /setsntp" is no longer supported; use w32tm /config with /manualpeerlist and /syncfromflags:manual, then w32tm /config /update (or w32tm /resync).

25 Windows cont.
● The standard time query interval for Windows XP is one query every 7 days, which is ineffective for time-critical applications and environments. To adjust it, a registry value must be changed.
● Windows XP stores the interval as a DWORD, shown in hexadecimal, whose decimal value is the number of seconds between time queries. Pick the interval (in seconds) you want, convert it to hexadecimal (86400 seconds is 1 day, 0x15180) and store it as the DWORD value. The default below, 0x93a80, is 604800 seconds, i.e. 7 days.
● [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpClient]
● "SpecialPollInterval"=dword:00093a80
● SpecialPollInterval is only honoured when the NtpServer value carries the 0x1 (SpecialInterval) flag, e.g. "time.server.com,0x1"; restart w32time after changing either value.

26 Diagnostics
● ntpq is the NTP query program.
● To see whether your time server is working, list all configured peers together with their summary performance data:
● ntpq -p
● The tally character in the first column tells you the state: "*" marks the peer ntpd is synchronized to, "+" a candidate, "-" one discarded by the clustering algorithm, and a blank one that is unreachable or rejected. The reach column is an octal shift register of the last eight polls, so 377 means all eight were answered, and stratum 16 means the peer is not synchronized.
● Query a remote time server (if its restrict lines allow queries):
● ntpq -p 192.168.1.5
● "ntpq -c rv" prints the system variables, including the stratum and whether the local clock is synchronized.
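
The following is an added example, not from the slides or from the ntp project: a POSIX shell function that reads "ntpq -pn" output and decides whether the host is actually synchronized, the check you would wire into monitoring so that log timestamps can be trusted. It uses the tally column, the stratum, the octal reach register and the offset described above. The function name, the exit-code convention, the 100 ms default threshold and the three sample outputs are this page's own constructions.

```shell
#!/bin/sh
# Added example, not from the slides: judge `ntpq -pn` output the way a
# monitoring check would. Parsing rules and thresholds are this page's own;
# the three sample outputs below are constructed.

# ntp_health [MAX_OFFSET_MS]: read `ntpq -pn` output on stdin.
# Exit 0 = synced and healthy, 1 = not synced to a real source, 2 = synced but degraded.
ntp_health() {
    awk -v max="${1:-100}" '
    NR <= 2 { next }                          # column header and ===== rule
    {
        tally = substr($0, 1, 1)              # "*" synced, "+" candidate, "-" outlier, " " rejected/unreachable
        rest = substr($0, 2); sub(/^[ \t]+/, "", rest)
        if (split(rest, f, /[ \t]+/) < 10) next
        remote = f[1]; stratum = f[3] + 0; reach = f[7]; offset = f[9] + 0
        # reach is an octal shift register of the last eight polls; count the answered ones
        answered = 0
        for (i = 1; i <= length(reach); i++) {
            d = substr(reach, i, 1) + 0
            answered += (d >= 4 ? 1 : 0) + (int(d / 2) % 2) + (d % 2)
        }
        if (stratum == 16)
            printf "WARN: %s unreachable (stratum 16, reach %s)\n", remote, reach
        if (tally == "*") {
            selected = remote; sel_stratum = stratum
            sel_offset = offset; sel_answered = answered
        }
    }
    END {
        if (selected == "") {
            print "CRIT: no peer selected (no * in the tally column); the clock is free-running"
            exit 1
        }
        if (sel_stratum >= 10) {
            printf "CRIT: synced to %s at stratum %d, i.e. the undisciplined local clock\n", selected, sel_stratum
            exit 1
        }
        abs = sel_offset < 0 ? -sel_offset : sel_offset
        if (abs > max + 0 || sel_answered < 8) {
            printf "WARN: synced to %s but offset %.3f ms (limit %s ms), reach %d/8\n", selected, sel_offset, max, sel_answered
            exit 2
        }
        printf "OK: synced to %s, stratum %d, offset %.3f ms, reach %d/8\n", selected, sel_stratum, sel_offset, sel_answered
    }'
}

# Constructed `ntpq -pn` output: healthy server synced to a stratum-1 GPS box.
sample_healthy() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.5     .GPS.            1 u   32   64  377    0.412   -0.118   0.045
+10.0.0.7        192.168.1.5      2 u   28   64  377    1.203    0.402   0.210
 127.127.1.0     .LOCL.          10 l   11   64  377    0.000    0.000   0.001
EOF
}

# Constructed: upstream gone, ntpd has fallen back to the slide-17 local clock.
sample_fallback() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.5     .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   18   64  377    0.000    0.000   0.001
EOF
}

# Constructed: synced, but packet loss (reach 017 = 4 of 8 polls) and a 250 ms offset.
sample_degraded() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.5     .GPS.            1 u   40   64   17    0.412  250.913   9.831
EOF
}

# Usage: `ntpq -pn | sh ntp_health.sh check 100`; `sh ntp_health.sh demo` runs the samples.
case "${1:-}" in
    check) ntp_health "${2:-100}" ;;
    demo)  for s in sample_healthy sample_fallback sample_degraded; do
               echo "== $s =="; $s | ntp_health 100 || echo "exit status $?"
           done ;;
esac
```

Feed it "ntpq -pn" rather than "ntpq -p": with -n ntpq does not resolve peer addresses, so the check cannot hang when a resolver is unreachable. The fallback sample is the failure mode slide 17 sets up: ntpd reports itself synchronized, but to its own stratum-10 local clock, which a naive "is there a *" check would accept.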

27 References/Plagiarism
● https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon
● http://support.ntp.org/bin/view/Servers/WebHome
● http://www.brennan.id.au/09-Network_Time_Protocol.html
● http://www.endruntechnologies.com/stratum1.htm
● http://en.wikipedia.org/wiki/Network_Time_Protocol
● http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
● http://ntpserver.wordpress.com/2008/09/10/ntp-server-stratum-levels-explained/
● http://www.freebsd.org/doc/handbook/network-ntp.html
● http://www.worldtimeserver.com/current_time_in_UTC.aspx
● http://en.wikipedia.org/wiki/Coordinated_Universal_Time
● http://wwp.greenwichmeantime.com/
● http://en.wikipedia.org/wiki/Greenwich_Mean_Time

