ISC NTP: Network Time Sync Guide

Computer System Design and Administration

Topic 6. Network time sync service: ISC NTP

José Ángel Herrero Velasco


Department of Computer and
Electrical Engineering

This work is published under a License:


Creative Commons BY-NC-SA 4.0

Secure information service: Puzzle

[Figure: service architecture. Main service: OpenLDAP information server (LDAP DB) reached over SSL by LDAP clients and Active Directory, plus an SSH server. Secondary services (third-party): ISC DHCP, ISC DNS, ISC NTP. Replicated service: OpenLDAP client (LDAP DB) over SSL, plus an SSH client.]

Target: …server convergence

• Installation, configuration and deployment of third-party network services for local networking management on the INTRANET:
  – Dynamic configuration service (DHCP): ISC dhcpd.
  – Domain name service (DNS): ISC bind9.
  – Network time service (NTP): ISC ntpd:
    • Keeping the software time synchronized in accordance with a common time reference.
    • EVERY network host must have the same software time:
      – Reference time.
      – Regular checks (sync).

Computer time

• In computer systems:
  – Time = number of seconds elapsed since a reference time (01/01/1970) → Unix.
• Every computer has 2 clocks:
  – Hardware clock:
    • Integrated in the motherboard and powered by a small battery:
      – The computer keeps the hardware time even during shutdowns.
      – If you take out this battery → “Reset” (time, BIOS password ?!?!?):
        » Beware if the battery runs out!!!
    • Hardware time can be changed by the OS or the BIOS.
    • It is used to configure the computer's local time.
  – Software clock:
    • It uses UTC → Coordinated Universal Time:
      – Primary time standard by which the world regulates clocks and time → From 1 January 1960.
      – Successor to Greenwich Mean Time (GMT).
      – UTC (from 1970) is defined by:
        » International Atomic Time (IAT):
          • Atomic reference clocks: cesium atoms → distributed by GPS (and radio), modems…
        » With leap seconds added:
          • At irregular intervals to compensate for the slowing of Earth's rotation (31s/century ΔT).
        » UTC according to geographic zones (Time Zones):
          • Positive or negative offsets (24) from UTC.
    • In the past, “GMT” was used as reference → Greenwich Mean Time: mean solar time:
      – Astronomical base.
      – Stable but not constant…
• Both of them are independent of each other, except when the OS boots:
  – The OS uses HW time to set up its SW time (on boot).
  – Then, SW time is synchronized (UTC) by NTP.

NTP: Network time sync protocol

• NTP: Network Time Protocol.
• Motivation:
  – Many services and network apps need software clocks to be 100% synchronized (timestamps):
    • Kerberos, batch processing systems, distributed file systems & databases, log systems, development tools (make), etc.
• Definition (NTP):
  – NTP is a protocol designed to synchronize the clocks of computers in a variable-latency data network:
    • Selects the best time among several time sources and minimizes cumulative delay.
  – Targets:
    1. Optimize local time accuracy for UTC.
    2. All hosts on a LAN have their clocks synchronized (use the same software time).
• Origins and history:
  – One of the oldest protocols on the Internet (since 1979):
    • Internet Clock Service (RFC 778):
      – Internet services running over a trans-Atlantic satellite network.
      – Accuracy of only several hundred milliseconds.
  – Versions:
    • 1985. Fuzzball and Unix implemented NTPv0 (RFC 958):
      – David L. Mills (Delaware University - USA).
    • 1988. The first complete specification: a much more complete specification in NTPv1 (RFC 1059).
    • 1989. Introduction of symmetric-key authentication in NTPv2 (RFC 1119).
    • 1992. Introduction of formal correctness principles in NTPv3 (RFC 1305):
      – 1994: NTPv3 works for a new version of NTP: SNTP (RFC 2030).
    • 1994-XX. Analysis of all sources of error, external pulse calibration and more new features...
    • 2010. NTPv4 (RFCs 5905/6/7 and 8) → Continues to be a developing version:
      – The reference implementation is currently maintained as an open source project led by Harlan Stenn.

NTP: Basis & features

• Fundamentals:
  – NTP needs a reference time to define the true time (network time):
    • The NTP system uses UTC as reference time, based on International Atomic Time (IAT).
    • This “reference time” will be assigned by the hierarchical system.
  – NTP is a fault-tolerant protocol (Bellman-Ford shortest-path spanning tree):
    • The time data comes from multiple sources.
  – NTP is highly scalable:
    • It can increase in client numbers…
  – NTP can sync the host time even though the network is “down”:
    • Temporarily… (fudge + driftfile).
• Precision:
  – Strongly dependent on the type of network:
    • From 5-100 ms (Internet) to 200 μs (LAN).
• Architecture:
  – NTP uses a hierarchical system of servers on the Internet (Servers / Peers):
    • NTP stratum model.
    • Each level → stratum (ID).
  – Many peers provide time redundancy.
• TCP/IP protocol:
  – Transport layer.
  – NTP packet format (NTP/SNTPv4):
    • Following the IP/UDP headers…
    • The 64-bit timestamps:
      – Compute the offsets.

[Figure: NTP architecture]
[Figure: TRANSPORT layer (TCP/IP)]

NTP: Computing the “right time”

• NTP algorithms for time computing:
  – The key:
    • Selects the best time among many sources.
    • Minimizes cumulative delay (minimizes the accumulated error).
  – Architecture and Algorithms:
    • (1) Clock Filter algorithm:
      – Time references are calculated based on round-trip delay and interval observations.
      – Then, it selects the offset with minimum delay.
    • (2) Intersection algorithm (default):
      – Based on Marzullo's algorithm.
      – A typical NTP client will regularly poll 3 or more servers on diverse networks:
        » The client must compute their time offset and round-trip delay.
        » Among several servers, it requires that the midpoint of the interval be at the intersection.
    • (3) Clustering algorithm:
      – Selects the best suite of servers (peers) and combines their differences to determine the offset.
    • (4) Combinational Algorithm:
      – Computes the mean time offsets.
    • (5) Clock Discipline Algorithm:
      – It is an adaptive parameter, hybrid phase/frequency-lock feedback loop → Minimizes the jitter (dispersion).

[Figure: NTP process architecture. Remote servers (Peer 1, Peer 2, Peer 3) exchange timestamps with Filter 1, Filter 2, Filter 3 → Intersection & clustering algorithms → Combinational algorithm → Clock discipline algorithm (Loop Filter, VFO: variable frequency oscillator) with the clock adjust process.]
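
The clock filter and intersection steps listed above, worked through as an added example (not code from the slides or from ntpd). The timestamps are constructed, and the correctness interval is simplified to offset ± delay/2, leaving out the dispersion term ntpd also uses.

```python
# Added illustration, not from the slides. Timestamps are constructed.

def offset_delay(t1, t2, t3, t4):
    """t1 client send, t2 server receive, t3 server send, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0   # how far the client clock is behind
    delay = (t4 - t1) - (t3 - t2)            # round trip minus server hold time
    return offset, delay

def clock_filter(samples):
    """Clock filter step: keep the sample with the smallest round-trip delay."""
    return min((offset_delay(*s) for s in samples), key=lambda od: od[1])

def marzullo(intervals):
    """Return (lo, hi, count) for the range shared by the most intervals."""
    edges = sorted([(lo, -1) for lo, _ in intervals] +
                   [(hi, +1) for _, hi in intervals])  # starts sort before ends
    best = count = 0
    best_lo = best_hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind                 # -1 opens an interval, +1 closes one
        if count > best:
            best, best_lo, best_hi = count, value, edges[i + 1][0]
    return best_lo, best_hi, best

def select_offset(peers):
    """peers: {name: [(t1, t2, t3, t4), ...]} -> (offset, agreeing peer names)."""
    filtered = {name: clock_filter(s) for name, s in peers.items()}
    # Simplification: correctness interval is offset +/- delay/2 (no dispersion).
    spans = {n: (o - d / 2, o + d / 2) for n, (o, d) in filtered.items()}
    lo, hi, _ = marzullo(list(spans.values()))
    agreeing = sorted(n for n, (a, b) in spans.items() if a <= hi and b >= lo)
    return (lo + hi) / 2, agreeing

# Constructed samples: the client clock is 0.100 s behind peers A and B;
# peer C is a falseticker whose clock is 5 s off.
SAMPLES = {
    "A": [(10.000, 10.110, 10.111, 10.021),   # symmetric path, delay 0.020
          (20.000, 20.150, 20.151, 20.061)],  # congested outbound leg, delay 0.060
    "B": [(10.000, 10.115, 10.116, 10.031)],
    "C": [(10.000, 15.010, 15.011, 10.021)],
}

if __name__ == "__main__":
    offset, agreeing = select_offset(SAMPLES)
    print(f"offset {offset:+.3f} s from peers {agreeing}")
```

Peer A's congested sample would have reported an offset of 0.120 s; the minimum-delay filter discards it, and the intersection step outvotes the single peer that disagrees, which is why the slides recommend at least 3 servers.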


NTP: Service architecture (Topology)

• NTP uses a hierarchical, semi-layered system of time sources:
  – Each level of this hierarchy is termed a "stratum".
  – Each stratum is assigned an ID (0 .. N).
• The stratum ID represents the distance from the reference clock (n + 1):
  – Stratum is not always an indication of quality or reliability.
• Clock strata:
  – Stratum 0:
    • High-precision timekeeping devices → Atomic (cesium, rubidium) clocks.
  – Stratum 1:
    • These are computers whose system clocks are synchronized within a few microseconds of their attached stratum 0 devices.
    • They may peer with other stratum 1 servers (backups).
  – Stratum 2, 3… to 14 (although it supports up to 256):
    • These are computers that are synchronized over a network to stratum 1, 2... to 13 servers.
    • They can themselves act as servers for stratum 3 computers, and so on.

According to A Survey of the NTP Network, there are at least 175,000 hosts running NTP in the Internet.

[Figure: stratum hierarchy and time reference (NTP) propagation. Stratum 0: UTC, high-precision timekeeping devices (direct connection). Stratum 1: NTP servers, 300 servers. Stratum 2: NTP servers, 20000 servers. Stratum 3: NTP servers, 80000 servers (network connection).]


NTP: Operational basis

• When an NTP client requests a time sync (client/server mode):
  – If the server is a direct time source (stratum 0):
    • The server sends its “local time”, “time zone” and stratum.
  – Else:
    • The server sends a computed time:
      – Using data from servers of the same or higher stratum.
      – Using NTP algorithms.
• The client must recalculate the time obtained:
  – Using the Intersection algorithm:
    • Time offset and round-trip delay.
• Public NTP server list:
  – Public NTP Primary (stratum 1) Time Servers:
    • http://[Link]/bin/view/Servers/StratumOneTimeServers.
  – Public NTP Secondary (stratum 2) Time Servers:
    • http://[Link]/bin/view/Servers/StratumTwoTimeServers.
  – Public NTP Pool Time Servers:
    • http://[Link]/bin/view/Servers/NTPPoolServers.

Source: https://[Link].

NTP: Network time sync service

• NTP on Linux/UNIX:
  – Service managed by the ntpd daemon (most of the protocol is implemented in it):
    • Operation modes:
      – Client/server mode:
        » The client requests a “time sync” from a particular NTP server.
      – Broadcast mode (client/server):
        » Many clients may be synced with one or more NTP servers.
        » Operation:
          • The server sends the “time” to everybody.
          • Clients listen only!!!
          • It reduces network traffic (LAN).
      – Multicast mode:
        » One or more servers periodically multicast the time to the servers in the network.
        » Only in NTPv4.
      – Symmetric mode:
        » It enables NTP servers to synchronize with each other to provide “time reference” copies (horizontal sync):
          • To improve the accuracy of their synchronization over time.
    • NTP is defined for TCP/IP networks:
      – UDP 123.
    • NTP security:
      – NTP (v4) is able to guarantee the server authenticity.
      – NTP may use symmetric-key and public-key cryptography modes:
        » Public/private keys.
• Protocol alternatives:
  – There are different deployments of the same protocol (NTP):
    • Protocol variants.
    • SNTP (Simple Network Time Protocol): RFC 5905:
      – Simpler (no storage of previous connections) and less precise!!!
      – For embedded devices.

NTP: Service installation (ISC NTP)

• NTP server and tools installation (Server):
  – Stage 1. Hardware clock setting:
      $ hwclock --set --date="10/11/2010 16:27:30"
      $ hwclock --hctosys
  – Stage 2. Time zone setting (local):
      $ dpkg-reconfigure tzdata
  – Stage 3. Service software installation:
      $ apt-get update
      $ apt-get install ntp ntp-doc
      $ update-rc.d ntp defaults
• Lab 2. We should deploy a local NTP service.

Source: [Link].


NTP: Service configuration

• NTPd service main configuration file:
    $ vi /etc/[Link]
  – Main configuration entries:
    • server <ip>:
      – NTP source public servers list (stratum 1/2).
      – It is recommended to have at least 3 servers.
    • restrict <ip> [options]:
      – Access control restrictions.
      – By default, the NTP server will be accessible from all internet hosts.
      – It establishes which hosts can use the NTP service and which cannot.
    • fudge <ip> stratum <num>:
      – Routing control (pseudo IP) → Backup.
      – It is only used when NTP servers fail (unavailable):
        » The NTP server syncs to itself.
    • keys <file>:
      – Key file for queries.
    • driftfile <file>:
      – Drift file → The drift file is used to store the frequency offset between the system clock running at its nominal frequency and the frequency required to remain in synchronization with UTC. Default: /var/lib/ntp/[Link].
    • statsdir <directory>:
      – Logs and statistics file for NTP service.
    • broadcast <ip>:
      – Server configuration in broadcast mode.


NTP: Daemon configuration

• NTPd daemon main configuration file:
    $ vi /etc/default/ntp
  – NTP daemon (ntpd) parameters defined as variables:
    • They are used by the startup script:
      – /etc/init.d/ntp.
  – Sample:
    • NTPD_OPTS='-g'
  – To view the options available in the NTP service:
    • $ man ntpd.
• More important things about NTP service:
  – Firewalls:
    • It is necessary to keep port 123 open for UDP:
      – For incoming and outgoing traffic.


Examples: Service configuration

Sample
• /etc/[Link]
    driftfile /var/lib/ntp/[Link]
    statsdir /var/log/ntpstats/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable
    # Server list for stratum 1/2.
    server [Link]
    server [Link]
    # Pseudo-IP address. If any error happens, NTP syncs itself.
    server [Link]
    fudge [Link] stratum 13
    restrict default kod notrap nomodify nopeer noquery
    restrict [Link] nomodify
    broadcast [Link]

• /etc/default/ntp
    NTPD_OPTS='-g'
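
A small audit of the configuration entries described above (server count, restrict access control, keys with broadcast), as an added example that is not part of the slides or of the ntp package. The two configurations, the 192.0.2.x addresses and the /etc/ntp.keys path are constructed, and the broadcast-without-keys check is a heuristic assumed here.

```python
# Added illustration, not from the slides: audit ntp.conf text against the
# slides' points (>= 3 servers, restrict access control, keys file).
REQUIRED = {"nomodify", "notrap", "nopeer", "noquery"}  # flags in the sample's default line

def parse(conf_text):
    """Split config text into token lists, dropping blanks and # comments."""
    rows = (line.split("#", 1)[0].split() for line in conf_text.splitlines())
    return [r for r in rows if r]

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    rows, findings = parse(conf_text), []
    # 127.127.x.x are ntpd reference-clock pseudo addresses (local fallback).
    remote = [r for r in rows if r[0] in ("server", "pool") and len(r) > 1
              and not r[1].startswith("127.127.")]
    if len(remote) < 3:
        findings.append(f"{len(remote)} remote source(s); at least 3 recommended")
    defaults = []
    for r in rows:
        args = [a for a in r[1:] if a not in ("-4", "-6")]
        if r[0] == "restrict" and args[:1] == ["default"]:
            defaults.append(set(args[1:]))
    if not defaults:
        findings.append("no 'restrict default' line; any host may use the service")
    for flags in defaults:
        if REQUIRED - flags:
            findings.append("restrict default lacks: " + " ".join(sorted(REQUIRED - flags)))
    keywords = {r[0] for r in rows}
    if "broadcast" in keywords and "keys" not in keywords:
        findings.append("broadcast configured without a keys file")
    return findings

# Constructed configs; 192.0.2.0/24 is a documentation range, paths are assumed.
WEAK = """
server 192.0.2.10
server 127.127.1.0            # local clock fallback
fudge 127.127.1.0 stratum 13
restrict default nomodify
broadcast 192.0.2.255
"""
HARDENED = """
server 192.0.2.10
server 192.0.2.11
server 192.0.2.12
keys /etc/ntp.keys
restrict default kod notrap nomodify nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify
broadcast 192.0.2.255
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```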


NTP: Client installation

• The NTP client is based on the scheduled run of the ntpdate-debian command.
• NTP client installation (client):
  – The recommendations for server installation, as in the previous steps, are also valid for NTP clients.
  – Stage 1. Hardware clock setting:
      $ hwclock --set --date="10/11/2010 16:27:30"
      $ hwclock --hctosys
  – Stage 2. Time zone setting (local):
      $ dpkg-reconfigure tzdata
  – Stage 3. Client software installation:
      $ apt-get update
      $ apt-get install ntpdate


NTP: Client configuration

• ntpdate-debian configuration:
    $ vi /etc/default/ntpdate
  – Options:
    • NTPDATE_USE_NTP_CONF:
      – It’s only used if the host runs ntpd:
        » /etc/[Link].
    • NTPSERVERS:
      – NTP servers list used by ntpdate-debian.


Examples: Client configuration

Sample
• /etc/default/ntpdate
    # The settings in this file are used by the program ntpdate-debian, but not
    # by the upstream program ntpdate.

    # Set to "yes" to take the server list from /etc/[Link], from package ntp,
    # so you only have to keep it in one place.
    NTPDATE_USE_NTP_CONF=no

    NTPSERVERS="[Link] [Link] [Link]"

    # Additional options to pass to ntpdate
    NTPOPTIONS=""


NTP: Client configuration (regular sync)

• To maintain a regular client time sync, we must use the CRON service:
  – Option 1. Root crontab:
      $ crontab -e
      */15 * * * * /usr/sbin/ntpdate-debian
      $ /etc/init.d/cron reload
  – Option 2. Temporary crontab /etc/cron.{daily,hourly}:
      $ vi /etc/[Link]/ntpdate
      /usr/sbin/ntpdate-debian
      $ chmod 755 /etc/[Link]/ntpdate
      $ /etc/init.d/cron reload


NTP: Checking

• Checking if the NTP service is “running”:
    $ /etc/init.d/ntp restart
    $ pgrep ntpd
    $ ps -elf | grep ntp
    $ netstat -atunp
• Checking if a firewall is set:
    $ iptables -L
• Checking the NTP service sync according to the upper stratum:
    $ ntpq -p (prints the current software time).
    $ ntpdc -c loopinfo (prints how the software time is drifted).
    $ ntpdc -c kerninfo (prints the current aggregated correction).
    $ ntptime
• Sync the client software time:
    $ ntpdate-debian <ntp server>
• Sync the client hardware time according to software time:
    $ hwclock --systohc
