RE: [fw-wiz] Acqusition of time

From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 01/31/03


From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
To: firewall-wizards@honor.icsalabs.com
Date: Fri Jan 31 08:00:15 2003

Martin Peikert wrote:
> Ben Nagy wrote:
> > If a firewall can't reach an NTP server because of some
> transient network
> > condition the clock doesn't automatically go haywire - it
> will just start
> > drifting as per the normal accuracy of the hardware clock, no?

ntpd periodically (every hour, I believe) saves the current clock drift to a
drift file, typically /etc/ntp.drift. When the daemon starts, it initializes
the drift of its state machine using the value in this file in an effort to
speed up synchronisation (and especially it settling down). I believe it
will apply this correction to the clock even when running in an
unsynchronised state, i.e. when it can't reach any reliable peers or
servers.

You shouldn't make the typical mistake of configuring the local clock as a
reference source, however. In that case, the computer's time will skew
considerably when the other servers can't be reached. The LCL source is only
meant to be used when it is synchonised by some external means (or if you
don't want to synchronise to anything external).

> Not necessarily. You could use clockspeed, see
> http://cr.yp.to/clockspeed.html
> ,-------------------------------------------------------------
> ----------
> | clockspeed uses a hardware tick counter to compensate for a
> | persistently fast or slow system clock. Given a few time
> measurements
> | from a reliable source, it computes and then eliminates the clock
> | skew.

Of course this only works as long as the clock skew is constant, resulting
in linear drift if uncompensated. This is an OK assumption for quartzes
running at fixed levels of temperature, such as the clocks in always-on
servers in a thermally controlled server room. It is not OK for your typical
workstation. Reboot cycles often introduce errors of up to half a second and
temperatures vary much more. I've also observed some SGI machines to perform
20 ms jumps every now and then, completely unpredictably.

> | Typical success story: I started clockspeed on one of my Pentium
> | computers at home on 1998-05-05. I ran sntpclock (through a 28.8
> | dialup line) once on 1998-05-05 and once on 1998-05-30. On
> 1998-08-22,
> | after no network time input for nearly three months, the clock was
> | just 0.21 seconds off.

This rating is rather subjective, of course. .21 seconds equates to 210 ms,
which is a tremendous offset by NTP standards. It's also a lot if you're
trying to sort logs from different machines, which are connected by
modertaly busy mbps, even kbps lines. Of course, the 2.3 ms per day offset
the quoted machine experiences (on average) is a lot better than the up to
half a second that uncorrected clocks can exhibit.

> So, if a firewall can't reach an NTP server a longer time, I
> would think
> that you really have a problem ;-) But for a sufficient
> length of time
> clockspeed will do the job and keep the time from drifting too far...

Could be that ntpd will, too.

I myself prefer to have a stratum 1 source in the management network that
the DMZ systems are connected to, which doesn't see any production traffic
and isn't connected to anything else. That way, worms and other crap on the
production network segments doesn't hamper NTP or any other management
traffic (until a DMZ machine is infected, of course, but that can be
mitigated further..). Of course, when faced with The Real World (TM) this
setup often remains a dream..

Cheers,
Tobias



Relevant Pages

  • Re: Time clock on SBS 2003
    ... give your laptop an ip one number higher than the time clock. ... If the device was on the network and it was getting an ip using the ... guess that I would have to find the device in the server first to make it ... In the end we had to install the user interface on the server and RDP ...
    (microsoft.public.windows.server.sbs)
  • Re: ref clock for network POP locations
    ... I would still like to have a very accurate time source. ... I was thinking that it might be possible to get an oscillator to provide a PPS signal, and then use a very well connected (possibly even a dedicated network link with no router/switch) network peer as the preferred peer. ... a GPS based reference clock By the time you get to the computer's clock that degrades to a microsecond or two. ... The problem with networks is that they introduce random "phase noise"; e.g. if you set up a server in New York that sends packets at EXACT one second intervals, those packets will not arrive in Los Angeles at anything like one second intervals. ...
    (comp.protocols.time.ntp)
  • Re: Linux, Garmin GPX-18X LVM & PPS
    ... I am trying to set up an NTP server using the Garmin GPS-18 as the reference clock. ... So, it looks like its synchronising to the NMEA data coming from the GPS receiver without any problems, but is the PPS working? ...
    (comp.protocols.time.ntp)
  • Re: high precision tracking: trying to understand sudden jumps
    ... I'm trying to configure a small network for high precision time. ... Recently acquired an Endrun CDMA time server that runs like ... ramping up to as long as 1024 seconds as the clock is beaten into ...
    (comp.protocols.time.ntp)
  • Re: Clock accuracy
    ... Otherwise the time is simply kept by your BIOS clock and will drift ... Windows comes with a time sync service to get time for a NTP server. ...
    (microsoft.public.windowsxp.general)