mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-18 00:21:25 +01:00
1259 lines
69 KiB
Plaintext
1259 lines
69 KiB
Plaintext
Notes on Xntpd Configuration
|
|
|
|
David L. Mills (mills@udel.edu)
|
|
University of Delaware
|
|
14 January 1993
|
|
|
|
Introduction
|
|
|
|
This document is a collection of notes concerning the use of xntpd and
|
|
related programs, and on coping with the Network Time Protocol (NTP) in
|
|
general. It is a major rewrite and update of an earlier document written
|
|
by Dennis Ferguson of the University of Toronto dated 5 November 1989.
|
|
It includes many changes and additions resulting from the NTP Version 3
|
|
specification and new implementation features. It supersedes the earlier
|
|
document, which should no longer be used for new configurations.
|
|
|
|
Xntpd is a complete implementation of the NTP Version 3 specification as
|
|
defined in RFC 1305. It also retains compatibility with both NTP Version
|
|
2, as defined in RFC 1119, and NTP Version 1, as defined in RFC 1059,
|
|
although this compatibility is sometimes strained and only
|
|
semiautomatic. In order to support in principle the ultimate precision
|
|
of about 232 picoseconds in the NTP specification, xntpd does no
|
|
floating-point arithmetic and instead manipulates the 64-bit NTP
|
|
timestamps as unsigned 64-bit integers. Xntpd fully implements NTP
|
|
Versions 2 and 3 authentication and a mode-6 control-message facility.
|
|
As extensions to the specification, a flexible address-and-mask
|
|
restriction facility has been included, along with a private mode-7
|
|
control-message facility used to remotely reconfigure the system and
|
|
monitor a considerable amount of internal detail.
|
|
|
|
The code is biased towards the needs of a busy time server with
|
|
numerous, possibly hundreds, of clients and other servers. Tables are
|
|
hashed to allow efficient handling of many associations, though at the
|
|
expense of additional overhead when the number of associations is small.
|
|
Many fancy features have been included to permit efficient management
|
|
and monitoring of a busy primary server, features which are simply
|
|
excess baggage for a server on a high stratum client. The code was
|
|
written with near demonic attention to details which can affect
|
|
precision and as a consequence should be able to make good use of high
|
|
performance, special purpose hardware such as precision oscillators and
|
|
radio clocks. The present code supports a number of radio clocks,
|
|
including those for the WWV, CHU, WWVB, DCF77, GOES and GPS radio and
|
|
satellite services. The server methodically avoids the use of Unix-
|
|
specific library routines where possible by implementing local versions,
|
|
in order to aid in porting the code to perverse Unix and non-Unix
|
|
platforms.
|
|
|
|
While this implementation slavishly obeys the NTP specification RFC
|
|
1305, it has been specifically tuned to achieve the highest accuracy
|
|
possible on whatever hardware and operating-system platform is
|
|
available. In general, its precision is limited only by that of the
|
|
onboard time-of-day clock maintained by the hardware and operating
|
|
system, while its stability is limited only by that of the onboard
|
|
frequency source, usually an uncompensated crystal oscillator. On modern
|
|
RISC-based processors connected directly to radio clocks via serial-
|
|
asynchronous interfaces, the accuracy is usually limited by that of the
|
|
radio clock and interface to the order of a few milliseconds. The code
|
|
includes special features to support a one-pulse-per-second (1-pps)
|
|
signal generated by some radio clocks. When used in conjunction with a
|
|
suitable hardware level converter, the accuracy can be improved to the
|
|
order of 100 microseconds. Further improvement is possible using an
|
|
outboard, stabilized frequency source, in which the accuracy and
|
|
stability are limited only by the characteristics of that source.
|
|
|
|
The xntp3 distribution includes, in addition to the daemon itself
|
|
(xntpd), several utility programs, including two remote-monitoring
|
|
programs (ntpq, xntpdc), a remote clock-setting program similar to the
|
|
Unix rdate program (ntpdate), a traceback utility useful to discover
|
|
suitable synchronization sources (ntptrace), and various programs used
|
|
to configure the local platform and calibrate the intrinsic errors. NTP
|
|
has been ported to a large number of platforms, including most RISC and
|
|
CISC workstations and mainframes manufactured today. Example
|
|
configuration files for many models of these machines are included in
|
|
the xntp3 distribution. While in most cases the standard version of the
|
|
implementation runs with no hardware or operating-system modifications,
|
|
not all features of the distribution are available on all platforms. For
|
|
instance, a special feature allowing Sun 4s to achieve accuracies in the
|
|
order of 100 microseconds requires some minor changes and additions to
|
|
the kernel and input/output support.
|
|
|
|
There are, however, several drawbacks to all of this. Xntpd is very,
|
|
very fat. This is rotten if your intended platform for the daemon is
|
|
memory-limited. Xntpd uses SIGIO for all input, a facility which appears
|
|
to not enjoy universal support and whose use seems to exercise the parts
|
|
of your vendors' kernels which are most likely to have been done poorly.
|
|
The code is unforgiving in the face of kernel problems which affect
|
|
performance, and generally requires that you repair the problems in
|
|
order to achieve acceptable performance. The code has a distinctly
|
|
experimental flavour and contains features which could charitably be
|
|
termed failed experiments, but which have not been hacked out yet. There
|
|
is code which has not been thoroughly tested (e.g. leap-second support)
|
|
due to the inconvenience of setting up tests. Much was learned from the
|
|
addition of support for a variety of radio clocks, with the result that
|
|
this support could use some rewriting.
|
|
|
|
How NTP Works
|
|
|
|
The approach used by NTP to achieve reliable time synchronization from a
|
|
set of possibly unreliable remote time servers is somewhat different
|
|
than other such protocols. In particular, NTP does not attempt to
|
|
synchronize clocks to each other. Rather, each server attempts to
|
|
synchronize to UTC (i.e., Universal Coordinated Time) using the best
|
|
available source and available transmission paths to that source. This
|
|
is a fine point which is worth understanding. A group of NTP-
|
|
synchronized clocks may be close to each other in time, but this is not
|
|
a consequence of the clocks in the group having synchronized to each
|
|
other, but rather because each clock has synchronized closely to UTC via
|
|
the best source it has access to. As such, trying to synchronize a set
|
|
of clocks to a set of servers whose time is not in mutual agreement may
|
|
not result in any sort of useful synchronization of the clocks, even if
|
|
you don't care about UTC. NTP operates on the premise that there is one
|
|
true standard time, and that if several servers which claim
|
|
synchronization to standard time disagree about what that time is, then
|
|
one or more of them must be broken. There is no attempt to resolve
|
|
differences more gracefully since the premise is that substantial
|
|
differences cannot exist. In essence, NTP expects that the time being
|
|
distributed from the root of the synchronization subnet will be derived
|
|
from some external source of UTC (e.g. a radio clock). This makes it
|
|
somewhat inconvenient (though not impossible) to synchronize hosts
|
|
together without a reliable source of UTC to synchronize them to. If
|
|
your network is isolated and you cannot access other people's servers
|
|
across the Internet, a radio clock may make a good investment.
|
|
|
|
Time is distributed through a hierarchy of NTP servers, with each server
|
|
adopting a "stratum" which indicates how far away from an external
|
|
source of UTC it is operating at. Stratum-1 servers, which are at the
|
|
top of the pile (or bottom, depending on your point of view), have
|
|
access to some external time source, usually a radio clock synchronized
|
|
to time signal broadcasts from radio stations which explicitly provide a
|
|
standard time service. A stratum-2 server is one which is currently
|
|
obtaining time from a stratum-1 server, a stratum-3 server gets its time
|
|
from a stratum-2 server, and so on. To avoid long lived synchronization
|
|
loops the number of strata is limited to 15.
|
|
|
|
Each client in the synchronization subnet (which may also be a server
|
|
for other, higher stratum clients) chooses exactly one of the available
|
|
servers to synchronize to, usually from among the lowest stratum servers
|
|
it has access to. It is thus possible to construct a synchronization
|
|
subnet where each server has exactly one source of lower stratum time to
|
|
synchronize to. This is, however, not an optimal configuration, for
|
|
indeed NTP operates under another premise as well, that each server's
|
|
time should be viewed with a certain amount of distrust. NTP really
|
|
prefers to have access to several sources of lower stratum time (at
|
|
least three) since it can then apply an agreement algorithm to detect
|
|
insanity on the part of any one of these. Normally, when all servers are
|
|
in agreement, NTP will choose the best of these, where "best" is defined
|
|
in terms of lowest stratum, closest (in terms of network delay) and
|
|
claimed precision, along with several other considerations. The
|
|
implication is that, while one should aim to provide each client with
|
|
three or more sources of lower stratum time, several of these will only
|
|
be providing backup service and may be of lesser quality in terms of
|
|
network delay and stratum (i.e. a same-stratum peer which receives time
|
|
from lower stratum sources the local server doesn't access directly can
|
|
also provide good backup service).
|
|
|
|
Finally, there is the issue of association modes. There are a number of
|
|
modes in which NTP servers can associate with each other, with the mode
|
|
of each server in the pair indicating the behaviour the other server can
|
|
expect from it. In particular, when configuring a server to obtain time
|
|
from other servers, there is a choice of two modes which may be
|
|
alternatively used. Configuring an association in symmetric-active mode
|
|
(usually indicated by a "peer" declaration in configuration files)
|
|
indicates to the remote server that one wishes to obtain time from the
|
|
remote server and that one is also willing to supply time to the remote
|
|
server if need be. This mode is appropriate in configurations involving
|
|
a number of redundant time servers interconnected via diverse network
|
|
paths, which is presently the case for most stratum-1 and stratum-2
|
|
servers on the Internet today. Configuring an association in client mode
|
|
(usually indicated by a "server" declaration in configuration files)
|
|
indicates that one wishes to obtain time from the remote server, but that
|
|
one is not willing to provide time to the remote server. This mode is
|
|
appropriate for file-server and workstation clients that do not provide
|
|
synchronization to other local clients. Client mode is also useful for
|
|
boot-date-setting programs and the like, which really have no time to
|
|
provide and which don't retain state about associations over the longer
|
|
term.
|
|
|
|
Configuring Your Subnet
|
|
|
|
At startup time the xntpd daemon running on a host reads the initial
|
|
configuration information from a file, usually /etc/ntp.conf, unless a
|
|
different name has been specified at compile time. Putting something in
|
|
this file which will enable the host to obtain time from somewhere else
|
|
is usually the first big hurdle after installation of the software
|
|
itself, which is described in other documents included in the xntp3
|
|
distribution. At its simplest, what you need to do in the configuration
|
|
file is declare the servers that the daemon should poll for time
|
|
synchronization. In principle, no such list is needed if some other time
|
|
server explicitly mentions the host and is willing to provide
|
|
synchronization; however, this is considered dangerous, unless the
|
|
access control or authentication features (described later) are in use.
|
|
|
|
In the case of a workstation operating in an enterprise network for a
|
|
public or private organization, there is often an administrative
|
|
department that coordinates network services, including NTP. Where
|
|
available, the addresses of appropriate servers can be provided by that
|
|
department. However, if this infrastructure is not available, it is
|
|
necessary to explore some portion of the existing NTP subnet now running
|
|
in the Internet. There are at present many thousands of time servers
|
|
running NTP in the Internet, a significant number of which are willing
|
|
to provide a public time-synchronization service. Some of these are
|
|
listed in a file maintained on the Internet host louie.udel.edu
|
|
(128.175.1.3) on the path pub/ntp/doc/clock.txt. This file is updated on
|
|
a regular basis using information provided voluntarily by various site
|
|
administrators. There are other ways to explore the nearby subnet using
|
|
the ntptrace and ntpq programs. See the man pages for further
|
|
information on these programs.
|
|
|
|
It is vital to carefully consider the issues of robustness and
|
|
reliability when selecting the sources of synchronization. Normally, not
|
|
less than three sources should be available, preferably selected to
|
|
avoid common points of failure. It is usually better to choose sources
|
|
which are likely to be "close" to you in terms of network topology,
|
|
though you shouldn't worry overly about this if you are unable to
|
|
determine who is close and who isn't. Normally, it is much more serious
|
|
when a server becomes faulty and delivers incorrect time than when it
|
|
simply stops operating, since an NTP-synchronized host normally can
|
|
coast for hours or even days without its clock accumulating serious
|
|
error over one second, for instance. Selecting at least three sources
|
|
from different operating administrations, where possible, is the minimum
|
|
recommended, although a lesser number could provide acceptable service
|
|
with a degraded degree of robustness.
|
|
|
|
Normally, it is not considered good practice for a single workstation to
|
|
request synchronization from a primary (stratum-1) time server. At
|
|
present, these servers provide synchronization for hundreds of clients
|
|
in many cases and could, along with the network access paths, become
|
|
seriously overloaded if large numbers of workstation clients requested
|
|
synchronization directly. Therefore, workstations located in sparsely
|
|
populated administrative domains with no local synchronization
|
|
infrastructure should request synchronization from nearby stratum-2
|
|
servers instead. In most cases the keepers of those servers listed in
|
|
the clock.txt file provide unrestricted access without prior permission;
|
|
however, in all cases it is considered polite to notify the
|
|
administrator listed in the file upon commencement of regular service.
|
|
In all cases the access mode and notification requirements listed in the
|
|
file must be respected.
|
|
|
|
In the case of a gateway or file server providing service to a
|
|
significant number of workstations or file servers in an enterprise
|
|
network it is even more important to provide multiple, redundant sources
|
|
of synchronization and multiple, diversity-routed, network access paths.
|
|
The preferred configuration is at least three administratively
|
|
coordinated time servers providing service throughout the administrative
|
|
domain including campus networks and subnetworks. Each of these should
|
|
obtain service from at least two different outside sources of
|
|
synchronization, preferably via different gateways and access paths.
|
|
These sources should all operate at the same stratum level, which is one
|
|
less than the stratum level to be used by the local time servers
|
|
themselves. In addition, each of these time servers should peer with all
|
|
of the other time servers in the local administrative domain at the
|
|
stratum level used by the local time servers, as well as at least one
|
|
(different) outside source at this level. This configuration results in
|
|
the use of six outside sources at a lower stratum level (toward the
|
|
primary source of synchronization, usually a radio clock), plus three
|
|
outside sources at the same stratum level, for a total of nine outside
|
|
sources of synchronization. While this may seem excessive, the actual
|
|
load on network resources is minimal, since the interval between polling
|
|
messages exchanged between peers usually ratchets back to no more than
|
|
one message every 17 minutes.
|
|
|
|
The stratum level to be used by the local time servers is an engineering
|
|
choice. As a matter of policy, and in order to reduce the load on the
|
|
primary servers, it is desirable to use the highest stratum consistent
|
|
with reliable, accurate time synchronization throughout the
|
|
administrative domain. In the case of enterprise networks serving
|
|
hundreds or thousands of client file servers and workstations,
|
|
conventional practice is to obtain service from stratum-1 primary
|
|
servers such as listed in the clock.txt file. When choosing sources away
|
|
from the primary sources, the particular synchronization path in use at
|
|
any time can be verified using the ntptrace program included in the
|
|
xntp3 distribution. It is important to avoid loops and possible common
|
|
points of failure when selecting these sources. Note that, while NTP
|
|
detects and rejects loops involving neighboring servers, it does not
|
|
detect loops involving intervening servers. In the unlikely case that
|
|
all primary sources of synchronization are lost throughout the subnet,
|
|
the remaining servers on that subnet can form temporary loops and, if
|
|
the loss continues for an interval of many hours, the servers will drop
|
|
off the subnet and free-run with respect to their internal (disciplined)
|
|
timing sources.
|
|
|
|
In many cases the purchase of one or more radio clocks is justified, in
|
|
which cases good engineering practice is to use the configurations
|
|
described above and connect the radio clock to one of the local servers.
|
|
This server is then encouraged to participate in a special primary-
|
|
server subnetwork in which each radio-equipped server peers with several
|
|
other similarly equipped servers. In this way the radio-equipped server
|
|
may provide synchronization, as well as receive synchronization, should
|
|
the local or remote radio clock(s) fail or become faulty. Xntpd treats
|
|
attached radio clock(s) in the same way as other servers and applies the
|
|
same criteria and algorithms to the time indications, so can detect when
|
|
the radio fails or becomes faulty and switch to alternate sources of
|
|
synchronization. It is strongly advised, and in practice for most
|
|
primary servers today, to employ the authentication or access-control
|
|
features of the xntp3 distribution in order to protect against hostile
|
|
penetration and possible destabilization of the time service.
|
|
|
|
Using this or similar strategies, the remaining hosts in the same
|
|
administrative domain can be synchronized to the three (or more)
|
|
selected time servers. Assuming these servers are synchronized directly
|
|
to stratum-1 sources and operate normally as stratum-2, the next level
|
|
away from the primary source of synchronization, for instance various
|
|
campus file servers, will operate at stratum 3 and dependent
|
|
workstations at stratum 4. Engineered correctly, such a subnet will
|
|
survive all but the most exotic failures or even hostile penetrations of
|
|
the various, distributed timekeeping resources.
|
|
|
|
The above arrangement should provide very good, robust time service with
|
|
a minimum of traffic to distant servers and with manageable loads on the
|
|
local servers. While it is theoretically possible to extend the
|
|
synchronization subnet to even higher strata, this is seldom justified
|
|
and can make the maintenance of configuration files unmanageable.
|
|
Serving time to a higher stratum peer is very inexpensive in terms of
|
|
the load on the lower stratum server if the latter is located on the
|
|
same concatenated LAN. When justified by the accuracy expectations, NTP
|
|
can be operated in broadcast mode, so that clients need only listen for
|
|
periodic broadcasts and do not need to send anything.
|
|
|
|
When planning your network you might, beyond this, keep in mind a few
|
|
generic don'ts, in particular:
|
|
|
|
1. Don't synchronize a local time server to another peer at the same
|
|
stratum, unless the latter is receiving time from lower stratum
|
|
sources the former doesn't talk to directly. This minimizes the
|
|
occurance of common points of failure, but does not eliminate them
|
|
in cases where the usual chain of associations to the primary
|
|
sources of synchronization are disrupted due to failures.
|
|
2. Don't configure peer associations with higher stratum servers. Let
|
|
the higher strata configure lower stratum servers, but not the
|
|
reverse. This greatly simplifies configuration file maintenance,
|
|
since there is usually much greater configuration churn in the high
|
|
stratum clients such as personal workstations.
|
|
|
|
3. Don't synchronize more than one time server in a particular
|
|
administrative domain to the same time server outside that domain.
|
|
Such a practice invites common points of failure, as well as raises
|
|
the possibility of massive abuse, should the configuration file be
|
|
automatically distributed do a large number of clients.
|
|
|
|
There are many useful exceptions to these rules. When in doubt, however,
|
|
follow them.
|
|
|
|
Dennis Ferguson writes: Note that mention was made of machines with
|
|
"good" clocks versus machines with "bad" ones. There are two things that
|
|
make a clock good, the precision of the clock (e.g. how many low order
|
|
bits in a time value are actually significant) and the frequency of
|
|
occurance (or lack thereof) of such things as lost clock interrupts.
|
|
Among the most common computers I have observed there to be a fairly
|
|
simple algorithm for determining the goodness of its clock. If the
|
|
machine is a Vax, it probably has a good clock (the low order bit in the
|
|
time is in the microseconds and most of these seem to manage to get
|
|
along without losing clock interrupts). If the machine is a Sun 3 it
|
|
probably doesn't (the low order clock bit is at the 10 or 20 millisecond
|
|
mark and Sun 3s like to lose clock interrupts, particularly if they have
|
|
a screen and particularly if they run SunOS 4.0.x). If you have IBM RTs
|
|
running AOS 4.3, they have fair clocks (low order clock bit at about a
|
|
millisecond and they don't lose clock interrupts, though they do have
|
|
trouble with clock rollovers while reading the low order clock bits) but
|
|
I recommend them as low stratum NTP servers anyway since they aren't
|
|
much use as anything else. Sun 4s running SunOS 4.1.1 make very good
|
|
time servers, once some native foolishness mentioned below is
|
|
surmounted. [However, it is very important to avoid using the keyboard
|
|
firmware, which can cause severe interrupt latencies, in favor of the
|
|
software drivers ordinarily used in conjunction with a windowing system.
|
|
- DLM] For other machines you are on your own since I don't have enough
|
|
data points to venture an opinion. In any event, if at all possible you
|
|
should try to use machines with good clocks for the lower strata.
|
|
|
|
Configuring Your Server or Client
|
|
|
|
As mentioned previously, the configuration file is usually called
|
|
/etc/ntp.conf. This is an ASCII file conforming to the usual comment and
|
|
whitespace conventions. A working configuration file might look like (In
|
|
this and other examples, do not copy this directly.):
|
|
|
|
# peer configuration for 128.100.100.7
|
|
# (expected to operate at stratum 2)
|
|
|
|
server 128.4.1.1 # rackety.udel.edu
|
|
server 128.8.10.1 # umd1.umd.edu
|
|
server 192.35.82.50 # lilben.tn.cornell.edu
|
|
driftfile /etc/ntp.drift
|
|
|
|
This particular host is expected to operate as a client at stratum 2 by
|
|
virtue of the "server" keyward and the fact that two of the three
|
|
servers declared (the first two, actually) have radio clocks and usually
|
|
run at stratum 1. The third server in the list has no radio clock, but
|
|
is known to maintain associations with a number of stratum 1 peers and
|
|
usually operates at stratum 2. Of particular importance with the last
|
|
host is that it maintains associations with peers besides the two
|
|
stratum 1 peers mentioned. This can be verified using the ntpq program
|
|
included in the xntp3 distribution. When configured using the "server"
|
|
keyword, this host can receive synchronization from any of the listed
|
|
servers, but can never provide synchronization to them.
|
|
|
|
Unless restricted using facilities described later, this host can
|
|
provide synchronization to dependent clients, which do not have to be
|
|
listed in the configuration file. Associations maintained for these
|
|
clients are transitory and result in no persistent state in the host.
|
|
These clients are normally not visible using the ntpq program included
|
|
in the xntp3 distribution; however, xntpd includes a monitoring feature
|
|
(described later) which caches a minimal amount of client information
|
|
useful for debugging administrative purposes.
|
|
|
|
A time server expected to both receive synchronization from another
|
|
server, as well as to provide synchronization to it, is delared using
|
|
the "peer" keyword instead of the "server" keyword. In all other aspects
|
|
the server operates the same in either mode and can provide
|
|
synchronization to dependent clients or other peers. It is considered
|
|
good engineering practice to declare time servers outside the
|
|
administrative domain as "peer" and those inside as "server" in order to
|
|
provide redundancy in the global Internet, while minimizing the
|
|
possibility of instability within the domain itself. A time server in
|
|
one domain can in principle heal another domain temporarily isolated
|
|
from all other sources of synchronization. However, it is probably
|
|
unwise for a casual workstation to bridge fragments of the local domain
|
|
which have become temporarily isolated.
|
|
|
|
Note the inclusion of a "driftfile" declaration. One of the things the
|
|
NTP daemon does when it is first started is to compute the error in the
|
|
intrinsic frequency of the clock on the computer it is running on. It
|
|
usually takes about a day or so after the daemon is started to compute a
|
|
good estimate of this (and it needs a good estimate to synchronize
|
|
closely to its server). Once the initial value is computed, it will
|
|
change only by relatively small amounts during the course of continued
|
|
operation. The "driftfile" declaration indicates to the daemon the name
|
|
of a file where it may store the current value of the frequency error so
|
|
that, if the daemon is stopped and restarted, it can reinitialize itself
|
|
to the previous estimate and avoid the day's worth of time it will take
|
|
to recompute the frequency estimate. Since this is a desireable feature,
|
|
a "driftfile" declaration should always be included in the configuration
|
|
file.
|
|
|
|
An implication in the above is that, should xntpd be stopped for some
|
|
reason, the local platform time will diverge from UTC by an amount that
|
|
depends on the intrinsic error of the clock oscillator and the time
|
|
since last synchronized. In view of the length of time necessary to
|
|
refine the frequency estimate, every effort should be made to operate
|
|
the daemon on a continuous basis and minimize the intervals when for
|
|
some reason it is not running.
|
|
|
|
Xntpd3 Versus Previous Versions
|
|
|
|
There are several items of note when dealing with a mixture of xntp3 and
|
|
and previous distributions of xntp (NTP Version 2 xntpd) and ntp3.4 (NTP
|
|
Version 1 ntpd). The xntp3 implementation of xntpd is an NTP Version 3
|
|
implementation. As such, by default when no additional information is
|
|
available concerning the preferences of the peer, xntpd claims to be
|
|
version 3 in the packets that it sends.
|
|
|
|
An NTP implementation conforming to a previous version specification
|
|
ordinarily discards packets from a later version. However, in most
|
|
respects documented in RFC 1305, the previous version is compatible with
|
|
the version-3 algorithms and protocol. Ntpd, while implementing most of
|
|
the version-2 algorithms, still believes itself to be a version-1
|
|
implementation. The sticky part here is that, when either xntpd version
|
|
2 or ntpd version 1 receives a packet claiming to be from a version-3
|
|
server, it discards it without further processing. Hence there is a
|
|
danger that in some situations synchronization with previous versions
|
|
will fail.
|
|
|
|
Xntpd is aware of this problem. In particular, when xntpd is polled
|
|
first by a host claiming to be a previous version 1 or version 2
|
|
implementation, xntpd claims to be a version 1 or 2 implementation,
|
|
respectively, in packets returned to the poller. This allows xntpd to
|
|
serve previous version clients transparently. The trouble occurs when an
|
|
previous version is to be included in an xntpd configuration file. With
|
|
no further indication, xntpd will send packets claiming to be version 3
|
|
when it polls. To get around this, xntpd allows a qualifier to be added
|
|
to configuration entries to indicate which version to use when polling.
|
|
Hence the entry
|
|
|
|
# specify NTP version 1
|
|
|
|
peer 130.43.2.2 version 1 # apple.com (running ntpd version 1)
|
|
peer 130.43.2.2 version 2 # apple.com (running xntpd version 2)
|
|
|
|
will cause version 1 packets to be sent to the host address 130.43.2.2.
|
|
If you are testing xntpd against previous version servers you will need
|
|
to be careful about this. Note that, as indicated in the RFC 1305
|
|
specification, there is no longer support for the original NTP
|
|
specification, popularly called NTP Version 0.
|
|
|
|
There are a few other items to watch when converting an ntpd
|
|
configuration file for use with xntpd. The first is to reconsider the
|
|
precision entry from the configuration file, if there is one. There was
|
|
a time when the precision claimed by a server was mostly commentary,
|
|
with no particularly useful purpose. This is no longer the case,
|
|
however, and so changing the precision a server claims should only be
|
|
done with some consideration as to how this alters the performance of
|
|
the server. The default precision claimed by xntpd will be right for
|
|
most situations. A section later on will deal with when and how it is
|
|
appropriate to change a server's precision without doing things you
|
|
don't intend.
|
|
|
|
Second, note that in the example configuration file above numeric
|
|
addresses are used in the peer and server declarations. It is also
|
|
possible to use names requiring resolution instead, but only if some
|
|
additional configuration is done (xntpd doesn't include the resolver
|
|
routines itself, and requires that a second program be used to do name
|
|
resolution). If you find numeric addresses offensive, see below.
|
|
|
|
Finally, "passive" and "client" entries in an ntpd configuration file
|
|
have no useful equivalent semantics for xntpd and should be deleted.
|
|
Xntpd won't reset the kernel variable tickadj when it starts, so you can
|
|
remove anything dealing with this in the configuration file. The
|
|
configuration of radio clock peers is done using different language in
|
|
xntpd configuration files, so you will need to delete these entries from
|
|
your ntpd configuration file and see below for the equivalent language.
|
|
|
|
Traffic Monitoring
|
|
|
|
Xntpd handles peers whose stratum is higher than the stratum of the
|
|
local server and pollers using client mode by a fast path which
|
|
minimizes the work done in responding to their polls, and normally
|
|
retains no memory of these pollers. Sometimes, however, it is
|
|
interesting to be able to determine who is polling the server, and how
|
|
often, as well as who has been sending other types of queries to the
|
|
server.
|
|
|
|
To allow this, xntpd implements a traffic monitoring facility which
|
|
records the source address and a minimal amount of other information
|
|
from each packet which is received by the server. This can be enabled by
|
|
adding the following line to the server's configuration file:
|
|
|
|
# enable monitoring feature
|
|
|
|
monitor yes
|
|
|
|
The recorded information can be displayed using the xntpdc query
|
|
program, described briefly below.
|
|
|
|
Address-and-Mask Restrictions
|
|
|
|
The address-and-mask configuration facility supported by xntpd is quite
|
|
flexible and general, but is not an integral part of the NTP Version 3
|
|
specification. The major drawback is that, while the internal
|
|
implementation is very nice, the user interface sucks. For this reason
|
|
it is probably worth doing an example here. Briefly, the facility works
|
|
as follows. There is an internal list, each entry of which holds an
|
|
address, a mask and a set of flags. On receipt of a packet, the source
|
|
address of the packet is compared to each entry in the list, with a
|
|
match being posted when the following is true:
|
|
|
|
(source_addr & mask) == (address & mask)
|
|
|
|
A particular source address may match several list entries. In this case
|
|
the entry with the most one bits in the mask is chosen. The flags
|
|
associated with this entry are used to control the access.
|
|
|
|
In the current implementation the flags always add restrictions. In
|
|
effect, an entry with no flags set leaves matching hosts unrestricted.
|
|
An entry can be added to the internal list using a "restrict"
|
|
declaration. The flags associated with the entry are specified
|
|
textually. For example, the "notrust" flag indicates that hosts matching
|
|
this entry, while treated normally in other respects, shouldn't be
|
|
trusted to provide synchronization even if otherwise so enabled. The
|
|
"nomodify" flag indicates that hosts matching this entry should not be
|
|
allowed to do run time configuration. There are many more flags, see the
|
|
xntpd.8 man page.
|
|
|
|
Now the example. Suppose you are running the server on a host whose
|
|
address is 128.100.100.7. You would like to ensure that run time
|
|
reconfiguration requests can only be made from the local host and that
|
|
the server only ever synchronizes to one of a pair of off-campus servers
|
|
or, failing that, a time source on net 128.100. The following entries in
|
|
the configuration file would implement this policy:
|
|
|
|
# by default, don't trust and don't allow modifications
|
|
|
|
restrict default notrust nomodify
|
|
|
|
# these guys are trusted for time, but no modifications allowed
|
|
|
|
restrict 128.100.0.0 mask 255.255.0.0 nomodify
|
|
restrict 128.8.10.1 nomodify
|
|
restrict 192.35.82.50 nomodify
|
|
|
|
# the local addresses are unrestricted
|
|
|
|
restrict 128.100.100.7
|
|
restrict 127.0.0.1
|
|
|
|
The first entry is the default entry, which all hosts match and hence
|
|
which provides the default set of flags. The next three entries indicate
|
|
that matching hosts will only have the nomodify flag set and hence will
|
|
be trusted for time. If the mask isn't specified in the restrict
|
|
keyward, it defaults to 255.255.255.255. Note that the address
|
|
128.100.100.7 matches three entries in the table, the default entry
|
|
(mask 0.0.0.0), the entry for net 128.100 (mask 255.255.0.0) and the
|
|
entry for the host itself (mask 255.255.255.255). As expected, the flags
|
|
for the host are derived from the last entry since the mask has the most
|
|
bits set.
|
|
|
|
The only other thing worth mentioning is that the restrict declarations
|
|
apply to packets from all hosts, including those that are configured
|
|
elsewhere in the configuration file and even including your clock
|
|
pseudopeer(s), in any. Hence, if you specify a default set of
|
|
restrictions which you don't wish to be applied to your configured
|
|
peers, you must remove those restrictions for the configured peers with
|
|
additional restrict declarations mentioning each peer separately.
|
|
|
|
Authentication
|
|
|
|
Xntpd supports the optional authentication procedure specified in the
|
|
NTP Version 2 and 3 specifications. Briefly, when an association runs in
|
|
authenticated mode, each packet transmitted has appended to it a 32-bit
|
|
key ID and a 64-bit crypto checksum of the contents of the packet
|
|
computed using either the Data Encryption Standard (DES) or Message
|
|
Digest (MD5) algorithms. Note that while either of these algorithms
|
|
provide sufficient protection from message-modification attacks,
|
|
distribution of the former algorithm implementation is restricted to the
|
|
U.S. and Canada, while the latter presently is free from such
|
|
restrictions. With either algorithm the receiving peer recomputes the
|
|
checksum and compares it with the one included in the packet. For this
|
|
to work, the peers must share at least one encryption key and,
|
|
furthermore, must associate the shared key with the same key ID.
|
|
|
|
This facility requires some minor modifications to the basic packet
|
|
processing procedures, as required by the specification. These
|
|
modifications are enabled by the "authenticate" configuration
|
|
declaration. In particular, in authenticated mode, peers which send
|
|
unauthenticated packets, peers which send authenticated packets which
|
|
the local server is unable to decrypt and peers which send authenticated
|
|
packets encrypted using a key we don't trust are all marked
|
|
untrustworthy and unsuitable for synchronization. Note that, while the
|
|
server may know many keys (identified by many key IDs), it is possible
|
|
to declare only a subset of these as trusted. This allows the server to
|
|
share keys with a client which requires authenticated time and which
|
|
trusts the server but which is not trusted by the server. Also, some
|
|
additional configuration language is required to specify the key ID to
|
|
be used to authenticate each configured peer association. Hence, for a
|
|
server running in authenticated mode, the configuration file might look
|
|
similar to the following:
|
|
|
|
# peer configuration for 128.100.100.7
|
|
# (expected to operate at stratum 2)
|
|
# fully authenticated this time
|
|
|
|
peer 128.100.49.105 key 22 # suzuki.ccie.utoronto.ca
|
|
peer 128.8.10.1 key 4 # umd1.umd.edu
|
|
peer 192.35.82.50 key 6 # lilben.tn.cornell.edu
|
|
authenticate yes # enable authentication
|
|
keys /usr/local/bin/ntp.keys # path for key file
|
|
trustedkey 1 2 14 15 # define trusted keys
|
|
requestkey 15 # key (7) for accessing server variables
|
|
controlkey 15 # key (6) for accessing server variables
|
|
|
|
#authdelay 0.000047 # authentication delay (Sun4c/50 IPX DES)
|
|
authdelay 0.000094 # authentication delay (Sun4c/50 IPX MD5)
|
|
|
|
There are a couple of previously unmentioned things in here. The
|
|
"authenticate yes" line enables authentication processing, while the
|
|
"keys /usr/local/bin/ntp.keys" specifies the path to the keys file (see
|
|
below and the xntpd.8 man page for detaiils of the file format). The
|
|
"trustedkey" declaration identifies those keys that are known to be
|
|
uncompromised; the remainder presumably represent the expired or
|
|
possibly compromised keys. Both sets of keys must be declared by key
|
|
identifier in the ntp.keys file described below. This provides a way to
|
|
retire old keys while minimrequestkey 15izing the frequency of delicate
|
|
key-distribution procedures. The "requestkey 15" line establishes the
|
|
key to be used for mode-6 control messages as specified in RFC 1305 and
|
|
used by the ntpq utility program, while the "controlkey 15" establishes
|
|
the key to be used for mode-7 private control messages used by the
|
|
xntpdc utility program these keys are used to prevent unauthorized
|
|
modification of daemon variables.
|
|
|
|
The "authdelay" declaration is an estimate of the amount of processing
|
|
time taken between the freezing of a transmit timestamp and the actual
|
|
transmission of the packet when authentication is enabled (i.e. more or
|
|
less the time it takes for the DES or MD5 routine to encrypt a single
|
|
block), and is used as a correction for the transmit timestamp. This can
|
|
be computed for your CPU by the authspeed program included in the
|
|
authstuff directory in the xntp3 distribution. The usage is illustrated
|
|
to the following:
|
|
|
|
# for DES keys
|
|
|
|
authspeed -n 30000 auth.samplekeys
|
|
|
|
# for MD5 keys
|
|
|
|
authspeed -nd 30000 auth.samplekeys
|
|
|
|
Additional utility programs included in the authstuff directory can be
|
|
used to generate random keys, certify implementation correctness and
|
|
display sample keys. As a general rule, keys should be chosen randomly,
|
|
except possibly the request and control keys, which must be entered by
|
|
the user as a password.
|
|
|
|
The ntp.keys file contains the list of keys and associated key IDs the
|
|
server knows about (for obvious reasons this file is better left
|
|
unreadable by anyone except the server). The contents of this file might
|
|
look like:
|
|
|
|
# ntp keys file (ntp.keys)
|
|
|
|
1 N 29233E0461ECD6AE # des key in NTP format
|
|
2 M RIrop8KPPvQvYotM # md5 key as an ASCII random string
|
|
14 M sundial # md5 key as an ASCII string
|
|
15 A sundial # des key as an ASCII string
|
|
|
|
# the following 3 keys are identical
|
|
|
|
10 A SeCReT
|
|
10 N d3e54352e5548080
|
|
10 S a7cb86a4cba80101
|
|
|
|
In the keys file the first token on each line indicates the key ID, the
|
|
second token the format of the key and the third the key itself. There
|
|
are four key formats. An "A" indicates a DES key written as a 1-to-8
|
|
character string in 7-bit ASCII representation, with each character
|
|
standing for a key octet (like a Unix password). An "S" indicates a DES
|
|
key written as a hex number in the DES standard format, with the low
|
|
order bit (LSB) of each octet being the (odd) parity bit. An "N"
|
|
indicates a DES key again written as a hex number, but in NTP standard
|
|
format with the high order bit of each octet being the (odd) parity bit
|
|
(confusing enough?). An "M" indicates an MD5 key written as a 1-to-31
|
|
character ASCII string in the "A" format. Note that, because of the
|
|
simple tokenizing routine, the characters ' ', '#', '\t', '\n' and '\0'
|
|
can't be used in either a DES or MD5 ASCII key. Everything else is fair
|
|
game, though. Key 0 (zero) is used for special purposes and should not
|
|
appear in this file.
|
|
|
|
The big trouble with the authentication facility is the keys file. It is
|
|
a maintenance headache and a security problem. This should be fixed some
|
|
day. Presumably, this whole bag of worms goes away if/when a generic
|
|
security regime for the Internet is established.
|
|
|
|
Query Programs
|
|
|
|
Three utility query programs are included with the xntp3 distribution,
|
|
ntpq, ntptrace and xntpdc. Ntpq is a rather handy program which sends
|
|
queries and receives responses using NTP standard mode-6 control
|
|
messages. Since it uses the standard control protocol specified in RFC
|
|
1305, it may be used with NTP Version 2 and Version 3 implementations
|
|
for both Unix and Fuzzball, but not Version 1 implementations. It is
|
|
most useful to query remote NTP implementations to assess timekeeping
|
|
accuracy and expose bugs in configuration or operation.
|
|
|
|
Ntptrace can be used to display the current synchronization path from a
|
|
selected host through possibly intervening servers to the primary source
|
|
of synchronization, usually a radio clock. It works with both version 2
|
|
and version 3 servers, but not version 1.
|
|
|
|
Xnptdc is a horrid program which uses NTP private mode-7 control
|
|
messages to query local or remote servers. The format and and contents
|
|
of these messages are specific to xntpd. The program does allow
|
|
inspection of a wide variety of internal counters and other state data,
|
|
and hence does make a pretty good debugging tool, even if it is
|
|
frustrating to use. The other thing of note about xntpdc is that it
|
|
provides a user interface to the run time reconfiguration facility.
|
|
|
|
See the respective man pages for details on the use of these programs.
|
|
The primary reason for mentioning them here is to point out an
|
|
inconsistancy which can be awfully annoying if it catches you, and which
|
|
is worth keeping firmly in mind. Both xntpdc and xntpd demand that
|
|
anything which has dimensions of time be specified in units of seconds,
|
|
both in the configuration file and when doing run time reconfiguration.
|
|
Both programs also print the values in seconds. Ntpq on the other hand,
|
|
obeys the standard by printing all time values in milliseconds. This
|
|
makes the process of looking at values with ntpq and then changing them
|
|
in the configuration file or with xntpdc very prone to errors (by three
|
|
orders of magnitude). I wish this problem didn't exist, but xntpd and
|
|
its love of seconds predate the mode-6 protocol and the latter's
|
|
(Fuzzball-inspired) millisecond orientation, making the inconsistancy
|
|
irresolvable without considerable work.
|
|
|
|
Run Time Reconfiguration
|
|
|
|
Xntpd was written specifically to allow its configuration to be fully
|
|
modifiable at run time. Indeed, the only way to configure the server is
|
|
at run time. The configuration file is read only after the rest of the
|
|
server has been initialized into a running, but default unconfigured,
|
|
state. This facility was included not so much for the benefit of Unix,
|
|
where it is handy but not strictly essential, but rather for dedicated
|
|
platforms where the feature is more important for maintenance.
|
|
Nevertheless, run time configuration works very nicely for Unix servers
|
|
as well.
|
|
|
|
Nearly all of the things it is possible to configure in the
|
|
configuration file may be altered via NTP mode-7 messages using the
|
|
xntpdc program. Mode-6 messages may also provide some limited
|
|
configuration functionality (though the only thing you can currently do
|
|
with mode-6 messages is set the leap-second warning bits) and the ntpq
|
|
program provides generic support for the latter. The leap bits that can be
|
|
set in the leap_warning variable (up to one month ahead) and in the
|
|
leap_indication variable have a slightly different encoding than the
|
|
usual interpretation:
|
|
|
|
Value Action
|
|
00 The daemon passes the leap bits of its
|
|
synchronisation source (usual mode of operation)
|
|
01/10 A leap second is added/deleted
|
|
11 Leap information from the sychronisation source
|
|
is ignored (thus LEAP_NOWARNING is passed on)
|
|
|
|
Mode-6 and mode-7 messages which would modify the configuration of the
|
|
server are required to be authenticated using standard NTP
|
|
authentication. To enable the facilities one must, in addition to
|
|
specifying the location of a keys file, indicate in the configuration
|
|
file the key IDs to be used for authenticating reconfiguration commands.
|
|
Hence the following fragment might be added to a configuration file to
|
|
enable the mode-6 (ntpq) and mode-7 (xntpdc) facilities in the daemon:
|
|
|
|
# specify mode-6 and mode-7 trusted keys
|
|
|
|
requestkey 65535 # for mode-7 requests
|
|
controlkey 65534 # for mode-6 requests
|
|
|
|
If the "requestkey" and/or the "controlkey" configuration declarations
|
|
are omitted from the configuration file, the corresponding run time
|
|
reconfiguration facility is disabled.
|
|
|
|
The query programs require the user to specify a key ID and a key to use
|
|
for authenticating requests to be sent. The key ID provided should be
|
|
the same as the one mentioned in the configuration file, while the key
|
|
should match that corresponding to the key ID in the keys file. As the
|
|
query programs prompt for the key as a password, it is useful to make
|
|
the request and control authentication keys typable (in ASCII format)
|
|
from the keyboard.
|
|
|
|
Name Resolution
|
|
|
|
Xntpd includes the cability to specify host names requiring resolution
|
|
in "peer" and "server" declarations in the configuration file. There are
|
|
several reasons why this was not permitted in the past. Chief among
|
|
these is the fact that name service is unreliable and the interface to
|
|
the Unix resolver routines is synchronous. The hangups and delays
|
|
resulting from name-resolver clanking can be unacceptable once the NTP
|
|
server is running (and remember it is up and running before the
|
|
configuration file is read). However, it is advantageous to resolve time
|
|
server names, since their addresses are occasionally changed.
|
|
|
|
Instead of running the resolver itself the daemon can defer this task to
|
|
a separate program, xntpres. When the daemon comes across a "peer" or
|
|
"server" entry with a non-numeric host address it records the relevant
|
|
information in a temporary file and continues on. When the end of the
|
|
configuration file has been reached and one or more entries requiring
|
|
name resolution have been found, the server runs an instance of xntpres
|
|
with the temporary file as an argument. The server then continues on
|
|
normally but with the offending peers/servers omitted from its
|
|
configuration.
|
|
|
|
When xntpres successfully resolves a name from this file, it configures
|
|
the associated entry into the server using the same mode-7 run time
|
|
reconfiguration facility that xntpdc uses. If temporary resolver
|
|
failures occur, xntpres will periodically retry the offending requests
|
|
until a definite response is received. The program will continue to run
|
|
until all entries have been resolved.
|
|
There are several configuration requirements if xntpres is to be used.
|
|
The path to the xntpres program must be made known to the daemon via a
|
|
"resolver" configuration entry, and mode-7 run time reconfiguration must
|
|
be enabled. The following fragment might be used to accomplish this:
|
|
|
|
# specify host name resolver data
|
|
|
|
resolver /local/etc/xntpres
|
|
keys /etc/ntp.keys
|
|
requestkey 65535
|
|
|
|
Note that xntpres sends packets to the server with a source address of
|
|
127.0.0.1. You should obviously avoid "restrict" modification requests
|
|
from this address or xntpres will fail.
|
|
|
|
Dealing with Frequency Tolerance Violations (Tickadj and Friends)
|
|
|
|
The NTP Version 3 specification RFC 1305 calls for a maximum oscillator
|
|
frequency tolerance of +-100 parts-per-million (ppm), which is
|
|
representative of those components suitable for use in relatively
|
|
inexpensive workstation platforms. For those platforms meeting this
|
|
tolerance, NTP will automatically compensate for the frequency errors of
|
|
the individual oscillator and no further adjustments are required,
|
|
either to the configuration file or to various kernel variables.
|
|
|
|
However, in the case of certain notorious platforms, in particular Sun
|
|
4s, the 100-ppm tolerance is routinely violated. In such cases it may be
|
|
necessary to adjust the values of certain kernel variables; in
|
|
particular, "tick" and "tickadj". The variable tick is the increment in
|
|
microseconds added to the system time on each interval-timer interrupt,
|
|
while the variable tickadj is used by the time adjustment code as a slew
|
|
rate. When the time is being adjusted via a call to the system routine
|
|
adjtime(), the kernel increases or reduces tick by tickadj microseconds
|
|
until the specified adjustment has been completed. Unfortunately, in
|
|
most Unix implementations the tick increment must be either zero or
|
|
plus/minus exactly tickadj microseconds, meaning that adjustments are
|
|
truncated to be an integral multiple of tickadj (this latter behaviour
|
|
is a misfeature, and is the only reason the xntpd code needs to concern
|
|
itself with the internal implementation of adjtime() at all). In
|
|
addition, the stock Unix implementation considers it an error to request
|
|
another adjustment before a prior one has completed.
|
|
|
|
Thus, to make very sure it avoids problems related to the roundoff, the
|
|
xntpd daemon reads the values of tick and tickadj from /dev/kmem when it
|
|
starts. It then ensures that all adjustments given to adjtime() are an
|
|
even multiple of tickadj microseconds and computes the largest
|
|
adjustment that can be completed in the adjustment interval (using both
|
|
the value of tickadj and the value of tick) so it can avoid exceeding
|
|
this limit.
|
|
|
|
Unfortunately, the value of tickadj set by default is almost always too
|
|
large for xntpd. NTP operates by continuously making small adjustments
|
|
to the clock, usually at one-second intervals. If tickadj is set too
|
|
large, the adjustments will disappear in the roundoff; while, if tickadj
|
|
is too small, NTP will have difficulty if it needs to make an occasional
|
|
large adjustment. While the daemon itself will read the kernel's values
|
|
of tick and tickadj, it will not change the values, even if they are
|
|
unsuitable. You must do this yourself before the daemon is started,
|
|
either with adb or, in the running kernel only, with the tickadj program
|
|
included in the util directory of the xntp3 distribution. Note that the
|
|
latter program will also computes an optimal value of tickadj for NTP
|
|
use based on the kernel's value of tick.
|
|
|
|
The tickadj program can reset several other kernel variables if asked.
|
|
It can also change the value of tick if asked, this being necessary on a
|
|
few machines with very broken clocks, like Sun 4s. With these machines
|
|
it should also set the value of the kernel dosynctodr variable to zero.
|
|
This variable controls whether to synchronize the system clock to the
|
|
time-of-day clock, something you really don't want to be happen when
|
|
xntpd is trying to keep it under control.
|
|
|
|
In order to maintain reasonable correctness bounds, as well as
|
|
reasonably good accuracy with acceptable polling intervals, xntpd will
|
|
complain if the frequency error is greater than 100 ppm. For machines
|
|
with a value of tick in the 10-ms range, a change of one in the value of
|
|
tick will change the frequency by about 100 ppm. In order to determine
|
|
the value of tick for a particular CPU, disconnect the machine from all
|
|
sources of time (dosynctodr = 0) and record its actual time compared to
|
|
an outside source (eyeball-and-wristwatch will do) over a day or more.
|
|
Multiply the time change over the day by 0.116 and add or subtract the
|
|
result to tick, depending on whether the CPU is fast or slow. An example
|
|
call to tickadj useful on Sun 4s is:
|
|
|
|
tickadj -t 9999 -a 5 -s
|
|
|
|
which sets tick 100 ppm fast, tickadj to 5 microseconds and turns off
|
|
the clock/calendar chip fiddle. This line can be added to the rc.local
|
|
configuration file to automatically set the kernel variables at boot
|
|
time.
|
|
|
|
All this stuff about diddling kernel variables so the NTP daemon will
|
|
work is really silly. If vendors would ship machines with clocks that
|
|
kept reasonable time and would make their adjtime() system call apply
|
|
the slew it is given exactly, independent of the value of tickadj, all
|
|
this could go away.
|
|
|
|
Tuning Your Subnet
|
|
|
|
There are several parameters available for tuning the NTP subnet for
|
|
maximum accuracy and minimum jitter. Two important parameters are the
|
|
the "precision" and "prefer" configuration declarations. The precision
|
|
declaration specifies the number of significant bits of the system clock
|
|
representation relative to one second. For instance, the default value
|
|
of -6 corresponds to 1/64 second or about 16 milliseconds.
|
|
|
|
The NTP protocol makes use of the precision parameter in several places.
|
|
It is included in packets sent to peers and is used by them to calculate
|
|
the maximum absolute error and maximum statistical error. When faced
|
|
with selecting one of several servers of the same stratum and about the
|
|
same network path delay for synchronization purposes, clients will
|
|
usually prefer to synchronize to those servers claiming the smallest
|
|
(most negative) precision, since this maximizes the accuracy and
|
|
minimizes the jitter apparent to application programs running on the
|
|
client platform. Therefore, when the maximum attainable accuracy is
|
|
required, it is important that every platform configure an accurate
|
|
value for the precision variable. This can be done using the optional
|
|
"precision" declaration in the configuration file:
|
|
|
|
# precision declaration
|
|
|
|
precision -18 # for microsecond clocks (Sun 4s, DEC 5000/240)
|
|
|
|
When more than one eligible server exists, the NTP clock-selection and
|
|
combining algorithms act to winnow out all except the "best" set of
|
|
servers using several criteria based on differences between the readings
|
|
of different servers and between successive readings of the same server.
|
|
The result is usually a set of surviving servers that are apparently
|
|
statistically equivalent in accuracy, jitter and stability. The
|
|
population of survivors remaining in this set depends on the individual
|
|
server characteristics measured during the selection process and may
|
|
vary from time to time as the result of normal statistical variations.
|
|
In LANs with high speed RISC-based time servers, the population can
|
|
become somewhat unstable, with individual servers popping in and out of
|
|
the surviving population, generally resulting in a regime called
|
|
clockhopping.
|
|
|
|
When only the smallest residual jitter can be tolerated, it may be
|
|
convenient to elect one of the servers at each stratum level as the
|
|
preferred one using the keyword "prefer" on the configuration
|
|
declaration for the selected server:
|
|
|
|
# prefered server declaration
|
|
|
|
peer 128.4.1.1 prefer # preferred server
|
|
|
|
The preferred server will always be included in the surviving
|
|
population, regardless of its characteristics and as long as it survives
|
|
preliminary sanity checks and validation procedures.
|
|
|
|
The most useful application of the prefer keyword is in high speed LANs
|
|
equipped with precision radio clocks, such as a GPS receiver. In order
|
|
to insure robustness, the hosts need to include outside peers as well as
|
|
the GPS-equipped server; however, as long as that server is running, the
|
|
synchronization preference should be that server. The keyword should
|
|
normally be used in all cases in order to prefer an attached radio
|
|
clock. It is probably inadvisable to use this keyword for peers outside
|
|
the LAN, since it interferes with the carefully crafted judgement of the
|
|
selection and combining algorithms.
|
|
|
|
Provisions for Leap Seconds and Accuracy Metrics
|
|
|
|
Xntpd understands leap seconds and will attempt to take appropriate
|
|
action when one occurs. In principle, every host running xntpd will
|
|
insert a leap second in the local timescale in precise synchronization
|
|
with UTC. This requires that the leap-warning bits be manually activated
|
|
some time prior to the occurance of a leap second at the primary
|
|
(stratum 1) servers. Subsequently, these bits are propagated throughout
|
|
the subnet depending on these servers by the NTP protocol itself and
|
|
automatically implemented by xntpd and the time-conversion routines of
|
|
each host. The implementation is independent of the idiosyncracies of
|
|
the particular radio clock, which vary widely among the various devices,
|
|
as long as the idiosyncratic behavior does not last for more than about
|
|
20 minutes following the leap. Provisions are included to modify the
|
|
behavior in cases where this cannot be guaranteed.
|
|
|
|
While provisions for leap seconds have been carefully crafted so that
|
|
correct timekeeping immediately before, during and after the occurance
|
|
of a leap second is scrupulously correct, stock Unix systems are mostly
|
|
inept in responding to the available information. This caveat goes also
|
|
for the maximum-error and statistical-error bounds carefully calculated
|
|
for all clients and servers, which could be very useful for application
|
|
programs needing to calibrate the delays and offsets to achieve a near-
|
|
simulataneous commit procedure, for example. While this information is
|
|
maintained in the xntpd data structures, there is at present no way for
|
|
application programs to access it. This may be a topic for further
|
|
development.
|
|
|
|
Clock Support Overview
|
|
|
|
Xntpd was designed to support radio (and other external) clocks and does
|
|
some parts of this function with utmost care. Clocks are treated by the
|
|
protocol as ordinary NTP peers, even to the point of referring to them
|
|
with an (invalid) IP host address. Clock addresses are of the form
|
|
127.127.t.u, where t specifies the particular type of clock (i.e. refers
|
|
to a particular clock driver) and u is a unit number whose
|
|
interpretation is clock-driver dependent. This is analogous to the use
|
|
of major and minor device numbers by Unix and permits multiple
|
|
instantiations of clocks of the same type on the same server, should
|
|
such magnificant redundancy be required.
|
|
|
|
Because clocks look much like peers, both configuration file syntax and
|
|
run time reconfiguration commands can be be used to control clocks in
|
|
the same way as ordinary peers. Clocks are configured via "server"
|
|
declarations in the configuration file, can be started and stopped using
|
|
xntpdc and are subject to address-and-mask restrictions much like a
|
|
normal peer, should this stretch of imagination ever be useful. As a
|
|
concession to the need to sometimes transmit additional information to
|
|
clock drivers, an additional configuration file is available: the
|
|
"fudge" statement. This enables one to specify the values two time
|
|
quantities, two integral values and two flags, the use of which is
|
|
dependent on the particular clock driver. For example, to configure a
|
|
PST radio clock which can be accessed through the serial device
|
|
/dev/pst1, with propagation delays to WWV and WWVH of 7.5 and 26.5
|
|
milliseconds, respectively, on a machine with an imprecise system clock
|
|
and with the driver set to disbelieve the radio clock once it has gone
|
|
30 minutes without an update, one might use the following configuration
|
|
file entries:
|
|
|
|
# radio clock fudge fiddles
|
|
|
|
server 127.127.3.1
|
|
fudge 127.127.3.1 time1 0.0075 time2 0.0265
|
|
fudge 127.127.3.1 value2 30 flag1 1
|
|
|
|
Additional information on the interpretation of these data with respect
|
|
to various radio clock drivers is given in the xntpd.8 man page.
|
|
|
|
Towards the Ultimate Tick
|
|
|
|
This section consideres issues in providing precision time
|
|
synchronization in NTP subnets which need the highest quality time
|
|
available in the present technology. These issues are important in
|
|
subnets supporting real-time services such as distributed multimedia
|
|
conferencing and wide-are experiment control and monitoring.
|
|
|
|
In the Internet of today synchronization paths often span continents and
|
|
oceans with moderate to high variations in delay due to traffic spasms.
|
|
NTP is specifically designed to minimize timekeeping jitter due to delay
|
|
variations using intricately crafted filtering and selection algorithms;
|
|
however, in cases where these variations are as much as a second or
|
|
more, the residual jitter following these algorithms may still be
|
|
excessive. Sometimes, as in the case of some isolated NTP subnets where
|
|
a local source of precision time is available, such as a 1-pps signal
|
|
produced by a calibrated cesium clock, it is possible to remove the
|
|
jitter and retime the local clock oscillator of the NTP server. This has
|
|
turned out to be a useful feature to improve the synchronization quality
|
|
of time distributed in remote places where radio clocks are not
|
|
available. In these cases special features of the xntp3 distribution are
|
|
used together with the 1-pps signal to provide a jitter-free timing
|
|
signal, while NTP itself is used to provide the coarse timing and
|
|
resolve the seconds numbering.
|
|
|
|
Most available radio clocks can provide time to an accuracy in the order
|
|
of milliseconds, depending on propagation conditions, local noise levels
|
|
and so forth. However, as a practical matter, all clocks can
|
|
occasionally display errors significantly exceeding nominal
|
|
specifications. Usually, the algorithms used by NTP for ordinary network
|
|
peers, as well as radio clock "peers" will detect and discard these
|
|
errors as discrepancies between the disciplined local clock oscillator
|
|
and the decoded time message produced by the radio clock. Some radio
|
|
clocks can produce a special 1-pps signal which can be interfaced to the
|
|
server platform in a number of ways and used to substantially improve
|
|
the (disciplined) clock oscillator jitter and wander characteristics by
|
|
at least an order of magnitude. Using these features it is possible to
|
|
achieve accuracies in the order of 100 microseconds with a fast RISC-
|
|
based platform.
|
|
|
|
There are three ways to implement 1-pps support, depending on the radio
|
|
clock model, platform model and serial line interface. Each of these
|
|
requires circuitry to convert the TTL signal produced by most clocks to
|
|
the the EIA levels used by most serial interfaces. An example of a
|
|
device designed to do this is presented in the gadget subdirectory
|
|
included in the xntp3 distribtuion. Besides being useful for this
|
|
purpose, this device includes an inexpensive modem designed for use with
|
|
the Canadian CHU time/frequency radio station.
|
|
|
|
In order to select the appropriate implementation, it is important to
|
|
understand the underlying 1-pps mechanism used by xntpd. The 1-pps
|
|
suport depends on a continuous source of 1-pps pulses used to calculate
|
|
an offset within +-500 milliseconds relative to the local clock. The
|
|
serial timecode produced by the radio or the time determined by NTP in
|
|
absence of the radio is used to adjust the local clock within +-128
|
|
milliseconds of the actual time. As long as the local clock is within
|
|
this interval the 1-pps support is used to discipline the local clock
|
|
and the timecode used only to verify that the local clock is in fact
|
|
within the interval. Outside this interval the 1-pps support is disabled
|
|
and the timecode used directly to control the local clock.
|
|
|
|
The first method of implementation uses a dedicated serial port and
|
|
either the bsd line discipline or System V streams module, which can be
|
|
found in the kernel directory of the xntp3 distribution. This method can
|
|
be used with any radio clock or in the absence of any clock. The line
|
|
discipline and streams modules take receive timestamps in the kernel,
|
|
specifically the interrupt routine of the serial port hardware driver.
|
|
Using this method the port is dedicated to serve the 1-pps signal and
|
|
cannot be used for other purposes. Instructions for implementing the
|
|
feature, which requires rebuilding the kernel, are included in the
|
|
modules themselves. Note that xndpd must be compiled with the -DPPSDEV
|
|
compiler switch in this case. There is an inherent error in this method
|
|
due to the latency of the interrupt system and remaining serial-line
|
|
protocol modules in the order of a millisecond with Sun 4s. While the
|
|
jitter in this latency is unavoidable, the systematic component can be
|
|
calibrated out using a special configuration declaration:
|
|
|
|
# pps delay and baud rate
|
|
|
|
pps delay .0017 baud 19200 # pps delay (ms) and baud rate
|
|
|
|
Note that the delay defaults to zero and the baud to 38400.
|
|
|
|
The second method uses mechanisms embedded in the radio clock driver,
|
|
which call the 1-pps support directly and do not require a dedicated
|
|
serial port. Currently, only the DCF77 (German radio time service)
|
|
driver uses this method. Instructions for implementing this are given in
|
|
README files in the xntp3 distribution.
|
|
|
|
The third method and the most accurate and intrusive of all uses the
|
|
carrier-detect modem-control lead monitored by the serial port driver.
|
|
This method can be used with any radio clock and 1-pps interface
|
|
mentioned above. It requires in addition to a special streams module,
|
|
replacement of the kernel high resolution time-of-day clock routine.
|
|
This method is applicable only to Sun 4 platforms running SunOS 4.1.1
|
|
and then only with either of the two onboard serial ports. It does not
|
|
work with other platforms, operating systems or external (SBus) serial
|
|
multiplexors.
|
|
|
|
Swatting Bugs
|
|
|
|
Let's say you have compiled and installed the code and put up an
|
|
apparently relevant configuration file. In many Unix systems the xntpd
|
|
daemon and utility programs (ntpq, ntptrace and xntpdc) are usually
|
|
installed in the /usr/local directory along with the key file
|
|
(ntp.keys), while the configuration file (ntp.conf) and drift file
|
|
(ntp.drift) are installed in the /etc directory. The daemon can is
|
|
usually started from the rc.local shell script at system boot time, but
|
|
could be started (and stopped) at other times for debugging, etc. How do
|
|
you verify that the daemon can form associations with remote peers and
|
|
verify correct synchronization? For this you need the ntpq utility
|
|
described in the ntpq.8 man page.
|
|
|
|
After starting the daemon, run the ntpq program using the -n switch,
|
|
which will avoid possible distractions due to name resolutions. Use the
|
|
peer command to display a billboard showing the status of configured
|
|
peers and possibly other clients poking the daemon. After operating for
|
|
a few minutes, the display should be something like:
|
|
|
|
remote refid st when poll reach delay offset disp
|
|
========================================================================
|
|
+128.4.2.6 132.249.16.1 2 131 256 373 9.89 16.28 23.25
|
|
*128.4.1.20 .WWVB. 1 137 256 377 280.62 21.74 20.23
|
|
-128.8.2.88 128.8.10.1 2 49 128 376 294.14 5.94 17.47
|
|
+128.4.2.17 .WWVB. 1 173 256 377 279.95 20.56 16.40
|
|
|
|
The hosts shown in the "remote" column should agree with the entries in
|
|
the configuration file, plus any peers not mentioned in the file at the
|
|
same or lower than your stratum that happen to be configured to peer
|
|
with you. The "refid" entry shows the current source of synchronization
|
|
for that peer, while the "st" reveals its stratum and the "poll" entry
|
|
the polling interval, in seconds. The "when" entry shows the time since
|
|
the peer was last heard, in seconds, while the "reach" entry shows the
|
|
status of the reachability register (see specification), which is in
|
|
octal format. The remaining entries show the latest delay, offset and
|
|
dispersion computed for the peer, in milliseconds.
|
|
|
|
*** This section incomplete. Soon.
|
|
|
|
status=0664 leap_none, sync_ntp, 6 events, event_peer/strat_chg
|
|
system="UNIX", leap=00, stratum=2, rootdelay=280.62,
|
|
rootdispersion=45.26, peer=11673, refid=128.4.1.20,
|
|
reftime=af00bb42.56111000 Fri, Jan 15 1993 4:25:38.336, poll=8,
|
|
clock=af00bbcd.8a5de000 Fri, Jan 15 1993 4:27:57.540, phase=21.147,
|
|
freq=13319.46, compliance=2
|
|
|
|
status=7414 reach, auth, sel_sync, 1 event, event_reach
|
|
srcadr=128.4.2.6, srcport=123, dstadr=128.4.2.7, dstport=123, keyid=1,
|
|
stratum=2, precision=-10, rootdelay=362.00, rootdispersion=21.99,
|
|
refid=132.249.16.1,
|
|
reftime=af00bb44.849b0000 Fri, Jan 15 1993 4:25:40.517,
|
|
delay= 9.89, offset= 16.28, dispersion=23.25, reach=373, valid=8,
|
|
hmode=2, pmode=1, hpoll=8, ppoll=10, leap=00, flash=0x0,
|
|
org=af00bb48.31a90000 Fri, Jan 15 1993 4:25:44.193,
|
|
rec=af00bb48.305e3000 Fri, Jan 15 1993 4:25:44.188,
|
|
xmt=af00bb1e.16689000 Fri, Jan 15 1993 4:25:02.087,
|
|
filtdelay= 16.40 9.89 140.08 9.63 9.72 9.22 10.79 122.99,
|
|
filtoffset= 13.24 16.28 -49.19 16.04 16.83 16.49 16.95 -39.43,
|
|
filterror= 16.27 20.17 27.98 31.89 35.80 39.70 43.61 47.52
|
|
|
|
ind assID status conf reach auth condition last_event cnt
|
|
===========================================================
|
|
1 11670 7414 no yes ok synchr. reachable 1
|
|
2 11673 7614 no yes ok sys.peer reachable 1
|
|
3 11833 7314 no yes ok outlyer reachable 1
|
|
4 11868 7414 no yes ok synchr. reachable 1
|
|
|
|
Parting Shots
|
|
|
|
There are several undocumented programs which are useful if you are
|
|
trying to set up a clock. They can be found in the clockstuff directory
|
|
of the xntp3 distribution. The most useful of these is the propdelay
|
|
program, which can compute high frequency radio propagation delays
|
|
between any two points whose latitude and longitude are known. The
|
|
program understands something about the phenomena which allow high
|
|
frequency radio propagation to occur, and will generally provide a
|
|
better estimate than a calculation based on the great circle distance.
|
|
The other two programs in the directory are clktest, which allows one to
|
|
exercise the generic clock line discipline, and chutest, which runs the
|
|
basic reduction algorithms used by the daemon on data received from a
|
|
serial port.
|