On 5/1/19 4:28 PM, Mel Beckman wrote:
> Harlan and Mehmet,
> 
> I can expand on one important reason that James only alluded to with his 
> “Keeping the Auditors happy” comment.
> 
> Passing NTP through a firewall and then using that as a critical time 
> reference source represents a huge security risk. Here’s one detailed 
> explanation of that risk:
> 
> https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html

I have some significant disagreements with some of the assumptions and
positions in that posting, for whatever that's worth.  And there are
some good points in there, too.

H
--

>  -mel
> 
> On May 1, 2019, at 3:48 PM, James R Cutler 
> <james.cut...@consultant.com> wrote:
> 
> On Wed, May 01, 2019 at 02:35:58PM -0700, Harlan Stenn wrote:
> - Why do folks want to have one or more NTP server masters that have at
> least 1 refclock on them in a data center, instead of having their data
> center NTP server masters that only get time over the internet?
> 
> Answers to that include:
> 
>   *   Keeping the Auditors happy
>   *   Knowing that “everyone does it” - the vendor told them so
>   *   Bragging rights (expensive hardware)
>   *   Being unbothered by fighting with facilities for building penetrations 
> and antenna mounts
>   *   Misunderstanding the beauty and economy of Dave Mills' marvelous algorithms 
> for consistent time based on multiple sources, even those connected via 
> internet
>   *   Unwillingness or inability to leverage other local resources' capacity 
> to run ntpd with minimal impact in order to have a good constellation of 
> local NTP servers
>   *   Willingness to farm out time service without doing a deep dive into why 
> and how, just leaving the design to the appliance vendors
> 
> This covers most of what I have encountered in providing enterprise time 
> services for $dayjob+clients. I probably left out some significant points, 
> but it has been a few years...
> 
> 
> 
> 

-- 
Harlan Stenn <st...@nwtime.org>
http://networktimefoundation.org - be a member!
