[c-nsp] NTP network design considerations

Aaron dudepron at gmail.com
Fri Oct 14 15:07:47 EDT 2022


You can set up a Raspberry Pi as a server and do GPS. Not sure on the
scalability (how many devices it can handle) of that but it does work.
I would do at least 3 in different servers/locations, then have my routers
slave off them and peer with each other.
It is internal and is cheap.
There are a few sources on the internet that I trust for time. It depends
on your level of comfort.

Aaron

On Fri, Oct 14, 2022 at 2:43 PM harbor235 via cisco-nsp <
cisco-nsp at puck.nether.net> wrote:

> I hear what you're saying but NTP is an active attack vector, I don't trust
> outside resources implicitly and traffic segmentation is a prudent measure
> especially if you are getting internet time. Now if you have your own
> stratum1 then I understand your point more.
>
>
> Mike
>
> On Fri, Oct 14, 2022 at 10:45 AM Gert Doering <gert at greenie.muc.de> wrote:
>
> > Hi,
> >
> > On Fri, Oct 14, 2022 at 10:27:16AM -0400, harbor235 via cisco-nsp wrote:
> > > How are you integrating NTP into your infrastructures? Is it part of your
> > > management network(s)?
> >
> > NTP servers (appliances from Meinberg and regular FreeBSD servers, basically)
> > are just sitting "on the Internet" and our machines sync to them, and
> > monitor their relative times (= so if one is misbehaving, NTP will
> > do the right thing on its own, and monitoring will tell us so we can
> > fix it).
> >
> > The machines protect themselves by local iptables rules for SSH/https,
> > and in-band by NTP access rules ("serve time to everyone, serve larger
> > responses only to management systems, do not believe anyone").
> >
> > I've never understood this obsession on filtering things that are intended
> > to be put out in the wild.
> >
> > gert
> >
> > --
> > "If was one thing all people took for granted, was conviction that if you
> >  feed honest figures into a computer, honest figures come out. Never doubted
> >  it myself till I met a computer with a sense of humor."
> >                              Robert A. Heinlein, The Moon is a Harsh Mistress
> >
> > Gert Doering - Munich, Germany
> > gert at greenie.muc.de
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
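Added example, not from any poster in this thread: one way to write the quoted access policy ("serve time to everyone, serve larger responses only to management systems, do not believe anyone") as `restrict` lines and check what a given client would be allowed to do. It assumes the reference ntpd `restrict` syntax; the addresses are documentation prefixes, and the mapping of the policy onto flags is an interpretation.

```python
import ipaddress

# Constructed ntp.conf fragment (assumption: reference ntpd syntax).
# 192.0.2.0/24 stands in for the management systems.
SAMPLE_CONF = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
server 198.51.100.10 iburst
"""

def parse_restrict(conf):
    """Return [(ip_network, flags)] for the IPv4 restrict lines in conf."""
    rules = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict" or words[1].startswith("-"):
            continue  # not a restrict line, or a -4/-6 form (not handled here)
        target, rest = words[1], words[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net, rest = ipaddress.ip_network(f"{target}/{rest[1]}"), rest[2:]
        else:
            net = ipaddress.ip_network(target)  # single host
        rules.append((net, set(rest)))
    return rules

def effective_flags(addr, rules):
    """Flags of the most specific restrict entry that covers addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    # No matching entry means no restrictions apply to this client.
    return max(matches, key=lambda m: m[0])[1] if matches else set()

def services(addr, rules):
    """What a client at addr may do under the parsed restrict rules."""
    f = effective_flags(addr, rules)
    served = "ignore" not in f
    query = served and "noquery" not in f  # ntpq/ntpdc: the larger responses
    return {
        "time": served,
        "query": query,
        "modify": query and "nomodify" not in f,
        "peer": served and "nopeer" not in f,
    }
```

A configuration with no `restrict default` line leaves `query` open to every source, which is the case the policy above closes.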

