Automatic Server Discoveryschemes

From: Harlan Stenn Date: Wed, 12 Oct 2011 06:48:59 +0000 (-0400) Subject: revert bogus changes X-Git-Tag: NTP_4_2_7P223~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8822cc218f74ab88f6a93f2d8e1590f8a81c1e83;p=thirdparty%2Fntp.git revert bogus changes bk: 4e95385bqnxovJTgMzHgPwiLCJC99g --- diff --git a/html/accopt.html b/html/accopt.html index 25ac5b353..9ce44375b 100644 --- a/html/accopt.html +++ b/html/accopt.html @@ -3,69 +3,86 @@ -Automatic Server Discoveryschemes +Access Control Commands and Options + -

Automatic Server Discovery Schemes

from Alice's Adventures in Wonderland, Lewis Carroll -

Make sure who your friends are.

Access Control Commands and Options

from Pogo, Walt Kelly +

The skunk watches for intruders and sprays.

Last update: - 11-Oct-2011 18:51 + 11-Sep-2010 16:55 UTC

Introduction

This page describes the automatic server discovery schemes provided in NTPv4. There are three automatic server discovery schemes: broadcast/multicast, manycast and server pool described on this page. The broadcast/multicast and manycast schemes utilize the ubiquitous broadcast or one-to-many paradigm native to IPv4 and IPv6. The server pool scheme uses DNS to resolve addresses of multiple volunteer servers scattered throughout the world. All three schemes work in much the same way and might be described as grab-n'-prune. Through one means or another they grab a number of associations either directly or indirectly from the configuration file, order them from best to worst according to a defined metric, then cast off the associations with the lowest metric until no more than the number specified by the maxclock option of the toscommand remain.

Association Management

All schemes use a stratum filter to select just those servers with stratum considered useful. This can avoid large numbers of clients ganging up on a small number of low-stratum servers and avoid servers below or above specified stratum levels. By default, servers of all strata are acceptable; however, the tos command can be used to restrict the acceptable range from the floor option, inclusive, to the ceiling option, exclusive. Potential servers operating at the same stratum as the client will be avoided, unless the cohort option is present.

The pruning process is handled using a set of counters, one for each preemptible association. Once each poll interval the counter is increased by one. If the association survives the selection and clustering algorithms; that is, it is a candidate for synchronization, the counter is reset to zero. If not and the counter reaches a defined threshold and the number of assocations is greater than maxclock, the association becomes a candidate for pruning. The pruning algorithm assigns to each association a metric ranging from the lowest, corresponding to no possibility of synchronization, to the highest, corresponding to a very likely possibility of synchronization. Upon reaching the threshold, an association is demobilized if it has the lowest metric of all associations. Operation continues in this way until the number of remaining associations is not greater than maxclock.

Following is a summary of each scheme. Note that reference to option applies to the commands described on the Configuration Options page. See that page for applicability and defaults.

Broadcast/Multicast Scheme

A broadcast server generates messages continuously at intervals by default 64 s and time-to-live by default 127. These defaults can be overriden by the minpoll and ttl options, respectively. Not all kernels support the ttl option. A broadcast client responds to the first message received by waiting a randomized interval to avoid implosion at the server. It then polls the server in client/server mode using the iburst option in order to quickly authenticate the server, calibrate the propagation delay and set the host clock. This normally results in a volley of six client/server exchanges at 2-s intervals during which both the synchronization and cryptographic protocols run concurrently.

Following the volley, the server continues in listen-only mode and sends no further messages. If for some reason the broadcast server does not respond to these messages, the client will cease transmission and continue in listen-only mode with a default propagation delay. The volley can be avoided by using the broadcastdelay command with nonzero argument.

A server is configured in broadcast mode using the broadcast command and specifying the broadcast address of a local interface. If two or more local interfaces are installed with different broadcast addresses, a broadcast command is needed for each address. This provides a way to limit exposure in a firewall, for example. A broadcast client is configured using the broadcastclient command.

NTP multicast mode can be used to extend the scope using IPv4 multicast or IPv6 broadcast with defined span. The IANA has assigned IPv4 multicast address 224.0.1.1 and IPv6 address FF05::101 (site local) to NTP, but these addresses should be used only where the multicast span can be reliably constrained to protect neighbor networks. In general, administratively scoped IPv4 group addresses should be used, as described in RFC-2365, or GLOP group addresses, as described in RFC-2770.

A multicast server is configured using the broadcast command, but specifying a multicast address instead of a broadcast address. A multicast client is configured using the multicastclient command specifying a list of one or more multicast addresses. Note that there is a subtle distinction between the IPv4 and IPv6 address families. The IPv4 broadcast or mulitcast mode is determined by the IPv4 class. For IPv6 the same distinction can be made using the link-local prefix FF02 for each interface and site-local prefix FF05 for all interfaces.

It is possible and frequently useful to configure a host as both broadcast client and broadcast server. A number of hosts configured this way and sharing a common broadcast address will automatically organize themselves in an optimum configuration based on stratum and synchronization distance.

Since an intruder can impersonate a broadcast server and inject false time values, broadcast mode should always be cryptographically authenticated. By default, a broadcast association will not be mobilized unless cryptographically authenticated. If necessary, the auth option of the disable command will disable this feature. The feature can be selectively enabled using the notrust option of the restrict command.

With symmetric key cryptography each broadcast server can use the same or different keys. In one scenario on a broadcast LAN, a set of broadcast clients and servers share the same key along with another set that share a different key. Only the clients with matching key will respond to a server broadcast. Further information is on the Authentication Support page.

Public key cryptography can be used with some restrictions. If multiple servers belonging to different secure groups share the same broadcast LAN, the clients on that LAN must have the client keys for all of them. This scenario is illustrated in the example on the Autokey Public Key Authentication page.

Manycast Scheme

Manycast is a automatic server discovery and configuration paradigm new to NTPv4. It is intended as a means for a client to troll the nearby network neighborhood to find cooperating servers, validate them using cryptographic means and evaluate their time values with respect to other servers that might be lurking in the vicinity. It uses the grab-n'-drop paradigm with the additional feature that active means are used to grab additional servers should the number of survivors fall below the minclock option of the tos command.

The manycast paradigm is not the anycast paradigm described in RFC-1546, which is designed to find a single server from a clique of servers providing the same service. The manycast paradigm is designed to find a plurality of redundant servers satisfying defined optimality criteria.

A manycast clients is configured using the manycastclient configuration command, which is similar to the server configuration command. It sends ordinary client mode messages, but with a broadcast address rather than a unicast address and sends only if less than minclock associations remain and then only at the minimum feasible rate and minimum feasible time-to-live (TTL) hops. The polling strategy is designed to reduce as much as possible the volume of broadcast messages and the effects of implosion due to near-simultaneous arrival of manycast server messages. There can be as many manycast client associations as different addresses, each one serving as a template for future unicast client/server associations.

A manycast server is configured using the manycastserver command, which listens on the specified broadcast address for manycast client messages. If a manycast server is in scope of the current TTL and is itself synchronized to a valid source and operating at a stratum level equal to or lower than the manycast client, it replies with an ordinary unicast server message.

The manycast client receiving this message mobilizes a preemptable client association according to the matching manycast client template, but only if cryptographically authenticated and the server stratum is less than or equal to the client stratum.

It is possible and frequently useful to configure a host as both manycast client and manycast server. A number of hosts configured this way and sharing a common multicast group address will automatically organize themselves in an optimum configuration based on stratum and synchronization distance.

The use of cryptograpic authentication is always a good idea in any server discovery scheme. Both symmetric key and public key cryptography can be used in the same scenarios as described above for the broadast/multicast scheme.

Server Pool Scheme

The idea of targeting servers on a random basis to distribute and balance the load is not a new one; however, the NTP pool scheme puts this on steroids. At present, several thousand operators around the globe have volunteered their servers for public access. In general, NTP is a lightweight service and servers used for other purposes don't mind an additional small load. The trick is to randomize over the population and minimize the load on any one server while retaining the advantages of multiple servers using the NTP mitigation algorithms.

To support this service custom DNS software used for pool.ntp.org and its subdomains - returns a random selection of participating servers in response to a DNS query. - The client receiving this list mobilizes some or all of them, similar to the - manycast discovery scheme, and casts off the excess. Unlike manycastclient, - cryptographic authentication is not required. The pool scheme solicits a single - server at a time, compared to manycastclient which solicits all servers - within a multicast TTL range simultaneously. Otherwise, the pool server discovery - scheme operates as manycast does.

The pool scheme is configured using one or more pool commands with DNS names - indicating the pool from which to draw. The pool command can be used more - than once; duplicate servers are detected and discarded. In principle, it is - possible to use a configuration file containing a single line pool - pool.ntp.org. The NTP Pool - Project offers instructions on using the pool with the server command, which is suboptimal but works with older versions of ntpd predating the pool command. With recent ntpd, consider replacing the - multiple server commands in their example with a single pool command.

Commands and Options

Unless noted otherwise, further information about these ccommands is on the Access Control Support page.

discard [ average avg ][ minimum min ] [ monitor prob ]

Set the parameters of the rate control facility which protects the server from client abuse. If the limited flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the kod flag is present, a kiss-o'-death packet is returned. See the Rate Management page for further information. The options are: +

average avg: Specify the minimum average interpacket spacing (minimum average headway + time) in log₂ s with default 3.
minimum min: Specify the minimum interpacket spacing (guard time) in seconds with default 2.
monitor: Specify the probability of being recorded for packets that overflow the MRU list size limit set by mru maxmem or mru maxdepth. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.

restrict default [flag][...] + restrict source [flag][...] + restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.

Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:

flake: Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's flakeway, which once did a similar thing for early Internet testing.
ignore: Deny packets of all kinds, including ntpq and ntpdc queries.
kod: Send a kiss-o'-death (KoD) packet if the limited flag is present and a packet violates the rate limits established by the discard command. KoD packets are themselves rate limited for each source address separately. If the kod flag is used in a restriction which does not have the limited flag, no KoD responses will result.
limited: Deny time service if the packet violates the rate limits established by the discard command. This does not apply to ntpq and ntpdc queries.
lowpriotrap: Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.
mssntp: Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.
nomodify: Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.
noquery: Deny ntpq and ntpdc queries. Time service is not affected.
nopeer: Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. Note that this flag does not apply to packets that do not attempt to mobilize an association.
noserve: Deny all packets except ntpq and ntpdc queries.
notrap: Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol which is intended for use by remote event logging programs.
notrust: Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the auth option of the enable and disable commands. If auth is enabled, which is the default, authentication is required for all packets that might mobilize an association. If auth is disabled, but the notrust flag is not present, an association can be mobilized whether or not authenticated. If auth is disabled, but the notrust flag is present, authentication is required only for the specified address/mask range.; This is actually a match algorithm modifier, rather than a restriction + flag. Its presence causes the restriction entry to be matched only if the + source port in the packet is the standard NTP UDP port (123). A restrict line + containing ntpport is considered more specific than one with the + same address and mask, but lacking ntpport.
version: Deny packets that do not match the current NTP version.

Default restriction list entries with the flags ignore, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

diff --git a/html/assoc.html b/html/assoc.html index 203748c6e..3a0cd32ec 100644 --- a/html/assoc.html +++ b/html/assoc.html @@ -3,688 +3,78 @@ -Event Messages and Status Words +Association Management -

Event Messages and Status Words

from Alice's Adventures in Wonderland, Lewis Carroll -

Caterpillar knows all the error codes, which is more than most of us do.

Association Management

from Alice's Adventures in Wonderland, Lewis Carroll +

Make sure who your friends are.

Last update: - 04-Oct-2011 21:20 + 12-May-2011 13:16 UTC

Introduction

This page lists the status words, event messages and error codes used for ntpd reporting and monitoring. Status words are used to display the current status of the running program. There is one system status word and a peer status word for each association. There is a clock status word for each association that supports a reference clock. There is a flash code for each association which shows errors found in the last packet received (pkt) and during protocol processing (peer). These are commonly viewed using the ntpq program.

Significant changes in program state are reported as events. There is one - set of system events and a set of peer events for each association. In addition, - there is a set of clock events for each association that supports a reference - clock. Events are normally reported to the protostats monitoring file - and optionally to the system log. In addition, if the trap facility is configured, - events can be reported to a remote program that can page an administrator.

This page also includes a description of the error messages produced by the Autokey protocol. These messages are normally sent to the cryptostats monitoring file.

In the following tables the Code Field is the status or event code assigned and the Message Field a short string used for display and event reporting. The Description field contains a longer explanation of the status or event. Some messages include additional information useful for error diagnosis and performance assessment.

System Status Word

The system status word consists of four fields LI (0-1), Source (2-7), Count (8-11) and Code (12-15). It is reported in the first line of the rv display produced by the ntpq program.

- - - - - - - -

Leap

Source

Count

Code

The Leap Field displays the system leap indicator bits coded as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`0`	`leap_none`	normal synchronized state
`1`	`leap_add_sec`	insert second after 23:59:59 of the current day
`2`	`leap_del_sec`	delete second 23:59:59 of the current day
`3`	`leap_alarm`	never synchronized

The Source Field displays the current synchronization source coded as follows:.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`0`	`sync_unspec`	not yet synchronized
`1`	`sync_pps`	pulse-per-second signal (Cs, Ru, GPS, etc.)
`2`	`sync_lf_radio`	VLF/LF radio (WWVB, DCF77, etc.)
`3`	`sync_hf_radio`	MF/HF radio (WWV, etc.)
`4`	`sync_uhf_radio`	VHF/UHF radio/satellite (GPS, Galileo, etc.)
`5`	`sync_local`	local timecode (IRIG, LOCAL driver, etc.)
`6`	`sync_ntp`	NTP
`7`	`sync_other`	other (IEEE 1588, openntp, crony, etc.)
`8`	`sync_wristwatch`	eyeball and wristwatch
`9`	`sync_telephone`	telephone modem (ACTS, PTB, etc.)

The Count Field displays the number of events since the last time the code changed. Upon reaching 15, subsequent events with the same code are ignored.

The Event Field displays the most recent event message coded as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`00`	`unspecified`	unspecified
`01`	`freq_not_set`	frequency file not available
`02`	`freq_set`	frequency set from frequency file
`03`	`spike_detect`	spike detected
`04`	`freq_mode`	initial frequency training mode
`05`	`clock_sync`	clock synchronized
`06`	`restart`	program restart
`07`	`panic_stop`	clock error more than 600 s
`08`	`no_system_peer`	no system peer
`09`	`leap_armed`	leap second armed from file or Autokey
`0a`	`leap_disarmed`	leap second disarmed
`0b`	`leap_event`	leap event
`0c`	`clock_step`	clock stepped
`0d`	`kern`	kernel information message
`0e`	`TAI...`	leapsecond values update from file
`0f`	`stale leapsecond values`	new NIST leapseconds file needed

Peer Status Word

The peer status word consists of four fields: Status (0-4), Select (5-7), Count (8-11) and Code (12-15). It is reported in the first line of the rv associd display produced by the ntpq program.

- - - - - - - -

Status

Select

Count

Code

The Status Field displays the peer status code bits in hexadecimal; each bit is an independent flag. (Note this field is 5 bits wide, and combines with the the 3-bit-wide Select Field to create the first full byte of the peer status word.) The meaning of each bit in the Status Field is listed in the following table:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`08`	`bcst`	broadcast association
`10`	`reach`	host reachable
`20`	`authenb`	authentication enabled
`40`	`auth`	authentication ok
`80`	`config`	persistent association

The Select Field displays the current selection status. (The T Field in the following table gives the corresponding tally codes used in the ntpq peers display.) The values are coded as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	T	Description
`0`	`sel_reject`		discarded as not valid (TEST10-TEST13)
`1`	`sel_falsetick`	`x`	discarded by intersection algorithm
`2`	`sel_excess`	`.`	discarded by table overflow (not used)
`3`	`sel_outlyer`	`-`	discarded by the cluster algorithm
`4`	`sel_candidate`	`+`	included by the combine algorithm
`5`	`sel_backup`	`#`	backup (more than `tos maxclock` sources)
`6`	`sel_sys.peer`	`*`	system peer
`7`	`sel_pps.peer`	`o`	PPS peer (when the prefer peer is valid)

The Count Field displays the number of events since the last time the code changed. Upon reaching 15, subsequent events with the same code are ignored.

The Event Field displays the most recent event message coded as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`01`	`mobilize`	association mobilized
`02`	`demobilize`	association demobilized
`03`	`unreachable`	server unreachable
`04`	`reachable`	server reachable
`05`	`restart`	association restart
`06`	`no_reply`	no server found (`ntpdate` mode)
`07`	`rate_exceeded`	rate exceeded (kiss code `RATE`)
`08`	`access_denied`	access denied (kiss code `DENY`)
`09`	`leap_armed`	leap armed from server LI code
`0a`	`sys_peer`	become system peer
`0b`	`clock_event`	see clock status word
`0c`	`bad_auth`	authentication failure
`0d`	`popcorn`	popcorn spike suppressor
`0e`	`interleave_mode`	entering interleave mode
`0f`	`interleave_error`	interleave error (recovered)

Clock Status Word

The clock status word consists of four fields: Unused (0-7), Count (8-11) and Code (12-15). It is reported in the first line of the clockvar associd display produced by the ntpq program.

- - - - - - -

Unused

Count

Code

The Count Field displays the number of events since the last lockvar command, while the Event Field displays the most recent event message coded as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`00`	`clk_unspe`	nominal
`01`	`clk_noreply`	no reply to poll
`02`	`clk_badformat`	bad timecode format
`03`	`clk_fault`	hardware or software fault
`04`	`clk_bad_signal`	signal loss
`05`	`clk_bad_date`	bad date format
`06`	`clk_bad_time`	bad time format

When the clock driver sets the code to a new value, a clock_alarm (11) peer event is reported.

Flash Status Word

The flash status word is displayed by the ntpq program rv command. It consists of a number of bits coded in hexadecimal as follows:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Tag	Message	Description
`0001`	TEST1	`pkt_dup`	duplicate packet
`0002`	TEST2	`pkt_bogus`	bogus packet
`0004`	TEST3	`pkt_unsync`	server not synchronized
`0008`	TEST4	`pkt_denied`	access denied
`0010`	TEST5	`pkt_auth`	authentication failure
`0020`	TEST6	`pkt_stratum`	invalid leap or stratum
`0040`	TEST7	`pkt_header`	header distance exceeded
`0080`	TEST8	`pkt_autokey`	Autokey sequence error
`0100`	TEST9	`pkt_crypto`	Autokey protocol error
`0200`	TEST10	`peer_stratum`	invalid header or stratum
`0400`	TEST11	`peer_dist`	distance threshold exceeded
`0800`	TEST12	`peer_loop`	synchronization loop
`1000`	TEST13	`peer_unreach`	unreachable or nonselect

Kiss Codes

Kiss codes are used in kiss-o'-death (koD) packets, billboard displays and log messages. They consist of a string of four zero-padded ASCII charactes. In practice they are informal and tend to change with time and implementation. Some of these codes can appear in the reference identifier field in ntpq billboards. Following is the current list:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Description
`ACST`	manycast server
`AUTH`	authentication error
`AUTO`	Autokey sequence error
`BCST`	broadcast server
`CRYPT`	Autokey protocol error
`DENY`	access denied by server
`INIT`	association initialized
`MCST`	multicast server
`RATE`	rate exceeded
`TIME`	association timeout
`STEP`	step time change

Crypto Messages

These messages are sent to the cryptostats file when an error is detected in the Autokey protocol.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Code	Message	Description
`01`	`bad_format`	bad extension field format or length
`02`	`bad_timestamp`	bad timestamp
`03`	`bad_filestamp`	bad filestamp
`04`	`bad_public_key`	bad or missing public key
`05`	`bad_digest`	unsupported digest type
`06`	`bad_identity`	unsupported identity type
`07`	`bad_siglength`	bad signature length
`08`	`bad signature`	extension field signature not verified
`09`	`cert_not_verified`	certificate signature not verified
`0a`	`cert_expired`	host certificate expired
`0b`	`bad_cookie`	bad or missing cookie
`0c`	`bad_leapseconds`	bad or missing leapseconds values
`0d`	`cert_missing`	bad or missing certificate
`0e`	`bad_group_key`	bad or missing group key
`0f`	`proto_error`	protocol error

Association Modes

This page describes the various modes of operation provided in NTPv4. There are three types of associations in NTP: persistent, preemptable and ephemeral. Persistent associations are mobilized by a configuration command and never demobilized. Preemptable associations, which are new to NTPv4, are mobilized by a configuration command which includes the preempt option or upon arrival of an automatic server discovery packet. They are are demobilized by timeout or when preempted by a "better" server, as described on the Automatic Server Discovery Schemes page. Ephemeral associations are mobilized upon arrival of broadcast or multicast server packets and demobilized by timeout.

Ordinarily, successful mobilization of ephemeral associations requires the server to be cryptographically authenticated to the client. This can be done using either symmetric key or Autokey public key cryptography, as described on the Authentication Support page.

There are three principal modes of operation in NTP: client/server, symmetric active/passive and broadcast/multicast. There are three automatic server discovery schemes in NTP: broadcast/multicast, manycast and pool described on the Automatic Server Discovery Schemes page. In addition, the burst options and orphan mode can be used in appropriate cases.

Following is a summary of the operations in each mode. Note that reference to option applies to the commands described on the Server Commands and Options page. See that page for applicability and defaults.

Client/Server Mode

Client/server mode is the most common configuration in the Internet today. It operates in the classic remote-procedure-call (RPC) paradigm with stateless servers and stateful clients. In this mode a host sends a client (mode 3) request to the specified server and expects a server (mode 4) reply at some future time. In some contexts this would be described as a "pull" operation, in that the host pulls the time and related values from the server.

A host is configured in client mode using the server (sic) command and specifying the server DNS name or IPv4 or IPv6 address; the server requires no prior configuration. The iburst option described later on this page is recommended for clients, as this speeds up initial synchronization from several minutes to several seconds. The burst option described later on this page can be useful to reduce jitter on very noisy dial-up or ISDN network links.

Ordinarily, the program automatically manages the poll interval between the default minimum and maximum values. The minpoll and maxpoll options can be used to bracket the range. Unless noted otherwise, these options should not be used with reference clock drivers.

Symmetric Active/Passive Mode

Symmetric active/passive mode is intended for configurations were a clique + of low-stratum peers operate as mutual backups for each other. Each peer operates + with one or more primary reference sources, such as a reference clock, or a set + of secondary (stratum, 2) servers known to be reliable and authentic. Should + one of the peers lose all reference sources or simply cease operation, the + other peers will automatically reconfigure so that time and related values + can flow from the surviving peers to all hosts in the subnet. In some contexts + this would be described as a "push-pull" operation, in that the + peer either pulls or pushes the time and related values depending on the particular + configuration.

A symmetric active peer sends a symmetric active (mode 1) message to a designated peer. If a matching configured symmetric active association is found, the designated peer returns a symmetric active message. If no matching association is found, the designated peer mobilizes a ephemeral symmetric passive association and returns a symmetric passive (mode 2) message. Since an intruder can impersonate a symmetric active peer and cause a spurious symmetric passive association to be mobilized, symmetric passive mode should always be cryptographically validated.

A peer is configured in symmetric active mode using the peer command and specifying the other peer DNS name or IPv4 or IPv6 address. The burst and iburst options should not be used in symmetric modes, as this can upset the intended symmetry of the protocol and result in spurious duplicate or dropped messages.

As symmetric modes are most often used as root servers for moderate to large subnets where rapid response is required, it is generally best to set the minimum and maximum poll intervals of each root server to the same value using the minpoll and maxpoll options.

Broadcast/Multicast Modes

NTP broadcast and multicast modes are intended for configurations involving one or a few servers and a possibly very large client population. Broadcast mode can be used with Ethernet, FDDI and WiFi spans interconnected by hubs or switches. Ordinarily, broadcast packets do not extend beyond a level-3 router. Where service is intended beyond a level-3 router, multicast mode can be used. Additional information is on the Automatic NTP Configuration Options page.

A server is configured to send broadcast or multicast messages using the broadcast command and specifying the subnet address for broadcast or the multicast group address for multicast. A broadcast client is enabled using the broadcastclient command, while a multicast client is enabled using the multicstclient command and specifying the multicast group address. Multiple commands of either type can be used. However, the association is not mobilized until the first broadcast or multicast message is actually received.

Manycast and Pool Modes

Manycast and pool modes are automatic discovery and configuration paradigms new to NTPv4. They are intended as a means for a client to troll the nearby network neighborhood to find cooperating willing servers, validate them using cryptographic means and evaluate their time values with respect to other servers that might be lurking in the vicinity. The intended result is that each client mobilizes ephemeral client associations with some number of the "best" of the nearby servers, yet automatically reconfigures to sustain this number of servers should one or another fail. Additional information is on the Automatic Server Discovery Schemes page.

Poll Interval Management

NTP uses an intricate heuristic algorithm to automatically control the poll interval for maximum accuracy consistent with minimum network overhead. The algorithm measures the incidental offset and jitter to determine the best poll interval. When ntpd starts, the interval is the default minimum 64 s. Under normal conditions when the clock discipline has stabilized, the interval increases in steps to the default maximum 1024 s. In addition, should a server become unreachable after some time, the interval increases in steps to the maximum in order to reduce network overhead. Additional information about the algorithm is on the Poll Program page.

The default poll interval range is suitable for most conditions, but can be changed using options on the Server Commands and Options and Miscellaneous Options pages. However, when using maximum intervals much larger than the default, the residual clock frequency error must be small enough for the discipline loop to capture and correct. The capture range is 500 PPM with a 64-s interval decreasing by a factor of two for each interval doubling. At a 36-hr interval, for example, the capture range is only 0.24 PPM.

In the NTPv4 specification and reference implementation, the poll interval is expressed in log₂ units, properly called the poll exponent. It is constrained by the lower limit minpoll and upper limit maxpoll options of the server command. The limits default to 6 (64 s) and 10 (1024 s), respectively, which are appropriate for the vast majority of cases.

As a rule of thumb, the expected errors increase by a factor of two as the poll interval increases by a factor of four. The poll interval algorithm slowly increases the poll interval when jitter dominates the error budget, but quickly reduces the interval when wander dominates it. More information about this algorithm is on the How NTP Works page.

There is normally no need to change the poll limits, as the poll interval is managed automatically as a function of prevailing jitter and wander. The most common exceptions are the following.

With fast, lightly loaded LANs and modern processors, the nominal Allan intercept is about 500 s. In these cases the expected errors can be further reduced using a poll exponent of 4 (16 s). In the case of the pulse-per-second (PPS) driver, this is the recommended value.
With symmetric modes the most stable behavior results when both peers are configured in symmetric active mode with matching poll intervals of 6 (64 s).
The poll interval should not be modified for reference clocks, with the single exception the ACTS telephone modem driver. In this case the recommended minimum and maximum intervals are 12 (1.1 hr) and 17 (36 hr), respectively.

Burst Options

Occasionally it is necessary to send packets temporarily at intervals less than the poll interval. For instance, with the burst and iburst options of the server command, the poll program sends a burst of several packets at 2-s intervals. In either case the poll program avoids sending needless packets if the server is not responding. The client begins a burst with a single packet. When the first packet is received from the server, the client continues with the remaining packets in the burst. If the first packet is not received within 64 s, it will be sent again for two additional retries before beginning backoff. The result is to minimize network load if the server is not responding. Additional details are on the Poll Program page.

There are two burst options where a single poll event triggers a burst. They should be used only with the server and pool commands, but not with reference clock drivers nor symmetric mode peers. In both modes, received server packets update the clock filter, which selects the best (most accurate) time values. When the last packet in the burst is sent, the next received packet updates the system variables and adjusts the system clock as if only a single packet exchange had occurred.

The iburst option is useful where the system clock must be set quickly or when the network attachment requires an initial calling or training sequence, as in PPP or ISDN services. In general, this option is recommended for server and pool commands. A burst is sent only when the server is unreachable; in particular, when first starting up. Ordinarily, the clock is set within a few seconds after the first received packet. See the Clock State Machine page for further details about the startup behavior.

The burst option is useful in cases of severe network + jitter or when the network attachment requires an initial calling or training + sequence. This option is recommended when the minimum poll exponent is larger than 10 (1024 s). A burst is sent only when the server is reachable. The number of packets in the burst is determined by the poll interval + so that the average interval between packets (headway) is no less than the minimum poll interval for the association.