S100 User Guide – Rev. D – June 2005 99
selecting these sources. Note that, while NTP detects and rejects loops involving neighboring
servers, it does not detect loops involving intervening servers.
It is strongly advised, and is the practice at most primary servers today, to employ the
authentication or access-control features of the NTP specification in order to protect against
hostile intruders and possible destabilization of the time service. Using this or similar
strategies, the remaining hosts in the same administrative domain can be synchronized to the
three (or more) selected time servers. Assuming these servers are synchronized directly to
stratum-1 sources and operate normally as stratum-2, the next level away from the primary
source of synchronization, for instance various campus file servers, will operate at stratum 3
and dependent workstations at stratum 4. Engineered correctly, such a subnet will survive all
but the most exotic failures or even hostile penetrations of the various, distributed
timekeeping resources.
When planning your network, keep in mind a few generic don'ts, in particular:
• Don't synchronize a local time server to another peer at the same stratum,
unless the latter is receiving time from lower stratum sources the former
doesn't talk to directly. This minimizes the occurrence of common points
of failure, but does not eliminate them in cases where the usual chain of
associations to the primary sources of synchronization is disrupted due
to failures.
• Don't configure peer associations with higher stratum servers. Let the
higher strata configure lower stratum servers, but not the reverse. This
greatly simplifies configuration file maintenance, since there is usually
much greater configuration churn in the high stratum clients such as
personal workstations.
• Don't synchronize more than one time server in a particular
administrative domain to the same time server outside that domain. Such
a practice invites common points of failure and raises the possibility
of massive abuse, should the configuration file be automatically
distributed to a large number of clients.
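The authentication advice and the first and third don'ts above can be checked mechanically across a domain's ntp.conf files. The Python audit below is an added example, not part of the original guide or of the S100 software. The hostnames and key IDs are constructed, and the audit assumes that the listed time servers operate at the same stratum and that any host without a listed configuration lies outside the domain.

```python
import re
from collections import defaultdict

# Constructed sample: ntp.conf text for three time servers in one
# administrative domain (hostnames and key IDs are made up).
CONFIGS = {
    "ts1.example.internal": """
        server ntp-a.example.net key 1
        server ntp-b.example.net key 1
        peer ts2.example.internal key 1
    """,
    "ts2.example.internal": """
        server ntp-a.example.net
        peer ts1.example.internal
    """,
    "ts3.example.internal": """
        server ntp-c.example.net key 1
    """,
}

ASSOC = re.compile(r"^\s*(server|peer)\s+(\S+)(.*)$")

def parse(text):
    """Return [(kind, target, has_key)] for each server/peer line."""
    out = []
    for line in text.splitlines():
        m = ASSOC.match(line.split("#")[0])      # ignore trailing comments
        if m:
            out.append((m[1], m[2], bool(re.search(r"\bkey\s+\d+", m[3]))))
    return out

def audit(configs):
    """Return a list of (finding, subject, detail) tuples."""
    findings, users, upstream = [], defaultdict(set), {}
    parsed = {h: parse(t) for h, t in configs.items()}
    for host, assocs in parsed.items():
        upstream[host] = {t for k, t, _ in assocs if k == "server"}
        for kind, target, has_key in assocs:
            if not has_key:                      # association without a key
                findings.append(("no-auth", host, target))
            if kind == "server" and target not in configs:
                users[target].add(host)          # outside-domain source
    for ext, hosts in users.items():             # one outside server, many users
        if len(hosts) > 1:
            findings.append(("shared-upstream", ext, tuple(sorted(hosts))))
    for host, assocs in parsed.items():          # peer brings no new source
        for kind, target, _ in assocs:
            if kind == "peer" and target in upstream and upstream[target] <= upstream[host]:
                findings.append(("redundant-peer", host, target))
    return findings
```

On the sample, ts2 is reported for two unauthenticated associations, ntp-a.example.net for being the outside source of two domain servers, and ts1 for peering with ts2, which has no source ts1 lacks.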
The following diagrams depict typical NTP configurations from large to small networks. Use
these as a guide when creating your own.