[Ntp] Re: NTP speed of synchronization question

Hal Murray <halmurray+ietf@sonic.net> Wed, 21 August 2024 10:30 UTC

Return-Path: <halmurray+ietf@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9859C14F6BF for <ntp@ietfa.amsl.com>; Wed, 21 Aug 2024 03:30:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sonic.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7sfV5AuSdBl for <ntp@ietfa.amsl.com>; Wed, 21 Aug 2024 03:30:21 -0700 (PDT)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E75E1C14F69F for <ntp@ietf.org>; Wed, 21 Aug 2024 03:30:20 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (107-137-68-135.lightspeed.sntcca.sbcglobal.net [107.137.68.135]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 47LASS13001557 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Wed, 21 Aug 2024 03:28:29 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sonic.net; s=net23; t=1724236110; bh=hFFBv7pRPm6kxKNw2BaKRc/11RYjqiLctmGAHIrvknM=; h=To:From:Subject:Mime-Version:Date:Message-Id:From:Subject; b=Yfpd0JcJ5nVbhP5hw1KHxkw/Bijm4VRrGLKG4QNcCnZ6DK7Srqe2B10Kg+R+c0w8g GMVUlw3SJHTRukwLFBgLo6X8q5hkXu1nKH5Z/O+uV/5YAcNE/9SV/wmYayxhrWQFW0 zG5K3PoZ4e8mDWO9WSEtSmQhh8Y73VYuj3LDiz5s1OC2Sl3uV3NpLffNzdbaZ3Eb2R OT2KoG93tFdEkzN9WXgYkME5sI0NCWaM4NSM4jmwEN3hULUfu/FNGwiDgRhkM2IwH3 a9VVV8QkN6BpomdIKMzxmVWHEdJ01rT5bhwBbqwwEccqTn/eu8e1hY/CcfofgHNdll 5k54hF84dk+0A==
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 9398E62003D; Wed, 21 Aug 2024 03:28:28 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8
To: Toerless Eckert <tte@cs.fau.de>
From: Hal Murray <halmurray+ietf@sonic.net>
In-Reply-To: Message from Toerless Eckert <tte@cs.fau.de> of "Wed, 14 Aug 2024 10:09:33 +0200." <ZrxmPeWAKqsIv86j@faui48e.informatik.uni-erlangen.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 21 Aug 2024 03:28:28 -0700
Message-Id: <20240821102828.9398E62003D@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVYFu8mdC+6fxrYI5x6XuGV+NfKmCzOPqNDMJkoe9l7R8FK63zzYdMWQyx9oyz0OdoqkUyBa7KfHQClz50XH2d+OjmVLa7OzbYE=
X-Sonic-ID: C;1OMzG6hf7xGuFK5Sr7edkQ== M;GItDG6hf7xGuFK5Sr7edkQ==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Message-ID-Hash: PEP5LSGIPC5KUOTKTBU35DOIGUTKVSCN
X-Message-ID-Hash: PEP5LSGIPC5KUOTKTBU35DOIGUTKVSCN
X-MailFrom: halmurray+ietf@sonic.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ntp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ntp@ietf.org, Hal Murray <halmurray+ietf@sonic.net>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Ntp] Re: NTP speed of synchronization question
List-Id: Network Time Protocol <ntp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/y5LAWvb0r9YIcx3uYAlcn8dAA4s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Owner: <mailto:ntp-owner@ietf.org>
List-Post: <mailto:ntp@ietf.org>
List-Subscribe: <mailto:ntp-join@ietf.org>
List-Unsubscribe: <mailto:ntp-leave@ietf.org>

tte@cs.fau.de said:
> Assuming typical high-end routers and their implementation of NTP:

> 1. Is there any reasonw why we should NOT be able to achieve
> synchronization of less than 5 msec ? 

> 2. Assuming synchronization only across some WAN connection...

I know roughly nothing about high-end routers.

The previous answers looked good.  Here is my 2 cents worth.


You need to ask the router venders what sort of NTP software they are 
running.  There is a lot of crapware out there claiming to be NTP.  It 
wouldn't surprise me if some vendor was still using their old 
works-well-enough software.  If it ain't broke, don't fix it.

If you want to get in the 5 ms range using servers on the WAN, you need to 
pick your servers carefully.  The server needs to be accurate and the 
routing needs to be symmetric and NTP traffic needs to not be filtered.

I'm in Silicon Valley with an AT&T fiber.  I have a good GPS setup to use 
as a reference.


>From here, the time from NIST servers in Boulder and Fort Colins is off by 
about 6 ms.  The round trip time is normally 45 ms.  It ccasionally drops 
to 33 ms for a while.  When that happens, the time is accurate.  The 
normal case is classic asymmetric routing.  Those servers look good from a 
cloud server in San Francisco -- 28 ms round trip.


Various ISPs, routers, and whatevers filter NTP packets.  That's leftover 
from a giant DDoS attack many years ago that used NTP's monlist option.  
That filtering is rarely documented.  It's a pain to debug and close to 
impossible for mere mortals to get fixed.

Google, Facebook, and Cloudflare all offer public NTP servers.  I think 
they all use anycast so you get the nearest server.  From here, I can't 
get to 1 of Google's IPv6 servers.  I can't get to any of Facebook's IPv4 
servers.  They were working several days ago.  I can't get to one of 
Cloudflare's IPv6 servers -- the TCP connection for NTS-KE times out.  All 
those missing servers work fine from San Francisco.


You can't tell how far off a system's clock is unless you have a good 
local clock to use as a reference.  You can't just ask the system.  If it 
knew it was off it would fix it.  With asymmetric routing, it will think 
it is good but will be off by half the difference in transit times.


What happens if the time is off a bit, say 10 ms?  How about 100 ms?

I suspect that even with a good setup, the clock will occasionally do 
somethng strange.  More often if you don't have nearby good servers or 
when you have a flakey link.  Will that just screwup the local system or 
explode and take down the whole net?


Odds and ends:

Do you know about bufferbloat?  To NTP, that looks like asymmetric 
routing.  How big can the queues get on the path from your router to/from 
the NTP servers you are using?

Will the NTP software get a CPU when it needs it?  (Or will the CPUs 
sometimes be busy doing more important things like routing packets?)

Do you know about leap seconds?  Leap smearing?

Do you have a database using time stamps for UIDs?  (aka something that 
will panic if time goes backwards)

Are you using time for security?  Basic NTP is easy to spoof with a MITM 
attack.  Servers supporting NTS are harder to find.


-- 
These are my opinions.  I hate spam.