On 12/02/14 00:14, Joel van Velden wrote:
It might also be a useful occasion to plug nz.pool.ntp.org. If you have a public ntp server please add it to the pool.
http://www.pool.ntp.org/zone/nz
Makes for sad reading. Currently only 11 NZ public servers, down from a high of 21 in 2011.
Only 4 IPv6 servers :( (yes, I'm one of them).

Right after major attacks on open NTP servers doesn't seem like the best time to plug opening your NTP servers ... 8-)

Seriously though, NTP is a service ISPs should be providing to customers. Doing local anycast of NTP service to well-run stratum 2 servers, (in turn talking to well-run stratum 1 servers, such as the NZRS ntp.net.nz servers and the MSL servers) is a far better idea than having punters querying random NTP pools of unknown quality, or opening up NTP servers to the whole world.

NTP is a pain in the arse to filter statelessly (both source and destination ports are set to 123 in standard ntpd configurations, even when using "server" rather than "peer", so you can't tell from the port numbers whether a packet is a request or a reply), so I'm starting to wonder if redirecting customer NTP traffic to local NTP servers, and dropping all unauthorised inbound NTP queries at the perimeter, isn't a completely bad idea.

NTP is after all one of those bits of the plumbing that really needs to work and really needs not to be exposed to any more threats than necessary. Especially since crypto (notably DNSSEC - there's a reason NZRS runs NTP servers) increasingly has a requirement for accurate-ish clocks.

-- don
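Don's point is that a port-only stateless filter cannot separate an NTP request from a reply, because standard ntpd sends both with source and destination port 123. The first byte of the NTP header does carry that distinction: its low three bits are the mode field (3 = client query, 4 = server reply, 6 = control, 7 = private), so a perimeter filter can drop inbound queries while still letting replies to the ISP's own upstream queries through. The following is an added example, not code from the thread; the packets it inspects are constructed inline, and `perimeter_verdict` is a hypothetical policy function modelling the drop-unauthorised-inbound-queries idea from the message above.

```python
"""Classify NTP datagrams by the RFC 5905 mode field rather than by port.

Added example for the thread above; the packets below are constructed
samples, and perimeter_verdict() is a hypothetical policy function.
"""
from dataclasses import dataclass

NTP_PORT = 123
MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}


@dataclass
class NtpHeader:
    leap: int      # LI, top 2 bits of the first byte
    version: int   # VN, next 3 bits
    mode: int      # Mode, low 3 bits


def parse_ntp_header(payload: bytes) -> NtpHeader:
    """Decode LI/VN/Mode from the first byte of a UDP payload."""
    if not payload:
        raise ValueError("empty NTP payload")
    first = payload[0]
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x7, mode=first & 0x7)


def build_ntp_packet(mode: int, version: int = 4, leap: int = 0) -> bytes:
    """Construct a minimal 48-byte NTP packet with the given header bits.

    Only the first byte matters for classification; the remaining 47 bytes
    (stratum, poll, precision, timestamps) are zero-filled sample data.
    """
    first = (leap << 6) | (version << 3) | (mode & 0x7)
    return bytes([first]) + bytes(47)


def perimeter_verdict(direction: str, src_port: int, dst_port: int, payload: bytes) -> str:
    """Decide whether an NTP datagram crossing the perimeter should pass.

    Policy modelled on the proposal in the thread: inbound *queries* from the
    Internet are dropped, inbound *replies* to our own stratum-2 servers'
    upstream queries are allowed, and everything outbound is allowed.
    Because both ports are 123 in the common ntpd case, the decision is made
    on the mode field, not on the port numbers.
    """
    if NTP_PORT not in (src_port, dst_port):
        return "not-ntp"
    hdr = parse_ntp_header(payload)
    if direction == "outbound":
        return "allow"
    if direction != "inbound":
        raise ValueError(f"unknown direction {direction!r}")
    # Inbound: only genuine server replies (mode 4) get through. Client
    # queries (3), symmetric peering (1/2), broadcast (5) and control/private
    # messages (6/7) from the outside are all dropped at the edge.
    return "allow" if hdr.mode == 4 else "drop"


def classify_samples() -> dict:
    """Run the policy over a small constructed batch and tally the verdicts."""
    samples = [
        ("inbound", 123, 123, build_ntp_packet(3)),   # outsider querying our server
        ("inbound", 123, 123, build_ntp_packet(4)),   # upstream reply to our query
        ("inbound", 123, 123, build_ntp_packet(7)),   # private-mode request from outside
        ("outbound", 123, 123, build_ntp_packet(3)),  # our server polling upstream
        ("inbound", 53, 53, b"\x23"),                 # not NTP at all
    ]
    tally: dict = {}
    for direction, sport, dport, payload in samples:
        verdict = perimeter_verdict(direction, sport, dport, payload)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


if __name__ == "__main__":
    for mode, name in MODE_NAMES.items():
        hdr = parse_ntp_header(build_ntp_packet(mode))
        print(f"mode {mode} ({name}): inbound -> "
              f"{perimeter_verdict('inbound', 123, 123, build_ntp_packet(mode))}")
    print(classify_samples())
```

The caveat a practitioner would add: a stateless rule that admits every inbound mode-4 packet still admits replies that somebody else's spoofed queries caused a remote server to send at you, so this is a floor for the perimeter, not a substitute for stateful tracking of the stratum-2 servers' own outbound polls.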