On Fri, 2010-09-03 at 16:51 +1200, Jay Daley wrote:
On 3/09/2010, at 4:24 PM, Nathan Ward wrote:
I note that there are three servers - I am surprised that there is not a fourth to allow for redundancy. Is that a cost decision?
I've always understood that three is enough for redundancy. The client can tell when one goes awry by comparing with the other two. Admittedly if one goes down then the client can't tell that but we can pursue that logic ad infinitum no matter how many servers there are.
Do you see it differently?
Yes, and so does NTP :-!. You need four servers to be able to detect a single byzantine failure. This extra resilience is needed because NTP allows one server in a network of NTP servers to change what the other servers think. This really messes up the naive best-of-three type algorithm that most people think will work.

If the servers are set to trust only their own GPS (and not the other GPS clocks), then you may not be vulnerable to byzantine failures. You won't be able to protect against GPS hacking though, but you have to stop somewhere.

Cheers,
Lloyd
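The three-versus-four argument in the reply above, as an added example that is not part of the original thread and is not ntpd's own selection code: a simplified model in which every honest server resets its clock to the fault-tolerant midpoint of all readings (drop the lowest and the highest, take the midpoint of the rest) while one two-faced server reports a different time to each peer. The function names and the clock offsets in milliseconds are constructed for illustration.

```python
# Added illustration: fault-tolerant midpoint clock convergence with one
# Byzantine ("two-faced") server. A simplified model, not ntpd's algorithm.
# All offsets are constructed sample values in milliseconds.

def ft_midpoint(readings, f=1):
    """Discard the f lowest and f highest readings, return the midpoint of the rest."""
    kept = sorted(readings)[f:len(readings) - f]
    return (kept[0] + kept[-1]) / 2


def sync_round(honest):
    """One exchange: each honest server hears every honest clock plus one lie.

    The faulty server tells servers in the lower half a time far too low and
    servers in the upper half a time far too high, trying to hold them apart.
    """
    centre = (min(honest) + max(honest)) / 2
    updated = []
    for own in honest:
        lie = own - 1000 if own <= centre else own + 1000
        updated.append(ft_midpoint(honest + [lie]))
    return updated


def spread_after(honest, rounds):
    """Disagreement (max - min) among honest servers after the given rounds."""
    honest = list(honest)
    for _ in range(rounds):
        honest = sync_round(honest)
    return max(honest) - min(honest)


if __name__ == "__main__":
    # Three servers in total: two honest, one faulty. The honest pair never
    # gets closer, because each one's median is simply its own clock.
    print("3 servers, 5 rounds:", spread_after([0, 10], 5))
    # Four servers in total: three honest, one faulty. After discarding the
    # extremes, every kept reading is honest and the spread halves per round.
    for r in (1, 3, 5):
        print("4 servers,", r, "rounds:", spread_after([0, 4, 10], r))
```

With two honest servers the 10 ms disagreement persists indefinitely; with three honest servers it shrinks to 5 ms, then 1.25 ms after three rounds.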