On Fri, 2010-09-03 at 16:51 +1200, Jay Daley wrote:
On 3/09/2010, at 4:24 PM, Nathan Ward wrote:
I note that there are three servers - I am surprised that there is not a fourth to allow for redundancy. Is that a cost decision?
I've always understood that three is enough for redundancy. The client can tell when one goes awry by comparing with the other two. Admittedly if one goes down then the client can't tell that but we can pursue that logic ad infinitum no matter how many servers there are.
Do you see it differently?
Yes, and so does NTP :-!. You need four servers to be able to detect a single Byzantine failure. This extra resilience is needed because NTP allows one server in a network of NTP servers to change what the other servers think. This really messes up the naive best-of-three type algorithm that most people think will work. If the servers are set to trust only their own GPS (and not the other GPS clocks), then you may not be vulnerable to Byzantine failures. You won't be able to protect against GPS hacking though, but you have to stop somewhere.
Cheers,
Lloyd
This email and any attachment may contain confidential information. If you have received this email or any attachment in error, please delete the email / attachment, and notify the sender. Please do not copy, disclose or use the email, any attachment, or any information contained in them. Consider the environment before deciding to print: avoid printing if you can, or consider printing double-sided.
On 6/09/2010, at 8:56 AM, Lloyd Parkes wrote:
Yes, and so does NTP :-!. You need four servers to be able to detect a single Byzantine failure. This extra resilience is needed because NTP allows one server in a network of NTP servers to change what the other servers think. This really messes up the naive best-of-three type algorithm that most people think will work.
I think we are talking about slightly different things. If the servers were synchronised to each other then yes, you would need four for the remote case of one being hostile (or appearing hostile) by giving different info to each other server, for the others to detect and isolate the hostile one. But these servers are not synchronised; they are independent, and so the issue becomes how many a client needs to be able to contact to get correct info even if one fails.
If the servers are set to trust only their own GPS (and not the other GPS clocks), then you may not be vulnerable to Byzantine failures. You won't be able to protect against GPS hacking though, but you have to stop somewhere.
Ah OK, should have read that first before writing the above. Yes, they are quite deliberately set to only trust their own clocks and not synchronise with each other.
cheers
Jay
-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840
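The following is an added example, not code from the thread or from any NTP implementation. It models the case Jay describes (independent servers that do not peer with each other, so the client alone has to compare their answers) with a Marzullo-style interval intersection of the kind NTP's clock-selection step uses: each server's reply is an interval that supposedly contains the true offset, the largest group of mutually overlapping intervals are the "truechimers", and the client only trusts the result when that group is a strict majority of the servers that answered. The server names, offsets and error bounds are constructed sample data, and the failure cases (a server down, a server a long way off, two servers agreeing on a wrong time) are the ones the thread discusses.

```python
"""Clock selection over independent time servers (Marzullo-style sweep).

Each reply is an interval [offset - err, offset + err] in seconds.  The
client finds the largest set of mutually overlapping intervals and treats
a decision as trustworthy only if that set is a strict majority of the
servers that answered.  Constructed sample data; not NTP's own code.
"""

# Constructed sample replies: name -> (offset, max_error), in seconds.
# ntp3 and ntp5 are "falsetickers", off by about 1.5 s from the rest.
SERVERS = {
    "ntp1": (0.0010, 0.005),
    "ntp2": (-0.0020, 0.005),
    "ntp3": (1.5000, 0.005),
    "ntp4": (0.0015, 0.005),
    "ntp5": (1.5010, 0.005),
}


def answered(names):
    """Replies from the subset of servers that actually responded."""
    return {n: SERVERS[n] for n in names}


def largest_overlap(intervals):
    """Return (point, members): a point covered by the most intervals and the
    indices of the intervals covering it.  Opens sort before closes at equal
    coordinates, so intervals that merely touch still count as overlapping."""
    events = []
    for i, (lo, hi) in enumerate(intervals):
        events.append((lo, 0, i))  # open
        events.append((hi, 1, i))  # close
    events.sort()
    open_set, best, best_point = set(), set(), None
    for x, kind, i in events:
        if kind == 0:
            open_set.add(i)
            if len(open_set) > len(best):
                best, best_point = set(open_set), x
        else:
            open_set.discard(i)
    return best_point, best


def select_clocks(replies):
    """replies: dict name -> (offset, max_error).

    Returns (truechimers, falsetickers, decided).  'decided' is False when the
    overlapping group is not a strict majority, i.e. the client has no basis
    for preferring one group of servers over the other."""
    names = list(replies)
    intervals = [(o - e, o + e) for o, e in replies.values()]
    _, members = largest_overlap(intervals)
    truechimers = sorted(names[i] for i in members)
    falsetickers = sorted(n for n in names if n not in truechimers)
    decided = 2 * len(truechimers) > len(names)
    return truechimers, falsetickers, decided


if __name__ == "__main__":
    cases = {
        "3 up, 1 falseticker": ["ntp1", "ntp2", "ntp3"],
        "3 deployed, 1 down, 1 falseticker": ["ntp2", "ntp3"],
        "4 deployed, 1 down, 1 falseticker": ["ntp2", "ntp3", "ntp4"],
        "4 up, 2 falsetickers that agree": ["ntp1", "ntp2", "ntp3", "ntp5"],
    }
    for label, names in cases.items():
        print(label, "->", select_clocks(answered(names)))
```

With three servers up, the two honest ones outvote the falseticker; with one of three down, the two survivors each form a group of one and no majority exists, which is the "if one goes down then the client can't tell" case; with four deployed and one down, three remain and a single falseticker is still outvoted. The last case shows the limit of counting alone: two falsetickers that agree with each other tie two honest servers and the client cannot decide, which is why adding servers helps only as long as the bad ones stay a minority.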