Network Time Protocol (NTP) is a UDP protocol that provides a reliable way of transmitting and receiving the time over TCP/IP networks. It has become the de facto standard for synchronizing Internet computers and other networked devices to Universal Coordinated Time (UTC). The Internet Engineering Task Force formalized NTP in RFC 1305.
For a complete time synchronization solution client software is required to read the NTP packets generated by an NTP time server and synchronize the local clock. (see "How do I configure NTP clients")
Simple Network Time Protocol (SNTP) is a simplified version of NTP, which is used in cases where a full implementation of NTP is not required. Because SNTP uses the same packet format as NTP, SNTP clients can utilize NTP servers. (SNTP is defined in RFCs 1361,2030 & 4330.)
NTP and SNTP allow you to synchronize the network to the millisecond range. Precision Time Protocol (PTP) is used for industrial networks that require microsecond accuracy such as automation and control systems, power generation, transmission and distribution as well as telecommunications.
A simple solution to synchronize clocks on an Ethernet network might be to simply send a message with the value of the time of the master clock to the slaves. Upon receipt of the message, the slaves would simply reset their own clocks to match the master clock value. However, because of the time it takes to send the message due to propagation delays in the Ethernet path, as well as delays introduced by processor queuing, IP message creation and latency, the actual time the message is received by the slave no longer accurately represents the time specified by the master. PTP addresses these affects through the use of protocol messages sent between various PTP nodes to determine the clock offsets and delays inherent in the network.
Internal clocks in electronic devices are not designed for accuracy and can drift more than one hour in a year. To correct for this, you can employ network time synchronization solution.
Time synchronization is an important criteria for efficient network operations. A network time synchronization implementation is simple and relies on a network time server. The characteristics of a network time server determine the security, reliability, and accuracy as well as the ease of manageability of the network time application.
Characteristics of a secure, reliable and accurate network time synchronization application:
- Network time synchronization occurs between servers and clients via network time protocol (NTP).
- A master time source known as an NTP time server is used to time synchronize a network.
- The time server must be behind the firewall for security.
- A stratum-1 time server is directly traceable to national standards for accuracy; typically through GPS transmissions.
- The time server must be available and accurate 24/7 for reliability.
- A hardware time server appliance greatly improves the manageability of the network.
Stratum levels are used to indicate the traceability path from the atomic clocks operated by national standards organizations. These “official time clocks” are defined as stratum-0 clocks as they are the most accurate. However stratum-0 time sources can not be used on a network. A time server that is linked to a stratum 0 device is called a stratum 1 server. The link itself is provided by a direct connection to the stratum 0 device usually through GPS transmissions, but long-wave radio signals such as WWV, or dial-up modem can also be used.
Stratum-1 time servers act as the primary network time standard. Stratum-2 time servers get their time from stratum 1 sources, and so on. Higher stratum levels (stratum-2, stratum-3, stratum-4, up to stratum 15) are deemed less accurate than their source due to transmission delays by about 10-100 milliseconds per stratum level. In essence, the stratum level defines the number of steps that a server is from a primary time source.
It’s also worth noting that NTP servers operating in the same stratum may be associated with one another in a peer-to-peer fashion. This is done so that a higher quality of time can be achieved and so that the servers can synchronize to the most accurate time setting amongst peers.
NTP servers are designed to maintain accuracy in the event of loss of the GPS signal due to severe weather (lightning strikes, high winds, etc.), physical damage to the antenna, GPS signal jamming and electromagnetic pulse (EMP), and even if the federal government disables the GPS signal. Internal oscillators ensure seamless operation if the GPS signal is lost by maintaining synchronization accuracy until the GPS signal is restored.
A choice of 3 oscillators are available depending on the needs of the application. A temperature-controlled crystal oscillator (TCXO) is standard. Optional oven-controlled crystal oscillators (OCXO) and Rubidium-stabilized (Rb) oscillators offer extended "holdover" accuracy.
|
Oscillator |
Drift Rate (nanosec/sec) |
Holdover Accuracy (millsec/day) |
Recommended Holdover |
|
TCXO |
2,000 |
172.8 |
Days |
|
OXCO |
20 |
1.728 |
Months |
|
Rb |
0.05 |
0.1296 |
Years |
Internet-based time servers operated by universities and government organizations are available for public use. However, NTP requires an open port (UDP port 123) in the firewall for the NTP packets to get through. As a network operator open ports in the firewall present a security risk and can effect the reliability and accuracy of public time servers as they are easily exploited in “Denial of Service” attacks even if inadvertent.
Accuracy is another concern of internet time servers. The latest survey of the NTP time server network from MIT uncovered two problems: the number of bad time servers on the internet, as well as the unbalanced load. Only 28% of the time servers indicated as stratum 1, appeared to be actually useful.
Using an internet based time server also exposes you to spoofing. Spoofing is the act by a third party to create IP packets using someone else’s IP address. Don’t take the chance of using fake NTP packets for your network synchronization.
When choosing a time server reliability is key some key factors to look at
- MTBF of 100,000 hours
- Warranty 5 years
- Be able to use multiple stratum-1 time servers for redundancy
- Support peering and stratum-2 operation to add resiliency
- Internal oscillator selection to achieve the accuracy and hold over time required
Time servers need to scale and can process more than 4,000 NTP requests per second. This capability can support hundreds of thousands of NTP clients on a network. More often than not, large NTP deployments utilize a distributed time servers in a hierarchy of stratum levels depending on the network topology.
Client software for network time protocol is widely available for a variety of operating systems and is typically pre-installed on servers, workstations, firewalls and routers. Configuring an NTP or SNTP client is straightforward.
Third-party software is available to improve the functionality of the NTP client application. PresenTense can improve on NTP clients such as WIN32 by improving the management and reliability of the time synchronization application through the use of real-time monitoring, extensive logging, email alerts, built-in redundancy, and higher accuracy.
Learn more about a free trial version of PresenTense NTP Software.
Network time synchronization supports many laws and standards requiring network accuracy, security, and reliability.
The following are examples of regulations that drive the need for time synchronization in the network.
|
Regulation |
Driver |
|
Sarbanes-Oxley |
accuracy of financial reporting |
|
HIPAA |
patient privacy in health care |
|
Order Audit Trail System (OATS) |
Elimination of fraudulent security trades |
|
Gramm-Leach-Bliley |
customer privacy |
|
CFR 21, Part 11 |
accuracy of electronic records for drug manufacturers and others |
|
Payment Card Industry - Data Security Standards |
security of cardholder data |
|
North American Electric Reliability Council (NERC) |
Requirements for a reliable and secure bulk power system |
SOX
The Sarbanes-Oxley Act “SOX” requires top executives of public companies to personally certify the accuracy of financial reports. Section 404 requires an organization to assess internal control systems for accuracy. Typically, you need to answer the following questions: who was in what system, what they did, why they were there, and how long they were there. The accuracy of log files and time stamps is important for the network control required to ensure compliance. Accurate time synchronization of the entire IT infrastructure supports SOX compliance.
HIPAA
Health Insurance Portability and Accountability Act “HIPAA” legislation was a wide ranging act to improve various aspects of the health care industry. In addition to ensuring portability and continuity of health insurance coverage, rules and standards have been added to ensure privacy of patient records and specifically for the security of health information. A network access control is crucial to show compliance to HIPAA. Accurate time stamps are particularly called out in the regulation as a contributing factor for appropriate access controls. Time synchronization of the network of health care providers helps ensure compliance to the HIPAA regulations.
NASD’s -OATS
National Association of Securities Dealers (NASD) order audit trail system (OATS) requires those involved with financial exchanges to track trades to within 3 seconds of the international time standard known as UTC, including latencies.
Gramm-Leach-Bliley Act
In an attempt to reduce identity theft, this 1999 law protects the privacy of customers of financial institutions. It is crucial that financial organizations take reasonable steps to secure the privacy of customer records from the inside and outside the network. Similar to other regulations, time synchronization of the business systems is an enabler for securing records such as customer data.
Code of Federal Regulations (FDA)
The code of federal regulations includes Food and Drug Administration’s guidelines for the development, manufacture and sale of products that can affect the health and safety of the public. Specifically title 21, part 11 requires businesses in certain industries such as pharmaceutical manufacturing to employ procedures and controls to ensure the authenticity, integrity and confidentiality of electronic records. To satisfy this requirement, organizations must ensure that computer generated time stamps are accurate.
PCI-DSS
Payment Card Industry – Data Security Standards “PCI-DSS” applies to all who store, process or transmit cardholder data. A requirement include data and time stamping with synchronized system clocks.
FERC - NERC
The Federal Energy Regulatory Commission (FERC) has backed North American Electric Reliability Council “NERC’s” requirements for all users, owners and operators of the bulk-power system including mandatory cyber security standards. NERC’s Control System Working Group lists inadequate or non-existent digital forensic and audit trails as a top 10 vulnerability of the power grid. Top mitigation requirements include time synchronization of system logs and sequence-of-event recorders.
Along with the benefits of new network applications, controls are required to ensure the accuracy and security of data. A stratum 1 time synchronization solution directly supports the mission of the network administrator.
