NTP service

1. About

TL;DR

The Network Time Protocol (NTP) is used for clock synchronization between computers. It can synchronize all participating computers over the network to within a few milliseconds of Coordinated Universal Time (UTC) using accurate time servers.

2. Systems

2.1 Frontend

FQDN IPv6 IPv4
ntp.bfh.info
ipv6.ntp.bfh.info
ipv4.ntp.bfh.info

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods, changes are implemented instantly
  • backend can be rebootet without notice at any time
  • backend access will soon be restricted

FQDN IPv6 IPv4
node1.ntp.bfh.info 2a07:6b40::41 147.87.0.41
node2.ntp.bfh.info 2a07:6b40::42 147.87.0.42
node3.ntp.bfh.info 2a07:6b40::43 147.87.0.43
node4.ntp.bfh.info 2a07:6b40::44 147.87.0.44

3. Features

3.1 Protocols

  • NTPv4 (UDP) on port 123 (frontend and backends)

  • NTS with NTS-KE (TCP) on port 4460 (frontend and backends)

3.2 ACLs

  • queries are accepted from 2a07:6b40::/29, 147.87.0.0/16 and 10.0.0.0/8 only, everything else is denied

3.3 Time sources

  • using vendor zone from pool.ntp.org as time source

3.4 Details

  • hardware timestamping on network cards for better accuracy of synchronization

  • leap smearing for leap seconds (on 30th of June and 31th of December)

4. Backlog

4.1 Legacy

  • 2023-03-31: remove ntp.bfh.ch container and records

4.2 Features

  • 2023: creating proxy.ntp.bfh.info

  • 2023: load balancing proxy.ntp.bfh.info

  • 2023: enabling rate limiting

  • 2023: restricting backend subnet access to frontend and management only

  • 2023: anycasting ntp.bfh.info

  • ????: adding additional alternative time sources for resilience

  • ????: benchmarking

4.3 Known issues

  • downstream: chrony operation needs special handling for TLS certificates (see #1013882)