NTP, possible solutions, and best implementation

> Assuming one wanted to provide a high profile (say, at the TLD level) NTP
> service, how would you go about it?

First of all, NTP should be done at the geographical level, not the TLD
level. Generally, unless political reasons prevent it, you should try to
implement an NTP service that covers a region roughly as large as Europe
to avoid too much fate sharing caused by proximity.

> The possibilities I encountered are diverse; the problem is not the
> back-end device (be it a GPS based NTP source + atomic clock backup, based on
> cesium or similar),

Beware the single point of failure. If all your clocks come from GPS, then
GPS is the SPOF. If they all come from brand X manufacturer then that is
the SPOF. A commercial service should be robust and use a combination of
atomic clocks, GPS, radio time services, CDMA/GSM clocks combined with a
sanity checker to watch all the clocks and detect bad timekeepers.

> However, when you put such a device on a network, you want to have some
> kind of clue about the investment made in that product when security
> comes to mind,

Indeed.
Hide this clock behind a packet filtering firewall or else use udprelay
and an application layer gateway on UNIX to block everything except NTP.
In fact, if this is a commercial service you should hack udprelay so that
it knows about the NTP protocol and can block non-customer traffic or
malformed traffic or high volumes of traffic. That way, the UNIX
server/firewall in between the NTP device and the net protects it from
abuse, but since this UNIX server is a pass-through device from the point
of view of NTP, it does not change the stratum level of the service any
more than an IP router does.

--Michael Dillon
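Michael Dillon's suggestion above amounts to a udprelay that has been taught the NTP protocol. The Python sketch below is an added example written for this page, not udprelay's code or anything posted in the thread; it shows the per-datagram decision logic such a relay would apply before forwarding anything to the clock: parse the first header byte (leap indicator, version, mode), accept only version 3 or 4 client requests (mode 3) from customer prefixes, reject datagrams whose length is neither a bare 48-byte header nor a header plus key ID and MAC, and rate-limit each source with a token bucket. The customer prefixes, the accepted MAC sizes, the rate and burst values, and the packets fed through it are all assumptions constructed for the example; a real relay would read them from a UDP socket.

```python
import ipaddress
import struct

NTP_HEADER_LEN = 48
# Assumption: accept a bare header or a header followed by a 4-byte key ID
# and a 16-, 20- or 32-byte MAC; any other length is treated as malformed.
ALLOWED_LENGTHS = {NTP_HEADER_LEN + extra for extra in (0, 4 + 16, 4 + 20, 4 + 32)}
MODE_CLIENT = 3  # the only mode a time-service customer needs to send


class NtpFilter:
    """Per-datagram policy for a relay sitting in front of a stratum-1 clock."""

    def __init__(self, customer_prefixes, rate_per_second=4.0, burst=8):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.rate = rate_per_second   # sustained requests per second per source
        self.burst = burst            # short-term allowance per source
        self.buckets = {}             # src_ip -> (tokens, last_seen)

    def check(self, src_ip, payload, now):
        """Return (allowed, reason) for one inbound datagram."""
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.prefixes):
            return False, "non-customer source %s" % src_ip
        if len(payload) not in ALLOWED_LENGTHS:
            return False, "bad length %d" % len(payload)
        # First header byte: LI (2 bits) | VN (3 bits) | mode (3 bits)
        version = (payload[0] >> 3) & 0x7
        mode = payload[0] & 0x7
        if version not in (3, 4):
            return False, "unsupported version %d" % version
        if mode != MODE_CLIENT:
            return False, "mode %d is not a client request" % mode
        # Token bucket: refill at self.rate, cap at self.burst, spend one per packet
        tokens, last = self.buckets.get(src_ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[src_ip] = (tokens, now)
            return False, "rate limit exceeded"
        self.buckets[src_ip] = (tokens - 1.0, now)
        return True, "ok"


def build_packet(version=4, mode=MODE_CLIENT):
    """Constructed 48-byte NTP header with zeroed timestamps (sample input only)."""
    first = (0 << 6) | (version << 3) | mode  # LI = 0
    # stratum 0, poll 6, precision -20, then root delay, root dispersion,
    # reference id and four 64-bit timestamps, packed as 11 x u32 of zeros
    return struct.pack("!BBBb11I", first, 0, 6, -20, *([0] * 11))


def run_samples():
    """Feed constructed datagrams through the filter and return the verdicts."""
    flt = NtpFilter(["192.0.2.0/24", "198.51.100.0/24"])  # assumed customer ranges
    t0 = 1000.0
    results = {
        "valid": flt.check("192.0.2.10", build_packet(), t0),
        "outsider": flt.check("203.0.113.5", build_packet(), t0),
        "private_mode": flt.check("192.0.2.11", build_packet(mode=7), t0),
        "truncated": flt.check("192.0.2.12", build_packet()[:12], t0),
        "old_version": flt.check("192.0.2.13", build_packet(version=1), t0),
    }
    # 20 back-to-back requests from one host in the same instant: only the
    # burst allowance reaches the clock, the rest are dropped at the relay
    allowed = sum(flt.check("198.51.100.7", build_packet(), t0)[0] for _ in range(20))
    results["burst_allowed"] = allowed
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

Because the relay forwards accepted client requests unchanged and returns the clock's reply, it adds a hop of delay and jitter but, as Dillon notes, no stratum: the customer still talks to a stratum-1 server.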

> Beware the single point of failure. If all your clocks come from GPS, then
> GPS is the SPOF. If they all come from brand X manufacturer then that is
> the SPOF. A commercial service should be robust and use a combination of
> atomic clocks, GPS, radio time services, CDMA/GSM clocks combined with a
> sanity checker to watch all the clocks and detect bad timekeepers.

Yes, this is definitely an issue, and thus the clocks are at least one
cesium, and the other two are different vendors.

> Indeed.
> Hide this clock behind a packet filtering firewall or else use udprelay
> and an application layer gateway on UNIX to block everything except NTP.
> In fact, if this is a commercial service you should hack udprelay so that
> it knows about the NTP protocol and can block non-customer traffic or
> malformed traffic or high volumes of traffic. That way, the UNIX

So what you are suggesting basically is to add an application layer sanity
checker and DoS preventer, am I right?

--Ariel
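Dillon's "sanity checker to watch all the clocks and detect bad timekeepers", applied to the setup Ariel describes (one cesium plus two receivers from different vendors). This is an added Python example, not code from the thread: each source contributes an offset and an error bound, which together form an interval; the intersection sweep below (Marzullo's algorithm, the idea behind the clock-selection step in NTP) finds the sub-interval that the largest number of sources agree on, and any source whose interval does not contain it is declared a falseticker. If no majority of sources agree, nothing is trusted. Offsets and bounds are integer nanoseconds, and every scenario is constructed for the example.

```python
def marzullo(intervals):
    """Intersection sweep over [low, high] pairs.

    Returns (count, (low, high)): the largest number of intervals that share
    a common sub-interval, and that sub-interval. Integer edges avoid the
    floating-point equality problems an offset in seconds would bring.
    """
    events = []
    for low, high in intervals:
        events.append((low, -1))   # interval opens
        events.append((high, +1))  # interval closes; sorts after an open at the same edge
    events.sort()
    best, count, best_low, best_high = 0, 0, None, None
    for i, (edge, kind) in enumerate(events):
        count -= kind
        if count > best:  # only true on an open event, so events[i + 1] exists
            best, best_low, best_high = count, edge, events[i + 1][0]
    return best, (best_low, best_high)


def select_truechimers(sources):
    """sources: {name: (offset_ns, bound_ns)} -> (truechimers, falsetickers, interval).

    A source is a truechimer if its interval contains the majority intersection.
    With no majority (best * 2 <= n) nothing is trusted and interval is None.
    """
    names = list(sources)
    intervals = [(off - bound, off + bound) for off, bound in sources.values()]
    best, (low, high) = marzullo(intervals)
    if best * 2 <= len(sources):
        return [], names, None
    true = [n for n, (off, bound) in sources.items()
            if off - bound <= low and off + bound >= high]
    false = [n for n in names if n not in true]
    return true, false, (low, high)


def run_scenarios():
    """Constructed readings (ns) for a cesium standard and two GPS receivers."""
    scenarios = {
        # GPS B alone is 350 ms out (bad antenna, vendor firmware bug, ...)
        "gps_b_wrong": {
            "cesium": (10_000, 50_000),
            "gps_a": (-20_000, 100_000),
            "gps_b": (350_000_000, 1_000_000),
        },
        # All three disagree: no majority, trust nothing and raise an alarm
        "three_way_split": {
            "cesium": (0, 50_000),
            "gps_a": (500_000, 50_000),
            "gps_b": (-500_000, 50_000),
        },
        # Both GPS receivers share the same 2 ms error: the cesium is outvoted
        "shared_gps_error": {
            "cesium": (0, 50_000),
            "gps_a": (2_000_000, 100_000),
            "gps_b": (2_050_000, 100_000),
        },
    }
    return {name: select_truechimers(src) for name, src in scenarios.items()}


if __name__ == "__main__":
    for name, (good, bad, interval) in run_scenarios().items():
        print("%-17s truechimers=%s falsetickers=%s interval=%s"
              % (name, good, bad, interval))
```

The third scenario is the point the rest of the thread makes about GPS as a single point of failure: when both receivers drift together (shared antenna, same vendor's firmware, or the satellite system itself), majority voting throws out the lone cesium. A checker like this catches a bad timekeeper, not a bad consensus; diversity of sources is what keeps the majority honest.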

Can you describe what would be involved to cause this sort of single point of failure to fail?

Eliot

> Can you describe what would be involved to cause this sort of single
> point of failure to fail?
>
> Eliot

- Antenna failure
- Radio failure
- Unforeseen GPS protocol issues
  see:
http://www.colorado.edu/geography/gcraft/notes/gps/gpseow.htm
http://www.sustainableworld.com/y2kgps/gpseng/

The basic idea is that putting all your eggs in one basket is rarely
a good plan.

--mghali@snark.net

Yo Elliot!

The Defense Department sometimes runs jamming tests on GPS just to see
what would happen. They did this in Phoenix last year. They also
have been known to do this in LA and San Diego for up to 15 minutes
at a time.

AOPA (Airplane Owners and Pilots Association) has written on this topic
a few times. Needless to say this really gets pilots agitated....

Lots of GPSes also failed on Y2K and the GPS epoch rollover.

RGDS
GARY

Eliot Lear writes:

> > Beware the single point of failure. If all your clocks come
> > from GPS, then
> > GPS is the SPOF.
>
> Can you describe what would be involved to cause this sort of single
> point of failure to fail?

  It depends upon how low a probability failure you're willing to consider
and how paranoid you are. For one thing, the U.S. National Command Authority
could decide that GPS represents a threat to national security and disable
or derate GPS temporarily or indefinitely over a limited or unlimited area.

  It is well known that GPS is vulnerable to deliberate attacks in limited
areas, perhaps even over large areas (see Presidential Decision Directive
63). Backup systems are officially recommended for "safety-critical
applications" and the US government is actively interested in developing
low-cost backup systems (presumably because they're concerned about GPS as a
SPOF too).

  The US government, and other entities, do perform "GPS interference
testing". This basically means they interfere with GPS. The government is
also actively investigating "phase-over to private operation", which could
mean changes to operation, fee system, or reliability of the GPS system.

  One could also imagine conditions that would result in concurrent failures
of large numbers of satellites. Remember what happened to Anik E-1 and E-2
(space weather caused them to spin out of control).

  If you do develop a system with GPS as a SPOF, you should certainly be
aware of these risks and monitor any changes to the political and technical
climate surrounding GPS. I do believe that it is currently reasonable to
have GPS as a SPOF for a timing application that is not life critical (that
is, where people won't die if it fails).

  Aviators try very, very hard not to trust their lives to GPS.

  DS

okay. two valid cases to be concerned about:

The most valid case is when we all go and buy GPS receivers from the same vendor who turns out to have a bug or a vulnerability of some form.

The other valid case is if the defense department brought down the satellite system for some odd reason. And they seem to not have a shortage of odd reasons.

Some sort of a backup, such as PPS, or WWV* is nice, but so long as there are a few of these in the network somewhere, life should go on. Many enterprise networks run with 0 stratum 1s.

Eliot

> It depends upon how low a probability failure you're willing to consider
> and how paranoid you are. For one thing, the U.S. National Command Authority
> could decide that GPS represents a threat to national security and disable
> or derate GPS temporarily or indefinitely over a limited or unlimited area.

Derating GPS wouldn't affect the time reference functionality. Turning off
GPS entirely would seriously affect military aviation operations.

> It is well known that GPS is vulnerable to deliberate attacks in limited
> areas, perhaps even over large areas (see Presidential Decision Directive
> 63). Backup systems are officially recommended for "safety-critical
> applications" and the US government is actively interested in developing
> low-cost backup systems (presumably because they're concerned about GPS as a
> SPOF too).
>
> The US government, and other entities, do perform "GPS interference
> testing". This basically means they interfere with GPS. The government is
> also actively investigating "phase-over to private operation", which could
> mean changes to operation, fee system, or reliability of the GPS system.
>
> One could also imagine conditions that would result in concurrent failures
> of large numbers of satellites. Remember what happened to Anik E-1 and E-2
> (space weather caused them to spin out of control).
>
> If you do develop a system with GPS as a SPOF, you should certainly be
> aware of these risks and monitor any changes to the political and technical
> climate surrounding GPS. I do believe that it is currently reasonable to
> have GPS as a SPOF for a timing application that is not life critical (that
> is, where people won't die if it fails).
>
> Aviators try very, very hard not to trust their lives to GPS.

As opposed to LORAN ?

A military repositioning of the GPS sats for their own purposes, perhaps?
Or adjustment of the time being broadcast?

I know that a coworker of mine experienced this with a GPS-based tracking
system. The boat he was tracking moved from the middle of the atlantic,
to the middle of europe, then eventually back the middle of the atlantic.
(this was around the time of Desert Storm)

Or, of course, a more general failure of the GPS time system, for whatever
reason.

...david

> > Beware the single point of failure. If all your clocks come from GPS, then
> > GPS is the SPOF.
>
> Can you describe what would be involved to cause this sort of single
> point of failure to fail?

please don't!

i smell my kill-subject key coming

> It depends upon how low a probability failure you're willing to consider
> and how paranoid you are. For one thing, the U.S. National
> Command Authority
> could decide that GPS represents a threat to national security
> and disable
> or derate GPS temporarily or indefinitely over a limited or
> unlimited area.

> Derating GPS wouldn't affect the time reference functionality. Turning off
> GPS entirely would seriously affect military aviation operations.

  Not so:

"Selective Availability (SA) is the deliberate introduction of error by
either altering the precise timekeeping of GPS satellites or the position of
the satellites in space, through the on-board software, thereby reducing
both positioning and timing accuracy for civilian users."

  GPS accuracy is generally reduced by adding noise to the timing. Now you
would have to derate GPS pretty significantly before timing accuracy would
be significantly affected. But it's possible that some time references would
refuse to lock on at all with sufficient derating. The effects of more
extreme derating than SA are, at least to some extent, unknown.

> > Aviators try very, very hard not to trust their lives to GPS.
>
> As opposed to LORAN?

  Generally, aviators don't like SPOFs. So they try very hard not to trust
their life to any one thing. GPS is used in conjunction with VORs, pilotage
(navigation by reference to fixed objects), and dead reckoning.

  GPS is used for instrument approaches, but only under extremely controlled
conditions by very experienced pilots. A significant fraction of instrument
training is how to cross-check instruments and detect failures. GPS
approaches are individually approved by the FAA and factors such as runway
lighting are critical. FAA approved GPS units must be used and one of the
things these GPS units must do is monitor signal integrity (RAIM). From time
to time, you will read FAA accident reports of people who attempted to
perform GPS approaches with just a handheld GPS.

  DS

Two relevant points on GPS/LORAN

1 - GPS has two positioning systems
    
    1 - SPS Standard Positioning Service which is what all civilian
        uses of GPS utilize for positioning and timing uses and this can
        be degraded or disabled with no notice to the user community
        by the National Command Authority.

    2 - PPS Precision Positioning Service this is the military GPS system
        which uses encrypted signals on a different frequency to provide
        location services accurate to 30 cm. SPS can be disabled with no
        effect on PPS.

        I have no knowledge of why there are two systems since the system
        was initially designed for military use only but as a guess the
        SPS system was designed as a test system so GPS system
        functionality could be checked without the need to disclose keys.
        
2 - GPS is more accurate than LORAN however the SPS is much less
    repeatable by design than LORAN. A LORAN may not give you as accurate
    a Fix as the GPS but the LORAN will always bring you back to the
    same spot +/- a few feet which is why Aviators and Sailors like LORAN
    better than GPS.

2.5 - Both systems use atomic clocks for their time reference systems.

                            Scott C. McGrath

> > Derating GPS wouldn't affect the time reference functionality. Turning
> > off GPS entirely would seriously affect military aviation operations.
>
>   Not so:
>
> "Selective Availability (SA) is the deliberate introduction of error by
> either altering the precise timekeeping of GPS satellites or the position
> of the satellites in space, through the on-board software, thereby
> reducing both positioning and timing accuracy for civilian users."
>
>   GPS accuracy is generally reduced by adding noise to the timing. Now you
> would have to derate GPS pretty significantly before timing accuracy would
> be significantly affected. But it's possible that some time references
> would refuse to lock on at all with sufficient derating. The effects of
> more extreme derating than SA are, at least to some extent, unknown.

While this is true, the derating in common practice for SA when it was turned
on actually turned out to be somewhat less inaccurate than the combination
of atmospheric error and other issues in most GPS-based time sources. For
NTP, network jitter would exceed SA jitter in most implementations.

> > > Aviators try very, very hard not to trust their lives to GPS.
> >
> > As opposed to LORAN?
>
>   Generally, aviators don't like SPOFs. So they try very hard not to trust
> their life to any one thing. GPS is used in conjunction with VORs,
> pilotage (navigation by reference to fixed objects), and dead reckoning.

Pilotage is _VERY_ difficult in IMC. Most IFR pilots don't rely much on
pilotage most of the time, and almost never attempt pilotage in IMC.
It is true that most of them use VORs and RADAR as their primary navigational
backups under IFR in IMC.

>   GPS is used for instrument approaches, but only under extremely
> controlled conditions by very experienced pilots. A significant fraction
> of instrument training is how to cross-check instruments and detect
> failures. GPS approaches are individually approved by the FAA and factors
> such as runway lighting are critical. FAA approved GPS units must be used
> and one of the things these GPS units must do is monitor signal integrity
> (RAIM). From time to time, you will read FAA accident reports of people
> who attempted to perform GPS approaches with just a handheld GPS.

Excuse me? GPS is used for instrument approaches by virtually any
instrument rated pilot. A pilot can conduct a GPS approach solo with
as little as 75 hours of PIC experience (35 hours part 141 private
course and 40 hours instrument training) (14CFR parts 61 and 141).
I would not consider a pilot with 75 hours or even 100 hours "very
experienced". Heck, I have over 650 hours and I don't consider myself
"very experienced". I haven't looked back at my logbook to be sure, but,
if memory serves, I got my instrument rating at about 225 hours, and,
shot my first solo GPS approach with around 250 hours of PIC experience.

You are right that a significant portion of instrument training is how
to cross-check instruments and detect failures. Mostly, however, this
focuses on failures of instruments related to keeping the airplane
right-side up. Some cursory coverage is given to detecting navigational
failures, but, as much as I try to behave differently, and, as much
as I wish this weren't true, the primary mode of navigational failure
detection employed by most IFR pilots I've met is when the controller
says "Where the heck are you going?" (no, this isn't from the Pilot
Controller glossary, nor is it how they usually convey that message).

It is true that to begin a GPS approach, you must have an approach
certified (TSO'd) unit in an installation that the FAA FSDO has
signed off as an approach capable installation. It's also true that
you need RAIM, and, RAIM provides a certain amount of integrity more
than standard GPS and more than ILS. (Actually ILS glide-slope only
failures are the ones that scare me the most as an IFR pilot).

I'm not saying the system is unsafe. I think it's very safe. I also
agree about the accident reports regarding handhelds, however, I will
say that with a safety pilot on board, I occasionally do make sure that
I can do a panel-out (yes, that means put the sectional over the entire
panel) approach using my Garmin 195. I would never do this in actual
IMC, and, I would never do it without a safety pilot looking out the
window and watching what I was doing. However, I feel safer knowing
that I can, if everything else goes to heck, get the plane down a
GPS approach using the handheld. It is a _VERY_ challenging approach.

Owen

I used to work with GPS navigation / calibration. The entire system is
designed to "free wheel" for at least a month, and probably many months,
giving adequate performance
even if all the ground control stations were destroyed. The only thing
I would worry about (besides failures of my own equipment) would be that
roof access might be blocked (say if debris fell on the roof), and thus
the signal could not be acquired, for some period of time.

Selective availability (SA, the jittering of the clocks on the public signal)
introduced timing errors only at the level of 100
nanoseconds. If you need timing better than that, you should worry
(a little) about having a backup time source, in case SA gets turned back
on in a dire national emergency.

Regards
Marshall Eubanks