NTP (Network Time Protocol)
Definition
NTP (Network Time Protocol, RFC 5905) is a networking protocol for synchronizing the clocks of computer systems over packet-switched data networks. It maintains time accuracy to within tens of milliseconds over the public Internet and sub-millisecond accuracy on a local area network.
NTP is critical for distributed systems, logging, security certificates, and database consistency.
NTP Hierarchy (Stratum)
```
Stratum 0: Reference clock (atomic clock, GPS, radio)
    │
    ▼
Stratum 1: Directly connected to Stratum 0 (time server)
    │
    ▼
Stratum 2: Syncs from Stratum 1
    │
    ▼
Stratum 3: Syncs from Stratum 2
    │
    ▼
   ...
Stratum 15: Last valid stratum
    │
    ▼
Stratum 16: Unsynchronized (error)
```
NTP vs SNTP
| Feature | NTP | SNTP (Simple NTP) |
|---|---|---|
| Complexity | Full algorithm, filtering | Simplified, single sample |
| Accuracy | Milliseconds | Seconds (acceptable for most) |
| Use case | Time servers, critical systems | IoT, embedded, simple clients |
| Resource usage | Higher | Lower |
| Standard | RFC 5905 | RFC 4330 |
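To make the stratum field and the NTP-versus-SNTP difference concrete, here is an added Python example (not code from the original page or from any NTP implementation) that decodes the 48-byte RFC 5905 packet header, computes clock offset and round-trip delay from the four on-wire timestamps, and contrasts SNTP's single-sample estimate with the lowest-delay selection at the heart of NTP's clock filter. All packets and timestamps are constructed in the code; `build_server_reply`, `stratum_label`, `sntp_estimate` and `ntp_filtered_estimate` are names chosen for this example.

```python
"""Constructed example: decode an NTP (RFC 5905) reply and compute offset/delay."""
import struct
from dataclasses import dataclass

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * (1 << 32)))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix time as float."""
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


@dataclass
class NtpPacket:
    leap: int
    version: int
    mode: int            # 3 = client, 4 = server
    stratum: int
    poll: int
    precision: int
    root_delay: float
    root_dispersion: float
    ref_id: bytes
    ref_ts: float
    origin_ts: float     # T1: client transmit time, echoed back by the server
    receive_ts: float    # T2: server receive time
    transmit_ts: float   # T3: server transmit time

    @classmethod
    def parse(cls, data: bytes) -> "NtpPacket":
        if len(data) < 48:
            raise ValueError("NTP packet is 48 bytes minimum")
        # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
        # reference ID, then four 64-bit timestamps (network byte order).
        (li_vn_mode, stratum, poll, precision, rdelay, rdisp, ref_id,
         ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbII4sQQQQ", data[:48])
        return cls(
            leap=li_vn_mode >> 6, version=(li_vn_mode >> 3) & 0x7, mode=li_vn_mode & 0x7,
            stratum=stratum, poll=poll, precision=precision,
            root_delay=rdelay / 65536, root_dispersion=rdisp / 65536, ref_id=ref_id,
            ref_ts=from_ntp_ts(ref_ts), origin_ts=from_ntp_ts(orig_ts),
            receive_ts=from_ntp_ts(recv_ts), transmit_ts=from_ntp_ts(xmit_ts),
        )


def build_server_reply(stratum: int, t1: float, t2: float, t3: float,
                       ref_id: bytes = b"GPS\0") -> bytes:
    """Construct a mode-4 (server) NTPv4 reply for the example; not captured traffic."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, VN=4, Mode=4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20, 0, 0, ref_id,
                       to_ntp_ts(t2), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def stratum_label(stratum: int) -> str:
    """0 = unspecified / kiss-o'-death, 1..15 usable, 16 = unsynchronized."""
    if stratum == 0:
        return "unspecified/kiss-o'-death"
    if 1 <= stratum <= 15:
        return "synchronized"
    return "unsynchronized"


def offset_and_delay(pkt: NtpPacket, t4: float) -> tuple[float, float]:
    """RFC 5905 on-wire calculation; t4 is the client's receive time of the reply."""
    t1, t2, t3 = pkt.origin_ts, pkt.receive_ts, pkt.transmit_ts
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def sntp_estimate(reply: bytes, t4: float) -> float:
    """SNTP (RFC 4330) style: trust the single sample as-is."""
    return offset_and_delay(NtpPacket.parse(reply), t4)[0]


def ntp_filtered_estimate(samples: list[tuple[bytes, float]]) -> float:
    """Core heuristic of the NTP clock filter: keep the offset of the lowest-delay
    sample, because queueing on one direction of the path inflates delay and
    biases the offset of that sample."""
    best = None
    for reply, t4 in samples:
        off, dly = offset_and_delay(NtpPacket.parse(reply), t4)
        if best is None or dly < best[1]:
            best = (off, dly)
    if best is None:
        raise ValueError("no samples")
    return best[0]
```

With a clean exchange (server clock 2 s ahead, 0.5 s round trip) both estimators agree; a second exchange delayed 3 s on the return path makes the single-sample estimate report 0.5 s, while selecting the lowest-delay sample still yields the true 2 s offset.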
NTP in Infrastructure
| Component | NTP Role |
|---|---|
| Servers | Must have synchronized time for logs, auth, certificates |
| Databases | Time consistency for replication, transactions |
| Kerberos | Time-based authentication (5-minute clock skew limit) |
| TLS/SSL | Certificate validity depends on correct time |
| Logging | Correlate events across distributed systems |
| Kubernetes | kubelet requires NTP sync |
| DNS | DNSSEC validation requires accurate time |
NTP Configuration (Linux)
```bash
# Check NTP status
timedatectl status
chronyc tracking

# NTP servers to use
# Public pool: pool.ntp.org
# Google:      time.google.com
# AWS:         169.254.169.123 (Amazon Time Sync Service, link-local)
# Azure:       168.63.129.16 (Azure platform virtual IP)
```

systemd-timesyncd (simple), in `/etc/systemd/timesyncd.conf`:

```ini
[Time]
NTP=time.google.com pool.ntp.org
FallbackNTP=0.pool.ntp.org 1.pool.ntp.org
```

chrony (production-grade), in `/etc/chrony.conf`:

```
server time.google.com iburst
server pool.ntp.org iburst
driftfile /var/lib/chrony/drift
```
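The `chronyc tracking` output above is what a fleet health check reads to catch the failure modes in the infrastructure table, in particular a host that has lost all sources (stratum 0 / "Not synchronised") or drifted past the 5-minute Kerberos skew limit. The following added Python example (not from the original page or from the chrony project) parses two constructed `chronyc tracking` samples and returns findings; the thresholds `KERBEROS_MAX_SKEW`, `WARN_OFFSET` and the 1 s root-distance bound, as well as the function names, are choices made for this example.

```python
"""Constructed example: evaluate `chronyc tracking` output against sync/skew thresholds."""
import re

KERBEROS_MAX_SKEW = 300.0   # seconds; the 5-minute limit named in the table above
WARN_OFFSET = 0.5           # seconds; warn well before Kerberos or TLS start failing
MAX_ROOT_DISTANCE = 1.0     # seconds; bound on the error budget to the reference clock

# Constructed sample of a healthy host (not captured from a real system)
HEALTHY = """\
Reference ID    : A9FEA97B (169.254.169.123)
Stratum         : 4
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 0.000012345 seconds fast of NTP time
Last offset     : +0.000003210 seconds
RMS offset      : 0.000010000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.050 ppm
Root delay      : 0.001234567 seconds
Root dispersion : 0.000123456 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""

# Constructed sample of a host that lost its sources and drifted almost 7 minutes
BROKEN = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 412.250000000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""


def parse_tracking(text: str) -> dict[str, str]:
    """Split 'Label : value' lines into a dict keyed by the left-hand label.
    Splitting on the first colon keeps timestamps like 00:00:00 intact."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def system_offset_seconds(fields: dict[str, str]) -> float:
    """'System time' reads '<n> seconds fast|slow of NTP time'; fast => positive."""
    m = re.match(r"([0-9.]+) seconds (fast|slow)", fields.get("System time", ""))
    if not m:
        raise ValueError("cannot parse the System time line")
    value = float(m.group(1))
    return value if m.group(2) == "fast" else -value


def _seconds(fields: dict[str, str], key: str) -> float:
    """Read a '<n> seconds' field as a float (0.0 when absent)."""
    return float(fields.get(key, "0").split()[0])


def assess(text: str) -> list[str]:
    """Return a list of findings; an empty list means the host's clock is healthy."""
    f = parse_tracking(text)
    findings = []
    stratum = int(f.get("Stratum", "16"))
    leap = f.get("Leap status", "")
    # Stratum 0 here means no source; stratum 16 is the protocol's unsynchronized marker.
    if leap.lower().startswith("not sync") or stratum == 0 or stratum >= 16:
        findings.append("unsynchronized: no valid time source "
                        "(stratum %d, leap status '%s')" % (stratum, leap))
    offset = abs(system_offset_seconds(f))
    if offset > KERBEROS_MAX_SKEW:
        findings.append("critical: offset %.3fs exceeds the Kerberos 5-minute skew limit" % offset)
    elif offset > WARN_OFFSET:
        findings.append("warning: offset %.3fs" % offset)
    # Root distance (delay/2 + dispersion) bounds the error relative to the stratum-0 clock.
    root_distance = _seconds(f, "Root delay") / 2 + _seconds(f, "Root dispersion")
    if root_distance > MAX_ROOT_DISTANCE:
        findings.append("warning: root distance %.3fs, time source too far or uncertain" % root_distance)
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, assess(sample) or ["ok"])
```

In production the text would come from `subprocess.run(["chronyc", "tracking"], capture_output=True, text=True).stdout`; the rest of the logic is unchanged.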
NTP Security
- NTP authentication: Key-based authentication (rarely used)
- NTP amplification attacks: NTP servers used in DDoS (monlist command)
- Mitigation: Disable monlist, restrict NTP access, use SNTP for clients
- Firewall: Allow UDP port 123 (outbound only for clients)
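The amplification risk above is visible in your own flow telemetry: a legitimate NTP exchange is roughly 1:1 in bytes (one 48-byte request, one 48-byte reply), whereas a server still answering monlist sends many large packets to whichever address the request claimed to come from. This added Python example (not code from the original page or from any NTP or flow-collector project) aggregates constructed UDP/123 flow records per local server, computes the outbound-to-inbound byte ratio, and flags servers that amplify; the `Flow` dataclass, the `192.0.2.` local prefix and the ratio threshold of 10 are assumptions of the example.

```python
"""Constructed example: spot NTP amplification from flow records (defender's view)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed flow records (not a real capture). 192.0.2.10 answers ordinary client
# queries 1:1; 192.0.2.20 answers two 90-byte queries with 100 packets / 48150 bytes each,
# all sent to 198.51.100.7, the address the queries were spoofed from.
FLOWS = [
    Flow("203.0.113.5", 50123, "192.0.2.10", 123, "udp", 90, 1),
    Flow("192.0.2.10", 123, "203.0.113.5", 50123, "udp", 90, 1),
    Flow("203.0.113.9", 50124, "192.0.2.10", 123, "udp", 90, 1),
    Flow("192.0.2.10", 123, "203.0.113.9", 50124, "udp", 90, 1),
    Flow("198.51.100.7", 123, "192.0.2.20", 123, "udp", 90, 1),
    Flow("192.0.2.20", 123, "198.51.100.7", 123, "udp", 48150, 100),
    Flow("198.51.100.7", 123, "192.0.2.20", 123, "udp", 90, 1),
    Flow("192.0.2.20", 123, "198.51.100.7", 123, "udp", 48150, 100),
    Flow("203.0.113.5", 41000, "192.0.2.20", 443, "tcp", 5200, 12),  # unrelated, ignored
]


def amplification_by_server(flows: list[Flow], local_prefix: str = "192.0.2.") -> dict:
    """Sum UDP/123 bytes into and out of each local NTP server and return
    {server: (bytes_in, bytes_out, ratio)}. Ratio is inf when replies have no requests."""
    bytes_in: dict = defaultdict(int)
    bytes_out: dict = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == 123 and f.dst.startswith(local_prefix):
            bytes_in[f.dst] += f.bytes
        elif f.sport == 123 and f.src.startswith(local_prefix):
            bytes_out[f.src] += f.bytes
    result = {}
    for server in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[server], bytes_out[server]
        result[server] = (i, o, o / i if i else float("inf"))
    return result


def flag_amplifiers(flows: list[Flow], threshold: float = 10.0) -> list[str]:
    """Servers whose reply volume exceeds request volume by the threshold factor.
    A plain mode 3/4 exchange sits near 1.0, so 10x is well clear of normal traffic."""
    stats = amplification_by_server(flows)
    return sorted(server for server, (_, _, ratio) in stats.items() if ratio >= threshold)


def reply_destinations(flows: list[Flow], server: str) -> set:
    """Addresses a server sent UDP/123 replies to; for a flagged server these are the
    spoofed victims, which is what to notify or rate-limit while the server is fixed."""
    return {f.dst for f in flows if f.proto == "udp" and f.src == server and f.sport == 123}


if __name__ == "__main__":
    for server in flag_amplifiers(FLOWS):
        _, _, ratio = amplification_by_server(FLOWS)[server]
        print(f"{server}: {ratio:.0f}x amplification, replies sent to {reply_destinations(FLOWS, server)}")
```

The finding for a flagged server maps directly onto the mitigations listed above: disable monlist (ntpd's `disable monitor`, and `restrict ... noquery` for mode 6/7 queries; chrony never implemented monlist), and restrict who may reach UDP/123 at the firewall.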
NTP Alternatives
| Protocol | Accuracy | Use Case |
|---|---|---|
| PTP (Precision Time Protocol) | Microseconds | Financial trading, telecom |
| GPS time | Nanoseconds | GPS-disciplined oscillators |
| NMEA | Milliseconds | GPS receiver data |
| IEEE 1588 (PTP) | Sub-microsecond | Industrial automation |
Related
- TLS / Kerberos: both require NTP-synced clocks
- DNS: NTP ensures consistent monitoring timestamps
- Backup: NTP ensures consistent backup timestamps