<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html>
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org">
<title>NTP Version 4 Release Notes</title>
</head>
<body>
<h3>NTP Version 4 Release Notes</h3>
<img align="left" src="pic/hornraba.gif" alt="gif"><a href=
"http://www.eecis.udel.edu/~mills/pictures.htm">from <i>Alice's
Adventures in Wonderland</i>, Lewis Carroll</a>
<p>The rabbit toots to make sure you read this.<br clear="left">
</p>
<hr>
<p>This document was last updated 4 May 2001</p>
<h4>NTP Version 4 Release Notes</h4>
<p>This release of the NTP Version 4 (NTPv4) daemon for Unix, VMS
and Windows (NT4 and 2000) incorporates new features and
refinements to the NTP Version 3 (NTPv3) algorithms. However, it
continues the tradition of retaining backwards compatibility with
older versions, except for symmetric mode in NTPv1. Client/server
mode continues to be supported in NTPv1. The NTPv4 version has been
under development for quite a while and isn't finished yet. In
fact, quite a number of NTPv4 features have already been
retrofitted in the current NTPv3, although this version is not
actively maintained by the NTPv4 developer's group.</p>
<p>The primary purpose of this release is to verify the remaining
new code compiles and runs in the various architectures, operating
systems and hardware complement that can't be verified here. Of
particular interest are Windows 2000, VMS and various reference
clock drivers. As always, corrections and bugfixes are warmly
received, especially in the form of context diffs.</p>
<p>This note summarizes the differences between this software
release of NTPv4, called ntp-4.x.x, and the previous NTPv3 version,
called xntp3-5.x.x. Additional information on protocol
compatibility details is in the <a href="biblio.htm">Protocol
Conformance Statement</a> page.</p>
<ol>
<li>
<p>Most calculations are now done using 64-bit floating double
format, rather than 64-bit fixed point format. The motivation for
this is to reduce size, improve speed and avoid messy bounds
checking. Workstations of today are much faster than when the
original NTP version was designed in the early 1980s, and it is
rare to find a processor architecture that does not support
floating double. The fixed point format is still used with raw
timestamps, in order to retain the full precision of about 212
picoseconds. However, the algorithms which process raw timestamps
all produce fixed point differences before converting to floating
double. The differences are ordinarily quite small so can be
expressed without loss of accuracy in this format.</p>
</li>
<li>
<p>The clock discipline algorithm has been redesigned to improve
accuracy, reduce the impact of network jitter and allow an increase
in poll intervals to well over one day with only moderate sacrifice
in accuracy. The NTPv4 design allows servers to increase the poll
intervals even when synchronized directly to the peer. In NTPv3 the
poll interval in such cases was clamped to the minimum, usually 64
s. For those servers with hundreds of clients, the new design can
dramatically reduce the network load.</p>
</li>
<li>
<p>This release includes support for the <a href=
"http://www.eecis.udel.edu/~mills/resource.htm"><i>
nanokernel</i></a> precision time kernel support, which is now in
stock Linux and FreeBSD kernels. If a precision time source such as
a GPS timing receiver or cesium clock is available, kernel
timekeeping can be improved to the order of less than one microsecond.
The older precision time kernel for the Alpha continues to be
supported.</p>
</li>
<li>
<p>This release includes support for Autokey public-key
cryptography, which is the preferred scheme for authenticating
servers to clients. It uses NTP header extension fields documented
in: Mills, D.L. Public-Key cryptography for the Network Time
Protocol. Internet Draft draft-ietf-stime-ntpauth-00.txt,
University of Delaware, June 2000, 36 pp. <a href=
"http://www.eecis.udel.edu/~mills/database/memos/draft-ietf-stime-ntpauth-00.txt">
ASCII</a> and implemented in this release. The design provides for
orderly key refreshment and does not require public keys and
related media to be copied from one machine to another. Specific
information about Autokey cryptography is contained in the <a href=
"authopt.htm">Authentication Options</a> page and links from
there.</p>
</li>
<li>
<p>NTPv4 includes two new association modes which in most
applications can avoid per-host configuration altogether. Both of
these are based on IP multicast technology and Autokey
cryptography. They provide for automatic discovery and
configuration of servers and clients without identifying servers or
clients in advance. In multicast mode a server sends a message at
fixed intervals using specified multicast group addresses, while
clients listen on these addresses. Upon receiving the message, a
client exchanges several messages with the server in order to
calibrate the multicast propagation delay between the client and
server. In manycast mode a client sends a message to a specified
multicast group address and expects one or more servers to reply.
Using engineered algorithms, the client selects an appropriate
subset of servers from the messages received and continues in
ordinary client/server operation. The manycast scheme can provide
somewhat better accuracy than the multicast scheme at the price of
additional network overhead. See the <a href="assoc.htm">
Association Management</a> page for further information.</p>
</li>
<li>
<p>There are two burst mode features available where special
conditions apply. One of these is enabled by the <tt>iburst</tt>
keyword in the <tt>server</tt> configuration command. It is
intended for cases where it is important to set the clock quickly
when an association is first mobilized. The other is enabled by the
<tt>burst</tt> keyword in the <tt>server</tt> configuration
command. It is intended for cases where the network attachment
requires an initial calling or training procedure. See the <a href=
"assoc.htm">Association Management</a> page for further
information.</p>
</li>
<li>
<p>The reference clock driver interface is smaller, more rational
and more accurate. Support for pulse-per-second (PPS) signals has
been extended to all drivers as an intrinsic function. Most of the
drivers in NTPv3 have been converted to this interface, but some,
including the PARSE subinterface, have yet to be overhauled. New
drivers have been added for several GPS receivers now on the market
for a total of 39 drivers. Drivers for the Canadian standard time
and frequency station CHU, the US standard time and frequency
stations WWV/H and for IRIG signals have been updated and
capabilities added to allow direct connection of these signals to
the Sun audio port <tt>/dev/audio</tt>.</p>
</li>
<li>
<p>In all except a very few cases, all timing intervals are
randomized, so that the tendency for NTPv3 to self-synchronize and
bunch messages, especially with a large number of configured
associations, is minimized.</p>
</li>
<li>
<p>In NTPv3 a large number of weeds and useless code had grown over
the years since the original NTPv1 code was implemented almost
twenty years ago. Using a powerful weedwacker, much of the
shrubbery has been removed, with the effect of a substantial reduction in
size of almost 40 percent.</p>
</li>
<li>
<p>The entire distribution has been converted to GNU <tt>
automake</tt>, which should greatly ease the task of porting to new
and different programming environments, as well as reduce the
incidence of bugs due to improper handling of idiosyncratic kernel
functions.</p>
</li>
</ol>
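<p>The following C sketch is an added example, not code from the NTP
distribution; it illustrates item 1 above by taking the difference of
two raw 64-bit timestamps in fixed point before converting to floating
double, next to the lossy order that converts first. The names
<tt>ntp_ts</tt>, <tt>ntp_make</tt>, <tt>diff_fixed_first</tt> and
<tt>diff_double_first</tt> and the sample timestamps are assumptions
made for the illustration.</p>

```c
/* Added example: why raw NTP timestamps are subtracted in fixed point
 * before conversion to double. Names are illustrative, not ntpd's own. */
#include <stdint.h>
#include <stdio.h>

/* 32-bit seconds since 1900 in the high word, 32-bit fraction in the low. */
typedef uint64_t ntp_ts;

#define FRAC_PER_SEC 4294967296.0   /* 2^32 fraction units per second */

static ntp_ts ntp_make(uint32_t sec, uint32_t frac)
{
    return ((uint64_t)sec << 32) | frac;
}

/* Subtract in fixed point, then convert the small signed difference.
 * Modular 64-bit subtraction keeps the sign correct when a < b. */
double diff_fixed_first(ntp_ts a, ntp_ts b)
{
    int64_t d = (int64_t)(a - b);
    return (double)d / FRAC_PER_SEC;   /* division by 2^32 is exact */
}

/* Lossy order: convert each raw timestamp first. A double carries a 53-bit
 * significand, so once the top seconds bit is set (dates from 1968 on) the
 * low 11 bits of the 64-bit timestamp are rounded away. */
double diff_double_first(ntp_ts a, ntp_ts b)
{
    return (double)a / FRAC_PER_SEC - (double)b / FRAC_PER_SEC;
}

int main(void)
{
    /* Constructed sample: two timestamps in 2001, three fraction units apart. */
    ntp_ts t1 = ntp_make(3197000000u, 1u);
    ntp_ts t2 = ntp_make(3197000000u, 4u);

    printf("fixed first : %.3e s\n", diff_fixed_first(t2, t1));
    printf("double first: %.3e s\n", diff_double_first(t2, t1));
    printf("reversed    : %.3e s\n", diff_fixed_first(t1, t2));
    return 0;
}
```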
<h4>Nasty Surprises</h4>
<p>There are a few things different about this release that have
changed since the latest NTP Version 3 release. Following are a few
things to worry about:</p>
<ol>
<li>
<p>As required by Defense Trade Regulations (DTR), the
cryptographic routines supporting the Data Encryption Standard
(DES) have been removed from the base distribution. These routines
are readily available in most countries from RSA Laboratories.
Directions for their use are in the <a href="build.htm">Building
and Installing the Distribution</a> page.</p>
</li>
<li>
<p>As the result of the above, the <tt>./authstuff</tt> directory,
intended as a development and testing aid for porting cryptographic
routines to exotic architectures, has been removed. Developers
should note the NTP authentication routines use the interface
defined in the <tt>rsaref2.0</tt> package available from RSA
Laboratories.</p>
</li>
<li>
<p>The enable and disable commands have a few changes in their
arguments; see the <tt>ntpd</tt> <a href="confopt.htm">Configuration
Options</a> page for details. Note that the <tt>authenticate</tt>
command has been removed.</p>
</li>
<li>
<p>The <tt>ppsclock</tt> line discipline/streams module is no
longer supported. This function is now handled by the <a href=
"driver22.htm">PPS Clock Discipline</a> driver, which uses the new
PPSAPI application program interface proposed by the IETF. Note
that the <tt>pps</tt> configuration file command has been obsoleted
by the driver. See the <a href="pps.htm">Pulse-per-second (PPS)
Signal Interfacing</a> page for further information.</p>
</li>
<li>
<p>Several new options have been added for the <tt>ntpd</tt>
command line. For the inveterate knob twiddlers several of the more
important performance variables can be changed to fit actual or
perceived special conditions. It is possible to operate the daemon
in a one-time mode similar to <tt>ntpdate</tt>, which program is
headed for retirement. See the <a href="ntpd.htm"><tt>ntpd</tt> -
Network Time Protocol (NTP) daemon</a> page for the new
features.</p>
</li>
<li>
<p>To help reduce the level of spurious network traffic due to
obsolete configuration files, a special control message called the
kiss-of-death packet has been implemented. If enabled and a packet
is denied service or exceeds the client limit, a compliant server
will send this message to the client. A compliant client will cease
further transmission and send a message to the system log. See the
<a href="accopt.htm">Authentication Options</a> page for further
information.</p>
</li>
<li>
<p>An experimental filter algorithm called huff-n'-puff has been
implemented to reduce errors under conditions of severe asymmetric
delays characteristic of <tt>ppp</tt> connections with telephone
modems and downloading or uploading considerable traffic. See the
<a href="ntpd.htm">ntpd - Network Time Protocol (NTP) daemon</a>
page for further information.</p>
</li>
</ol>
<h4>Caveats</h4>
<p>This release has been compiled and tested on several systems,
including SunOS 4.1.3, Solaris 2.5.1-2.8, Alpha 4.0, Ultrix 4.4,
Linux, FreeBSD and HP-UX 10.02. It has been compiled and tested on
Windows NT, but not yet on any other Windows version or for VMS. We
are relying on the NTP volunteer corps to do that. Known problems
are summarized below:</p>
<ol>
<li>
<p>The latest NTPv4 <tt>ntpdc</tt> does not work with previous
versions of <tt>ntpd</tt> and previous versions of <tt>ntpdc</tt>
do not work with the latest <tt>ntpd</tt>. This situation is
regrettable and may be fixed in the future; however, it is necessary in
order for the autokey function to retrieve canonical names and
certificates from directory services such as Secure DNS.</p>
</li>
<li>
<p>The precision time support in stock Solaris 2.6 has bugs that
were fixed in 2.7. A patch is available that fixes the 2.6 bugs.
The 2.6 kernel discipline has been disabled by default. For
testing, the kernel can be enabled using the <tt>enable kernel</tt>
command either in the configuration file or via <tt>ntpdc</tt>.</p>
</li>
<li>
<p>The HTML documentation has been partially updated. However, most
of the NTPv3 documentation continues to apply to NTPv4. Until the
update happens, what you see is what you get. We are always happy
to accept comments, corrections and bug reports. However, we are
most thrilled upon receipt of patches to fix the dang bugs.</p>
</li>
</ol>
<hr>
<a href="index.htm"><img align="left" src="pic/home.gif" alt=
"gif"></a>
<address><a href="mailto:mills@udel.edu">David L. Mills
&lt;mills@udel.edu&gt;</a></address>
</body>
</html>