New Offender Using NTP-Pool without Vendorzone: Vodafone Germany

Hi,

I am tasked with configuring a Firewall for a Vodafone Phone System. I noticed, that for time, Vodafone is simply using the Pool, without Vendorzone, by simply CNAMEing to the DE Pool.

dig bntp.one.vodafone-ip.de
[…]
;; ANSWER SECTION:
bntp.one.vodafone-ip.de. 43200 IN CNAME 0.de.pool.ntp.org.
0.de.pool.ntp.org. 27 IN A 162.159.200.1
0.de.pool.ntp.org. 27 IN A 5.199.135.170
0.de.pool.ntp.org. 27 IN A 82.100.248.10
0.de.pool.ntp.org. 27 IN A 81.169.199.94
[…]

Does anyone have a proper Contact at Vodafone, to get them to register a Vendorzone or use internal NTP Servers?

Does anyone have a proper Contact at Vodafone, to get
them to register a Vendorzone or use internal NTP Servers?

a. Feel free to contact me on (technical) matters of NTP Vodafone Germany. We have a project ongoing to create our own infrastructure in order to migrate that away. Unfortunately in large companies, that proceeds on a glacial speed. Servers are already bought and in place, the rest is still being worked on. We hope to complete the project within this calendar year.

b. In order to compensate this interim use you noted (and to learn about high load NTP) we (VF Engineering) have been running 2 server in the pool, for several years now, one of which with very high load. We currently serve a sustained load of 5-10k pool queries per second, with frequent micro-peaks jumping up into the 70k range.

Here is a view of the traffic over the last year…

ntpo1.vflab.de.ntpload

Regards, Chris

2 Likes

Glad your company is doing that. But just to provide additional perspective, that’s not a lot of load, nor probably proportional compensation. I’m just an individual running a couple of Linode VMs (that I use for other things in addition to NTP) for $30/month handling the same load as your company’s servers. I would expect a big company deploying a lot of devices configured to use the pool should be contributing back to the pool a lot more than that. But it’s better than nothing, and I know how difficult these things are to accomplish in big corporations.

that’s not a lot of load, nor probably proportional compensation.

Well, we contribute substantially more capacity than our devices consume.
Given what I know about how many devices we have out there and how they work, I am quite confident that were I to redirect all our boxes to those servers and in turn unlink those servers from the pool, I would see something like a tenth of the load I see now. To me, that seems to qualify as “full compensation”.

Furthermore, on a side note, what you see on that graphic is the result of a server set to “Net Speed 2 Mbit” in the pool admin GUI. That can not even be set in the GUI, I needed Ask’s manual intervention to get that configured when we set that server up a few years ago. I’m a bit mystified how you would claim to get substantial higher load using standard settings and can dismiss ours as “not a lot of load”.

Regards, Chris

1 Like

The (public) servers I setup with my company serve the CN pool. They receive an average traffic of ~80Mbits/s from millions of hosts. However, ou clients (if they’d ask time to the public pool) would use way less traffic. Yet we still serve the pool happily.

Everybody contributes with what they can; IMHO no need to throw the blame on anybody :slight_smile:

Ah … so, different pool w less resources overall produces more load per server. How do you deal with such sustained loads? 80 Mbits should be something like 100k qps. Is that doable with a modern ntpd?

We use chrony instead of ntpd, so can’t really help you there. I found that most of the work went into tweaking iptables/netfilter rules in order to not overload the conntrack tables (and thus drop UDP packets).
Compute wise, the servers (Xeon 4116) are living a good life (load ~1).

It is worthwhile to fully switch off connection tracking:

[root@skitty ~]# iptables -t raw -v -n -L
Chain PREROUTING (policy ACCEPT 900M packets, 69G bytes)
 pkts bytes target     prot opt in     out     source               destination
 888M   67G CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:123 CT notrack

Chain OUTPUT (policy ACCEPT 385M packets, 30G bytes)
 pkts bytes target     prot opt in     out     source               destination
 379M   29G CT         udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:123 CT notrack
[root@skitty ~]#
1 Like

Just dig a bit here in the forum :slight_smile:


If your NTP server have a multicore cpu you could take a look at rsntp (works with chrony)

Or replacing software ntp with a hardware ntp repsonder.

I have some sympathy with this. In September 2018 I put in a request for a new vendorzone for my employer. I’ve followed up a few times and hear precisely nothing. We still don’t have a vendor zone. I expect Vodafone are similarly frustrated.

I would really like to get our vendorzone registered so treat this as yet another attempt to get it sorted out.

Great, thank you!

Nice to see, that you have acknowledged the Problem and are working on a solution. Thank you for the Heads-Up!