NTPSec, opinions?


I just noticed https://www.ntpsec.org/, and their goals look OK to me. Is anybody using their software on pool servers already?


Hadn’t heard of them previously but the idea of reducing attack surfaces and removing cruft is definitely a good one. Next time I’m adding or changing servers I’ll consider the option as an alternative.


I am, on 3 servers in the pool. One of them is Stratum 1, the other two are Stratum 2.

Works well.


Yes I use NTPSec, on both my Stratum-0 and Stratum-1. Functionally compatible to the base NTP daemon, and I like the included utilities for monitoring server performance and incoming queries.


I’m now using it on a stratum 1 and stratum 2 server. Looking good!


Has anyone given it a try under load, is it multi-threaded?

I’m interested in how it might perform at say 50,000 queries per second.


Earlier I have heard that ntpd development is lacking personnel. Why don’t those who behind ntpsec just join the original ntpd team and possibly take over the development?


Hello Alica. I’m the PM for the NTPsec Project. The relationship between NTPsec and the NTF is complex. We collaborate were we can, but we have no plans to “take over” the NTF.


So far, all I had to do is to build with refclocks and docs (since I like manpages):

./waf configure --refclock=generic,shm,pps,local --enable-doc
./waf build
./waf install

After that everything was functional; I then changed the reflock definition from:

server minpoll 4 maxpoll 4 iburst
fudge time1 0.001 refid shm0


refclock shm prefer minpoll 0 maxpoll 4

Still fiddling with new stuff to add, like statistics…


Do you have examples on how to set up the statistics stuff?


I looked into NTPsec too. Seems really nice from an admin perspective. I do however currently just lazily use the default ubuntu/debian provided daemons and just go with the flow. And i suspect that as long as the bigger distro’s have such low entry barrier I suspect i’m not the only one sticking with what they know :wink:


I don’t believe any of the open source NTP implementations are multi-threaded. Meinberg has a clever software solution to use multiple CPU cores in their SyncFire 1100.

They also have network cards that can do NTP “in hardware” for their IMS platform.


The appliance route can be expensive when compared to running VMs, however as you’ve noted there doesn’t yet seem to be any multithreaded NTP server implementations around.

I’ve had some success with running NTP in docker containers as a way of scaling out to use multiple cores on a box, however this assumes you are ok with using multiple IP’s to load balance the inbound requests.

Next up is to try running a load balancer to try scale NTP compute horizontally but behind the one IP.


Please check out: man ntpviz

My setup (I am running multiple Stratum 0 in the pool with ntpsec, git checkouts weekly:

logfile /var/www/html/ntp/ntpd.log
logconfig =syncall +clockall +peerall +sysall

statsdir /var/www/html/ntp/
filegen loopstats  type day link
filegen peerstats  type day link
filegen protostats type day link
filegen rawstats   type day link
filegen sysstats   type day link
filegen cryptostats   type day link

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
statistics loopstats peerstats clockstats

Then run ntpviz, passing it the /var/www/html/ntp directory