
Configuring Global NTP Settings

To enable the NTP service on on-prem hosts, configure the global NTP service. All global NTP settings are inherited by on-prem hosts that have the NTP service enabled.

  • The NTP service supports only IPv4 networks.
  • The NTP service does not support the following deployment types of on-prem hosts: NIOS/CNIOS and bare-metal.

To configure the global NTP service for on-prem hosts, do the following:

  1. In the Cloud Services Portal, click Manage > NTP.
  2. On the Global NTP Service page, do the following:
    • UPSTREAM: In this section, configure external NTP servers with which on-prem hosts synchronize time. Click Add External NTP Servers, and specify the following in the table:
      • SERVER ADDRESS: Enter the IP address or the FQDN of the NTP server you want to use as the upstream NTP server.
      • AUTHENTICATION: To enable authentication for the NTP server, toggle the switch to Enabled (green). The default is Disabled.
      • AUTHENTICATION KEY: If you enable authentication for the NTP server, enter the trusted key here.
      • TYPE: If you enable authentication for the NTP server, select MD5 from the drop-down list. At this time, BloxOne supports only MD5 hashing as the cryptographic protocol for authentication.
      • POOL: Select this checkbox to add this NTP server to the pool of NTP servers. When you select this option, you can specify a pool of servers with which you can synchronize time.
      • BURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is reachable and a valid source of synchronization is available. The NTP client transmits each packet every two seconds. When you clear this checkbox, the client sends a single packet to the server only once. A burst is used to accurately measure jitter with long-poll intervals.
      • IBURST: Select this checkbox to configure the NTP client to send a burst of eight packets if the external NTP server is not reachable when the client sends the first packet to the server. The NTP client transmits each packet every two seconds. If an NTP server is not responsive, the NTP client in IBURST mode continues to send frequent queries until the server responds and time synchronization starts. When you deselect this checkbox, the client sends a single packet to the server only once.
      • PREFERRED: Select this checkbox to mark this external NTP server as the preferred NTP server. You can select only one server as the preferred NTP server.
    • DOWNSTREAM: In this section, add trusted client keys to downstream NTP servers, if applicable. Click Add key and specify the following:
      • TYPE: Select MD5 from the drop-down list. At this time, BloxOne supports only MD5 hashing as the cryptographic protocol for authentication.
      • KEY: Enter the trusted key here.
    • ACCESS CONTROL & RATE MANAGEMENT: In this section, configure access control for the NTP service by enabling rate limiting and KOD (Kiss-O'-Death). The NTP access control list (ACL) specifies which clients can use an on-prem host as an NTP server. If you do not configure access control, then BloxOne allows access to all clients. You can configure access control globally and override it for specific on-prem hosts.
      You can use one or more existing ACLs to control which clients can use the NTP service. After specifying UPSTREAM or DOWNSTREAM, click Add ACL and specify the following in the table:
      • ACL NAME: Only the default ACL is currently supported. This ACL includes all clients.
      • RATE LIMIT STATUS: To enable rate limiting for the NTP service, toggle the switch to Enabled (green). When rate limiting is enabled, the system does not respond to time service requests if the packet violates the default values for rate limiting. The default is Disabled.
      • KOD STATUS: If you enable rate limiting, toggle the switch to Enabled (green) to send the KOD packet and to reduce the number of unwanted queries. The default is Disabled.

        The KOD packet contains the stratum field set to zero and the ASCII string (in the Reference Source Identifier field) set to RATE. This indicates that the packets sent by the client have been dropped by the server.

        When you select the KOD STATUS checkbox, the NTP service sends a KOD packet to the NTP client if the client has exceeded the rate limit. When you clear the checkbox, the NTP service drops the packets but does not send any KOD packet to the client.

    • INTER PACKET SPACING SECONDS: If you have enabled rate limiting for the ACL, you can override the default values of inter-packet gap intervals. An inter-packet gap is a pause (measured in seconds) required between NTP packets. 
      • Average: Specify the minimum average time for an inter-packet pause between two NTP packets. The default is 3.
      • Minimum: Specify the minimum time for an inter-packet pause between two NTP packets. The default is 1.
      • Monitor: Specify the time (in seconds) for the discard probability for packets once the permitted rate limits have been exceeded. The default is 3000. This option is intended for NTP servers that receive 1000 or more requests per second.
  3. Click Save & Close.
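
The KOD STATUS description above says a KOD packet has the stratum field set to zero and the string RATE in the reference identifier field. The following added example (not part of the BloxOne documentation or product code) shows how a client or a monitoring script can recognize such a reply by parsing the fixed 48-byte NTP header defined in RFC 5905. The function names and sample packets are constructed for illustration.

```python
import struct
from typing import Optional

NTP_HEADER_LEN = 48   # fixed NTP header length (RFC 5905)
MODE_SERVER = 4       # mode value used in server replies


def build_reply(stratum: int, refid: bytes, leap: int = 0, version: int = 4) -> bytes:
    """Construct a sample server-mode NTP header with zeroed timestamps."""
    first = (leap << 6) | (version << 3) | MODE_SERVER
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID
    head = struct.pack("!BBbbII4s", first, stratum, 6, -20, 0, 0, refid)
    return head + bytes(NTP_HEADER_LEN - len(head))


def kiss_code(packet: bytes) -> Optional[str]:
    """Return the kiss code of a Kiss-o'-Death reply, or None for any other packet."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the NTP header")
    mode = packet[0] & 0x07
    stratum = packet[1]
    if mode != MODE_SERVER or stratum != 0:
        return None
    # With stratum 0 the reference ID holds a short ASCII code, zero padded
    refid = packet[12:16].rstrip(b"\x00")
    if not refid or not all(0x20 <= b < 0x7F for b in refid):
        return None
    return refid.decode("ascii")


def client_action(packet: bytes) -> str:
    """Map a reply to the client behaviour RFC 5905 expects."""
    code = kiss_code(packet)
    if code is None:
        return "process"    # ordinary reply, handle as time data
    if code == "RATE":
        return "back-off"   # rate limit exceeded: lengthen the poll interval
    if code in ("DENY", "RSTR"):
        return "stop"       # access refused: stop querying this server
    return "ignore"         # other kiss codes carry no time data


# Constructed sample packets
KOD_RATE = build_reply(stratum=0, refid=b"RATE", leap=3)
NORMAL = build_reply(stratum=2, refid=bytes([192, 0, 2, 1]))
```

A client that keeps polling at the same interval after receiving RATE will continue to have its packets dropped, so seeing repeated RATE replies in a capture is a sign the client's poll interval is below the configured inter-packet spacing.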

For more information, see NTP Service.