NTP Help

networkricky
Level 1

Hi All,

It would be really helpful if you could clarify which is best practice and why:

public time server vs. building your own time server

Thanks

28 Replies

Calculating NTP server load

NTP/SNTP is "cheap", meaning it is not chatty, nor are the packet sizes big.

The size of the NTP packet can vary depending on some things such as whether authentication data is included or not. So it is difficult to say exactly what size your packets are since we do not know the details of how your clients and servers are configured. But some generalizations are possible.

My reading of RFC 1305 (NTPv3) indicates that the data payload of NTP is about 60 bytes (then add headers for UDP and IP). I found one source that indicates that typical size is 68.

You also need to factor in that the poll interval will vary and gets longer between polls as the relationship between client and server becomes more stable.

So it is difficult to come up with specific measures of the load of NTP. But I certainly agree with the assessment from Leo that the amount of bandwidth used for NTP is pretty small.

HTH

Rick

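To put numbers on the sizing discussion above, here is an added example (not code from the thread or from any poster) that builds an NTP client request, appends the symmetric-key MD5 authenticator, and works out steady-state server load for a fleet of clients. The 48-byte header layout and the MD5 MAC construction (MD5 over the key bytes followed by the header, prefixed by a 4-byte key id) follow RFC 1305 / RFC 5905; RFC 1305's original DES-CBC authenticator is 12 bytes, which is the figure Rick quotes, while the MD5 authenticator that IOS's `ntp authentication-key ... md5` uses is 20 bytes. The client counts, poll intervals, key and key id are constructed for illustration.

```python
"""NTP packet size, MD5 authenticator, and fleet bandwidth (added example)."""
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48            # fixed header, RFC 1305 / RFC 5905
NTP_MD5_MAC_LEN = 4 + 16       # 32-bit key id + 16-byte MD5 digest
UDP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def unix_to_ntp_timestamp(unix_time):
    """Convert a Unix float time to a 64-bit NTP timestamp (32.32 fixed point)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return (seconds << 32) | fraction


def build_ntp_request(version=4, transmit_unix_time=None):
    """Return a 48-byte NTP client request (mode 3) with the transmit timestamp set."""
    if transmit_unix_time is None:
        transmit_unix_time = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | 3  # LI=0, VN=version, mode 3 = client
    return struct.pack(
        "!BBBbII4sQQQQ",
        li_vn_mode,
        0,             # stratum 0: unspecified (it is a client)
        6,             # poll exponent: 2^6 = 64 s
        -20,           # precision exponent: 2^-20 s
        0,             # root delay
        0,             # root dispersion
        b"\x00" * 4,   # reference id
        0, 0, 0,       # reference, origin and receive timestamps
        unix_to_ntp_timestamp(transmit_unix_time),
    )


def ntp_md5_mac(key, header):
    """RFC 5905 symmetric-key MAC: MD5 over the key bytes followed by the 48-byte header."""
    return hashlib.md5(key + header).digest()


def authenticate(header, key_id, key):
    """Append key id + digest: 48 + 20 = 68 bytes of NTP payload."""
    return header + struct.pack("!I", key_id) + ntp_md5_mac(key, header)


def verify(packet, keys, trusted_key_ids):
    """Accept a packet only if its MAC validates under a key that is both configured
    and trusted (the role 'ntp trusted-key' plays on IOS). Constant-time compare."""
    if len(packet) != NTP_HEADER_LEN + NTP_MD5_MAC_LEN:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    if key_id not in trusted_key_ids or key_id not in keys:
        return False
    expected = ntp_md5_mac(keys[key_id], header)
    return hmac.compare_digest(expected, packet[NTP_HEADER_LEN + 4:])


def wire_bytes(ntp_len):
    """NTP payload plus UDP and IPv4 headers (link-layer framing not counted)."""
    return ntp_len + UDP_HEADER_LEN + IPV4_HEADER_LEN


def fleet_bandwidth_bps(clients, poll_seconds, authenticated=False):
    """Steady-state bits/s seen by the server for `clients` clients that each poll
    every `poll_seconds` (one request plus one response per poll)."""
    ntp_len = NTP_HEADER_LEN + (NTP_MD5_MAC_LEN if authenticated else 0)
    return clients * 2 * wire_bytes(ntp_len) * 8 / poll_seconds


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; never reuse a key from an example
    req = build_ntp_request()
    signed = authenticate(req, key_id=1, key=key)
    print("payload bytes: plain", len(req), "authenticated", len(signed))
    print("verifies:", verify(signed, {1: key}, {1}))
    for poll in (64, 1024):   # ntpd walks the poll interval up as the peer stabilises
        print(f"1000 clients @ {poll}s: {fleet_bandwidth_bps(1000, poll):.0f} bps plain,"
              f" {fleet_bandwidth_bps(1000, poll, True):.0f} bps authenticated")
```

A thousand clients polling every 64 seconds cost the server about 19 kbit/s unauthenticated and 24 kbit/s with MD5, and both numbers drop sixteen-fold once the clients settle at a 1024-second poll; this is why the load is described as negligible. Note that MD5 here is a keyed MAC, not a signature, so anyone holding the shared key can forge responses, and the check in `verify` only helps if the key id is also in the trusted set.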

Thanks Leo and Richard for your replies.

So, I take it: a normal NTP packet is around 60 bytes without UDP and IP headers.

What about the authenticated packet header size?

And if I am configuring NTP on a device which uses the public Internet to access the NTP server, what types of security issues will be involved (I believe spoofing is one of them) and how do I prevent them?

Do we have any more methods other than authentication?

Thanks for your help

I believe that using authentication adds 12 bytes to the packet size.

If you are using NTP learned from a server in the Internet then you may need to permit that traffic through your firewall. If you are concerned about the security aspects of it you can permit only NTP packets and only from that specific host. If you are really concerned about the security aspects of using NTP from the Internet then perhaps you should look into obtaining an NTP source that you can run inside your network and control the security aspects of using NTP.

HTH

Rick


Hello Richard,

If I have a device in my home but no firewall, how do I protect it?

I guess we can run authentication (which might increase overhead) and use a server that supports authenticated packets, right?

And also, what if I am not using a dedicated IP address for the NTP server but using a pool name like pool.ntp.org?

I do not believe that it changes very much if you use the name pool.ntp.org rather than specific IP addresses. When I just checked that name resolves with 4 addresses. So if you are building a filter to protect NTP then you put multiple permits for the multiple addresses.

If you have a connection to the Internet and do not have a firewall then what do you do to protect your network from the various bad things coming from the Internet. Whatever you are doing to control them might be the model of how you can protect NTP. And I would say that if you have no firewall then the potential weakness of NTP spoofing is not near the top of things that you need to worry about.

HTH

Rick


I have a device in my home (PC/iPod/set-top box) which uses AT&T Internet and I want to synchronize the time using an NTP public server. How is it secured?

If the time is messed up with the STB, then the time displayed on the TV and also recordings of TV shows would be an issue. I am trying to understand the security issues involved.

Thanks for your help

The security issues are extremely minimal in what you describe. You are configuring your device to send an NTP poll to a server that you trust. The server is going to send a response to you. That is pretty safe.

If you are concerned that a single NTP server might be compromised then there is an alternative which is to use multiple NTP servers. You get multiple responses (which should all reflect pretty much the same time). If one server diverges from the other servers then you do not use the output from that server.

HTH

Rick


Thanks Richard.

I have a question about jitter calculation. How is it calculated, and do we have better control of jitter with a private NTP architecture, and how?

Thanks for your help

NTP isn't chatty.  You can set how often a device goes out to get sync.  Computing jitter for S/NTP wouldn't make any difference.

For SNTP/NTP, what I'd do is get the basics first.  Make sure your device is able to get synchronized to a valid SNTP/NTP clock source before you add your authentication and/or encryption on top.

I am not qualified to speak to the details of the calculation of jitter. In general the calculation looks at the timings of requests and responses, determines the average (or expected) response time, and jitter represents the variability of actual response times compared to the expected timings.

It would be logical to assume that if your NTP source/server is inside your own network that you would be better able to control jitter. This is based on the assumption that if you care about it that you can configure QoS within your network to control jitter, but if you are going to the Internet for NTP server then you can not control the traffic going through the Internet.

HTH

Rick

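Two of Rick's answers above can be made concrete in one piece of code: the suggestion to poll several servers and discard the one that diverges, and the rough description of jitter. The following is an added example, not code from the thread. The offset and delay formulas and the clock-filter jitter (RMS distance of the other samples' offsets from the lowest-delay sample) follow RFC 5905; the falseticker check is a deliberate simplification (majority by median, not RFC 5905's full intersection algorithm), and the server names and timestamp samples are constructed.

```python
"""Offset/delay from one NTP exchange, clock-filter jitter, and dropping a
server that disagrees with the rest (added example, constructed data)."""
import math


def offset_and_delay(t1, t2, t3, t4):
    """Client-side clock offset and round-trip delay for one request/response.
    t1 client transmit, t2 server receive, t3 server transmit, t4 client receive."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def clock_filter(samples):
    """samples: list of (offset, delay) from recent polls of one server.
    As in the RFC 5905 clock filter, the lowest-delay sample is trusted most;
    jitter is the RMS of the differences between its offset and the others'."""
    ordered = sorted(samples, key=lambda s: s[1])
    theta0, delta0 = ordered[0]
    others = ordered[1:]
    if not others:
        return theta0, delta0, 0.0
    jitter = math.sqrt(sum((theta0 - theta) ** 2 for theta, _ in others) / len(others))
    return theta0, delta0, jitter


def select_truechimers(filtered):
    """filtered: {server: (offset, delay, jitter)}. Simplified falseticker
    rejection (NOT RFC 5905's intersection algorithm): a server survives only
    if its correctness interval [offset - delay/2, offset + delay/2] contains
    the median offset of all servers. Returns (survivors, rejected)."""
    if not filtered:
        return [], []
    offsets = sorted(o for o, _, _ in filtered.values())
    mid = len(offsets) // 2
    median = offsets[mid] if len(offsets) % 2 else (offsets[mid - 1] + offsets[mid]) / 2
    keep, drop = [], []
    for name, (offset, delay, _) in filtered.items():
        half = delay / 2
        (keep if offset - half <= median <= offset + half else drop).append(name)
    return keep, drop


# Constructed samples: (offset, delay) in seconds over four polls per server.
# "bogus" answers quickly but is about 30 s wrong, the single-bad-server case.
SAMPLES = {
    "ntp-a": [(0.0012, 0.020), (0.0010, 0.018), (0.0015, 0.025), (0.0011, 0.019)],
    "ntp-b": [(0.0008, 0.030), (0.0009, 0.028), (0.0020, 0.060), (0.0007, 0.027)],
    "ntp-c": [(-0.0005, 0.040), (-0.0004, 0.042), (-0.0006, 0.039), (-0.0003, 0.041)],
    "bogus": [(31.5, 0.010), (31.6, 0.012), (31.4, 0.011), (31.5, 0.010)],
}


def run_selection(samples=SAMPLES):
    """Filter each server, then reject the outlier. Returns (filtered, keep, drop)."""
    filtered = {name: clock_filter(s) for name, s in samples.items()}
    keep, drop = select_truechimers(filtered)
    return filtered, keep, drop


if __name__ == "__main__":
    # One exchange, constructed: server clock is ahead of the client by 0.125 s.
    print("single exchange offset, delay:", offset_and_delay(0.0, 0.5, 0.75, 1.0))
    filtered, keep, drop = run_selection()
    for name, (offset, delay, jitter) in filtered.items():
        print(f"{name:6s} offset={offset:+.4f}s delay={delay:.3f}s jitter={jitter:.6f}s")
    print("survivors:", keep, "rejected:", drop)
```

Jitter here is a statistic of the offsets, not of raw network delay, which is why a server reached over a path with variable queueing (ntp-b, whose third sample took twice as long) shows higher jitter even though its clock is fine. Inside your own network you can bound that variability with QoS; across the Internet you cannot, but the filter still picks the best sample and the selection step still discards a server whose time is simply wrong.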

I'm not sure how it's done in States, but ISPs here normally have their own (S)NTP servers.  So you do not need to go all the way out.  Just point to your ISP's SNTP/NTP server (if available). 

Hi,

To secure your NTP traffic, it is recommended that you implement NTP version 3 (RFC 1305).

You could use NTP access control (the "ntp access-group" command) and/or use authentication, using the following commands on both your NTP master and the NTP client:

ntp authenticate

ntp authentication-key <key-id> md5 <key-string>

ntp trusted-key <key-id>