What Network Time Protocol Is and Why You Should Care

If you manage a network and haven’t considered synchronizing your devices with NTP, this article is for you. Logs, BGP sessions, RADIUS accounting, DHCP leases, syslog, NetFlow, security alerts: every one of them depends on accurate time. Network Time Protocol, usually called NTP, is the protocol that keeps clocks in sync across IP networks. It runs over UDP port 123.

What NTP Actually Does

NTP synchronizes system clocks to a reference time source. That source can be:

  • A GPS receiver
  • An atomic clock
  • A national time service
  • Another NTP server

NTP does not just “set the clock.” It continuously measures delay and jitter between client and server. It calculates offset. It disciplines the local clock so it stays aligned over time. That matters because crystal oscillators drift. All of them.

Stratum Explained

NTP uses a hierarchy called “stratum.”

  • Stratum 0 – Physical reference clocks. GPS, atomic clocks.
  • Stratum 1 – Servers directly connected to Stratum 0 sources.
  • Stratum 2 – Servers synchronized to Stratum 1.
  • Stratum 3+ – Further downstream layers.

A lower stratum number doesn’t mean better performance. It just means fewer steps from the main reference. What really matters is stability, latency, and path quality.

In an ISP network, you often see:

  • Core routers pointing to internal Stratum 1 or 2 servers
  • Access devices pointing to internal aggregation NTP servers
  • Nothing pointing directly to the public pool from customer-facing gear

If your access network depends on random public NTP servers, you are outsourcing a critical control plane function to the internet.

Why NTP Matters in Real Networks

1. Log Correlation

When a BGP flap happens at 14:03:22 and your firewall log shows a spike at 14:03:22, that only works if both devices agree on what 14:03:22 means. If one device is off by 90 seconds, or worse yet, defaulted to the factory set date and time.

2. Security

Certificates rely on valid time windows. If your clock drifts too far:

  • TLS handshakes fail
  • APIs break
  • RPKI validation can fail
  • Kerberos authentication can implode

3. Distributed Systems

Any clustered or replicated system depends on accurate time—databases, hypervisors, and container platforms included. If you’re connecting AI or large-scale workloads, precise time alignment is even more important.

NTP vs SNTP vs PTP

You will see related acronyms.

SNTP is a simplified version of NTP. It does basic synchronization but skips advanced filtering and selection logic. It is fine for low-impact devices. It is not what you want for core infrastructure.

PTP, defined by IEEE 1588, is a different protocol. It offers sub-microsecond accuracy and is used in:

  • Financial trading
  • Mobile backhaul
  • Power grid systems

If you only need reliable logs and stable routing, NTP is enough. For phase alignment in 5G, you’ll need something more advanced.

How NTP Actually Picks a Time Source

NTP does not blindly trust the first server that answers. It does the following:

  1. Queries multiple servers
  2. Measures round-trip delay
  3. Calculates offset
  4. Filters outliers
  5. Selects the best candidates
  6. Combines them

This protects you from problems caused by a single bad server or an uneven network path. That is also why best practice is to configure at least three upstream servers. One is risky. Two can deadlock. Three or more gives you a tiebreaker.
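
The selection steps above, as an added Python example that is not from the original article and is not ntpd's actual algorithm: a simplified majority-overlap check built on the standard NTP offset and delay formulas. The server names and timestamps are constructed, and the inverse-delay weighting is an assumption made for illustration.

```python
# Added example: simplified NTP-style source selection, not ntpd's actual code.
from dataclasses import dataclass

@dataclass
class Sample:
    server: str
    t1: float  # request sent      (client clock)
    t2: float  # request received  (server clock)
    t3: float  # reply sent        (server clock)
    t4: float  # reply received    (client clock)

    @property
    def offset(self):  # how far the server clock is ahead of the client
        return ((self.t2 - self.t1) + (self.t3 - self.t4)) / 2

    @property
    def delay(self):   # round trip minus server processing time
        return (self.t4 - self.t1) - (self.t3 - self.t2)

def select(samples):
    """Return (agreeing servers, rejected servers, combined offset or None)."""
    # For an honest server the true offset lies within offset +/- delay/2.
    spans = {s.server: (s.offset - s.delay / 2, s.offset + s.delay / 2)
             for s in samples}
    best = []
    for lo, _ in spans.values():  # maximum overlap always occurs at a lower edge
        group = [n for n, (a, b) in spans.items() if a <= lo <= b]
        if len(group) > len(best):
            best = group
    if len(best) * 2 <= len(samples):  # no strict majority agrees: refuse to pick
        return [], [s.server for s in samples], None
    rejected = [s.server for s in samples if s.server not in best]
    good = [s for s in samples if s.server in best]
    weight = sum(1 / s.delay for s in good)  # assumption: favour low-delay paths
    return best, rejected, sum(s.offset / s.delay for s in good) / weight

# Constructed samples: the client is 0.250 s slow; ntp-c is a bad server 90 s off.
A = Sample("ntp-a", 100.000, 100.260, 100.261, 100.021)
B = Sample("ntp-b", 100.000, 100.260, 100.261, 100.025)
C = Sample("ntp-c", 100.000, 190.260, 190.261, 100.021)

if __name__ == "__main__":
    for label, group in (("one", [C]), ("two", [A, C]), ("three", [A, B, C])):
        print(label, select(group))
```

With only ntp-c configured the 90-second error is accepted unchallenged, with ntp-a and ntp-c there is no majority and no offset is returned, and with all three ntp-c is rejected.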

Best Practices for ISP and Enterprise Networks

If you manage infrastructure, treat time as you would DNS—make it both critical and redundant.

  • Deploy at least two internal NTP servers
  • Back them with GPS or diverse upstream sources
  • Point core and edge devices to internal servers
  • Restrict NTP queries from the public internet
  • Disable NTP control queries if not needed

Whether you use MikroTik, Cisco, Juniper, or Linux, the approach is the same: use internal authoritative time, point downstream clients at it, and avoid public exposure unless you’re running a public service. Also, monitor it. If your NTP offset changes suddenly, that’s a warning sign of an attack.


A Quick Word on NTP Amplification Attacks

Older NTP configurations exposed “monlist” queries. Attackers abused that for reflection attacks. Modern NTP versions disable that by default. Still, don’t leave UDP/123 open to the world unless you’re intentionally running a public time server.
