This chapter covers Network Time Protocol (NTP), a critical technology for synchronizing clocks across network devices. On the N10-009 exam, NTP questions appear in the Network Operations domain (Objective 3.3) and typically account for about 5-8% of the exam. Understanding NTP's hierarchy, timestamp exchange, and configuration ensures you can troubleshoot time-related issues that affect authentication, logging, and security protocols. This chapter provides the depth needed to answer any NTP question on the exam.
Imagine a global company with thousands of employees working on critical projects. Everyone needs to know the exact time to coordinate meetings, deadlines, and processes. The company installs a single, ultra-precise atomic clock in the headquarters (the Stratum 0 source). This clock is so accurate it loses only one second every million years.
From this master clock, signals are sent to regional office clocks (Stratum 1 servers) via dedicated fiber lines. These regional clocks are extremely accurate but slightly less precise than the master. They then distribute time to local floor clocks (Stratum 2 clients) over the building's network. Each floor clock periodically asks the regional clock for the time and adjusts itself based on the measured network delay and offset. It's like each floor clock sends a message: 'What time is it?' and the regional clock replies, 'It's 10:00:00.000000.' The floor clock notes the time the request was sent (T1), the time the reply was received (T4), and uses the timestamps (T1, T2, T3, T4) to calculate the round-trip delay and the precise offset.
If the floor clock is off by more than a few milliseconds, it gradually slews its time (speeds up or slows down its own oscillator) to converge with the correct time. If the offset is too large (e.g., more than 1000 seconds), it will step the time immediately. The entire system forms a hierarchical tree, with each level (stratum) being one hop away from the master. The key is that each clock never trusts a single source blindly; it uses multiple sources and a sophisticated algorithm (Marzullo's algorithm) to detect faulty or falsified time sources. This prevents a single bad clock from corrupting the entire network's time.
What is NTP and Why Does It Exist?
Network Time Protocol (NTP), defined in RFC 5905, is a protocol used to synchronize the clocks of computers and network devices over a network. Accurate time is crucial for many network functions:
- Logging and Auditing: Correlating logs from multiple devices requires timestamps that agree.
- Authentication: Kerberos and other authentication protocols rely on time stamps to prevent replay attacks.
- Certificate Validation: TLS/SSL certificates have validity periods; incorrect time can cause false expiration.
- Scheduling: Cron jobs, backups, and automated tasks depend on accurate time.
- Distributed Systems: Database transactions and consensus algorithms (e.g., Paxos) require synchronized clocks.
NTP is designed to achieve accuracy within milliseconds over the public Internet and sub-millisecond accuracy on local networks. It uses a hierarchical system of time sources, with each level called a stratum.
NTP Hierarchy and Stratum Levels
NTP organizes time sources into a tree-like hierarchy. The stratum level indicates the distance from the reference clock.
Stratum 0: These are high-precision timekeeping devices such as atomic clocks, GPS clocks, or radio clocks. They are not directly connected to the network; instead, they connect to a computer that acts as the time server.
Stratum 1: These are computers whose clocks are synchronized directly to a Stratum 0 device. They act as primary time servers for the network. They are considered the most accurate time sources available on the network.
Stratum 2: These servers synchronize with one or more Stratum 1 servers. They are one hop away from the primary source. They can, in turn, serve time to Stratum 3 clients.
Stratum 3 and below: Each subsequent stratum is one hop further from the reference clock. Stratum 16 is considered unsynchronized and is not used.
The stratum level is not a measure of accuracy but of distance from the reference. A Stratum 2 server can still be very accurate if its network connection to Stratum 1 is good. The maximum allowed stratum is 15; stratum 16 indicates an unsynchronized clock.
How NTP Works: The Algorithm and Packet Exchange
NTP uses a client-server model, but it also supports symmetric peering and broadcast modes. The core algorithm involves exchanging timestamps between the client and server.
#### Four Timestamps
The NTP protocol uses four timestamps to calculate the offset and delay:
- T1: The time the client sends the request packet (originate timestamp).
- T2: The time the server receives the request packet (receive timestamp).
- T3: The time the server sends the reply packet (transmit timestamp).
- T4: The time the client receives the reply packet (destination timestamp).
These timestamps are recorded in the NTP packet header. The client calculates:
- Round-trip delay (δ): (T4 - T1) - (T3 - T2)
- Clock offset (θ): ((T2 - T1) + (T3 - T4)) / 2
The offset represents the difference between the client's clock and the server's clock. If positive, the client is behind; if negative, the client is ahead. The client then adjusts its clock by the offset, but not always immediately.
#### Clock Discipline: Slewing vs. Stepping
NTP uses a discipline algorithm to adjust the clock gradually (slewing) or immediately (stepping). The decision depends on the magnitude of the offset and the system's configuration.
Slewing: If the offset is small (typically less than 128 milliseconds), NTP adjusts the clock by speeding up or slowing down the system clock's tick rate. This is the preferred method because it avoids discontinuities in time that could affect applications.
Stepping: If the offset is large (e.g., more than 128 ms), NTP may step the clock immediately to the correct time. This can cause problems for applications that expect time to move forward monotonically. Many systems have a threshold (e.g., 1000 seconds) above which they will not step automatically and require manual intervention.
#### Polling Interval
NTP clients poll servers at intervals that are power-of-two multiples of a base interval. The default poll interval is 64 seconds (2^6), but it can range from 16 seconds (2^4) to 1024 seconds (2^10). The client dynamically adjusts the poll interval based on the stability of the time source. The algorithm aims to reduce network traffic while maintaining accuracy.
NTP Packet Format
NTP packets are UDP packets on port 123. The packet header contains several fields:
Leap Indicator (LI): Warns of an impending leap second insertion or deletion.
Version Number (VN): Currently version 4.
Mode: Indicates the role of the sender: 3 = client, 4 = server, 1 = symmetric active, etc.
Stratum: The stratum level of the sender (0 for kiss-o'-death, 1-15 for valid, 16 for unsynchronized).
Poll: The poll interval as a power of 2 (e.g., 6 means 64 seconds).
Precision: The precision of the system clock, as a signed integer exponent of 2 (e.g., -18 means about 3.8 microseconds).
Root Delay: Total round-trip delay to the reference clock.
Root Dispersion: Total dispersion (error) to the reference clock.
Reference ID: A code identifying the reference clock (e.g., GPS, atomic clock, or IP address).
Reference Timestamp: The time when the system clock was last set or corrected.
Originate, Receive, Transmit Timestamps: T1, T2, T3 as described.
#### Kiss-o'-Death (KoD) Packets
If a server cannot or will not serve time, it sends a Kiss-o'-Death packet with stratum 0 and a reference ID that is a 4-character ASCII code explaining the reason, such as:
- RATE: The client is polling too frequently. The client should back off.
- DENY: The server denies access (access control).
- RSTR: The server is not synchronized.
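The header layout, the Kiss-o'-Death rule, and the offset/delay formulas above can be exercised together. The following is an added example, not code from the original page: it decodes a 48-byte header, refuses replies that are KoD, unsynchronized, or do not echo the client's T1, and then computes θ and δ. All function names and the sample packets are constructed for illustration; times are seconds since 1900.

```python
import struct

class KissOfDeath(Exception):
    """Reply had stratum 0; the message is the 4-character reference ID code."""

def to_ntp_bytes(seconds):
    """Encode seconds since 1900 as a 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(seconds)
    return struct.pack("!II", whole, int((seconds - whole) * 2**32))

def from_ntp_bytes(raw):
    whole, frac = struct.unpack("!II", raw)
    return whole + frac / 2**32

def parse_header(packet):
    """Decode the 48-byte NTP header into named fields."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    first, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    root_delay, root_disp = struct.unpack("!II", packet[4:12])
    return {
        "leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
        "stratum": stratum,
        "poll_seconds": 2.0 ** poll,            # field is an exponent of 2
        "precision_seconds": 2.0 ** precision,  # signed exponent of 2
        "root_delay": root_delay / 2**16,       # 16.16 fixed point
        "root_dispersion": root_disp / 2**16,
        "ref_id": packet[12:16],
        "originate_raw": packet[24:32],
        "receive": from_ntp_bytes(packet[32:40]),
        "transmit": from_ntp_bytes(packet[40:48]),
    }

def evaluate_reply(packet, t1, t4):
    """Return (offset, delay) in seconds, or raise if the reply must not be used."""
    h = parse_header(packet)
    if h["mode"] != 4:
        raise ValueError("not a server-mode reply")
    if h["stratum"] == 0:
        raise KissOfDeath(h["ref_id"].decode("ascii", "replace"))
    if h["stratum"] > 15:
        raise ValueError("server is unsynchronized")
    # The server copies T1 back; a mismatch means the reply is not for our request.
    if h["originate_raw"] != to_ntp_bytes(t1):
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = h["receive"], h["transmit"]
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay

def build_reply(stratum, ref_id, t1, t2, t3):
    """Build a constructed mode-4 reply (LI=0, VN=4, poll=6, precision=-18)."""
    first = (0 << 6) | (4 << 3) | 4
    return (struct.pack("!BBbb", first, stratum, 6, -18) + bytes(8) + ref_id
            + to_ntp_bytes(t2) + to_ntp_bytes(t1) + to_ntp_bytes(t2) + to_ntp_bytes(t3))

# Constructed exchange: client clock 0.5 s behind the server,
# 62.5 ms network delay each way, 31.25 ms spent inside the server.
T1 = 3_900_000_000.0
T2 = T1 + 0.5 + 0.0625
T3 = T2 + 0.03125
T4 = T1 + 0.0625 + 0.03125 + 0.0625
SAMPLE_REPLY = build_reply(2, bytes([192, 168, 1, 10]), T1, T2, T3)
SAMPLE_KOD = build_reply(0, b"RATE", T1, 0.0, 0.0)

if __name__ == "__main__":
    print(evaluate_reply(SAMPLE_REPLY, T1, T4))
```

The originate check matters for security as well as correctness: a reply that does not echo the T1 the client just sent cannot be the answer to its request and is discarded before it can influence the clock.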
NTP Modes of Operation
Client/Server Mode: The client sends a request, and the server replies. This is the most common mode. The server does not need to maintain state.
Symmetric Active/Passive Mode: Two peers synchronize with each other. Both can be clients and servers. This is used for redundancy when both peers have reliable time sources.
Broadcast/Multicast Mode: The server sends unsolicited time updates to clients on a broadcast or multicast address. Clients listen and adjust their clocks without sending requests. This reduces network traffic but is less accurate because it does not account for network asymmetry.
Manycast Mode: A client broadcasts a request, and multiple servers respond. The client selects the best servers using the NTP algorithm.
NTP Security: Authentication and Access Control
NTP supports authentication using symmetric key cryptography or Autokey (now deprecated). The most common method is symmetric key authentication, where both client and server share a secret key. The NTP packet includes a message digest (MD5 or SHA-1) computed over the packet and key. This prevents time from being tampered with by an attacker.
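A sketch of the symmetric-key check described above, as an added example that is not part of the original page. It assumes the layout used by the ntpd reference implementation, a 4-byte key ID followed by digest(secret || header) appended to the 48-byte header, with no extension fields; the key table, key ID and secret are constructed.

```python
import hashlib
import hmac
import struct

# Constructed key table: key ID -> (digest name, shared secret).
KEYS = {7: ("sha1", b"constructed-shared-secret")}

def compute_mac(key_id, header, keys):
    """Return key ID (4 bytes) + digest(secret || header)."""
    algo, secret = keys[key_id]
    return struct.pack("!I", key_id) + hashlib.new(algo, secret + header).digest()

def verify_packet(packet, keys):
    """True only if the packet carries a MAC made with a key we trust."""
    header, mac = packet[:48], packet[48:]
    if len(header) < 48 or len(mac) < 4:
        return False  # truncated packet, or the MAC was stripped in transit
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False  # key ID we were never configured with
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(mac, compute_mac(key_id, header, keys))

# Constructed header: LI=0, VN=4, mode=4 (0x24), stratum 2, poll 6, precision -18.
HEADER = bytes([0x24, 2, 6, 0xEE]) + bytes(44)
SIGNED = HEADER + compute_mac(7, HEADER, KEYS)
# Flip one bit in the transmit timestamp, as an on-path modification would.
TAMPERED = SIGNED[:47] + bytes([SIGNED[47] ^ 1]) + SIGNED[48:]
UNKNOWN_KEY = HEADER + struct.pack("!I", 9) + bytes(20)

if __name__ == "__main__":
    for name, pkt in [("signed", SIGNED), ("tampered", TAMPERED),
                      ("no MAC", HEADER), ("unknown key", UNKNOWN_KEY)]:
        print(name, verify_packet(pkt, KEYS))
```

A client configured to require authentication must treat a missing MAC as a failure, otherwise stripping the MAC bypasses the check. RFC 8573 specifies AES-CMAC as the replacement for the MD5 keyed hash.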
Access control lists (ACLs) can be configured on NTP servers to restrict which clients can query or synchronize. This is important to prevent unauthorized use of the server and to mitigate amplification attacks.
NTP and the N10-009 Exam: Key Points
The exam expects you to know:
The stratum hierarchy and its meaning.
The four timestamps and how offset/delay are calculated.
Default port number: UDP 123.
The difference between slewing and stepping.
The purpose of the Kiss-o'-Death packet.
How NTP interacts with other services like logging and authentication.
Basic configuration commands on Cisco IOS and Windows.
Configuration Examples
#### Cisco IOS
To configure an NTP client on a Cisco router or switch:
ntp server 192.168.1.10
ntp server 192.168.1.11 prefer
The prefer keyword indicates a preferred server.
To verify NTP status:
show ntp status
show ntp associations
show ntp statistics
#### Windows Server
To configure an NTP client on Windows:
w32tm /config /manualpeerlist:"time.windows.com" /syncfromflags:manual /reliable:yes /update
To verify:
w32tm /query /status
#### Linux (chrony or ntpd)
For chrony:
server 0.pool.ntp.org iburst
For ntpd:
server 0.pool.ntp.org
NTP and Related Technologies
NTP is often used in conjunction with:
- Syslog: Accurate timestamps are essential for log correlation.
- SNMP: Traps and polls may use timestamps.
- Kerberos: Requires time synchronization within a few minutes (typically 5 minutes) to prevent replay attacks.
- Digital Certificates: Certificate validity checks rely on accurate time.
Common NTP Issues
Firewall blocking UDP 123: NTP uses UDP port 123. Firewalls must allow this port.
Large network delays: Asymmetric delays can cause inaccurate time. Using multiple servers helps mitigate this.
Stratum loops: Misconfiguration can cause a loop where servers synchronize with each other, creating a cycle. NTP's algorithm detects and avoids this.
Monotonic time requirements: Applications that require time to always move forward (e.g., databases) can break if NTP steps the clock backward. Use slewing or ntpd -g to allow a one-time step at boot.
NTP in Virtualized Environments
Virtual machines often have difficulty keeping accurate time because of CPU scheduling and clock interrupts. It is recommended to:
Use the hypervisor's time synchronization (e.g., VMware Tools) in addition to NTP.
Disable host time sync if using NTP inside the VM to avoid conflicts.
Dedicate CPU resources to avoid time drift.
NTP Best Practices
Use at least three NTP servers to provide redundancy and improve accuracy.
Use servers that are geographically close to reduce latency.
Use authentication to prevent spoofing.
Monitor NTP health using ntpq -p or chronyc sources.
For critical systems, use a local Stratum 1 server (e.g., GPS-based).
NTP Version Differences
NTPv4 (RFC 5905) is the current version. Improvements over NTPv3 include:
Better clock discipline algorithm.
Support for IPv6.
Autokey authentication (though now deprecated in favor of symmetric keys).
More precise timestamps (down to fractions of a nanosecond theoretically).
The exam may not distinguish between versions, but knowing that NTPv4 is current is useful.
NTP and Leap Seconds
Leap seconds are added to Coordinated Universal Time (UTC) to keep it in sync with astronomical time. NTP handles leap seconds by setting the Leap Indicator field in the packet to warn clients. The client then inserts or deletes a second at the end of the day. This can cause issues with some applications, but NTP handles it gracefully.
Client Sends NTP Request
The NTP client constructs a UDP packet with destination port 123 and source port 123. It sets the Mode field to 3 (client). It records the current system time as the originate timestamp (T1) in the packet header. The client then sends the packet to the NTP server's IP address. The client starts a timer to measure the round-trip time. The packet is typically 48 bytes for the header. The client may use a random source port if it is not running as a server, but typically both ports are 123 for client-server mode.
Server Receives and Responds
The NTP server receives the request on UDP port 123. It records the time of arrival as the receive timestamp (T2) using its own system clock. The server then constructs a reply packet. It copies the originate timestamp (T1) from the request, sets the receive timestamp (T2) and the transmit timestamp (T3) to the current time when the reply is sent. The server sets the Mode field to 4 (server). It also includes its stratum, root delay, root dispersion, and reference ID. The server sends the reply back to the client's IP address and port.
Client Receives Reply and Calculates Offset
The client receives the reply and records the time of arrival as the destination timestamp (T4). It now has all four timestamps: T1, T2, T3, T4. The client calculates the round-trip delay: δ = (T4 - T1) - (T3 - T2). It calculates the clock offset: θ = ((T2 - T1) + (T3 - T4)) / 2. The offset indicates how much the client's clock is ahead or behind the server's clock. The client also checks the server's stratum and other metrics to decide if the server is a suitable time source.
Client Adjusts Its Clock
Based on the calculated offset, the client decides how to adjust its clock. If the offset is less than the panic threshold (default 1000 seconds on many systems), the client will either slew or step. If the offset is small (e.g., <128 ms), the client slews by adjusting the frequency of its clock oscillator gradually. If the offset is larger, it steps immediately. The client updates its clock and records the new reference timestamp. It also updates its peer statistics for future selections.
Client Selects Best Server (Multiple Servers)
If the client is configured with multiple NTP servers, it runs the selection algorithm (Marzullo's algorithm) to choose the best server or combine results. The algorithm considers stratum, delay, dispersion, and jitter. It eliminates outliers and false tickers. The client may use a set of servers to compute a combined offset. The selected server is used for synchronization. The client continues to poll servers at intervals that adjust based on the clock stability.
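The selection step can be shown with the classic form of Marzullo's algorithm. This is an added example, not code from the original page or from any NTP implementation: each server contributes an interval [offset - error, offset + error], the sweep finds the interval that the most servers agree on, and servers outside it are flagged as falsetickers. The error bound per server is assumed to be given, and the server names and measurements are constructed.

```python
def marzullo(sources):
    """Return (count, low, high): the interval covered by the most sources.

    sources is a list of (name, offset, max_error); each source claims the
    true offset lies in [offset - max_error, offset + max_error].
    """
    if not sources:
        raise ValueError("no time sources")
    edges = []
    for _name, offset, err in sources:
        edges.append((offset - err, -1))  # interval opens
        edges.append((offset + err, +1))  # interval closes
    # Tuples sort by value, then kind: an open (-1) sorts before a close (+1)
    # at the same value, so intervals that only touch still count as overlapping.
    edges.sort()
    best = count = 0
    low = high = None
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:
            # A new maximum is always reached on an open edge, so a next edge exists.
            best, low, high = count, value, edges[i + 1][0]
    return best, low, high

def select_time(sources):
    """Pick the majority interval; return None when no majority agrees."""
    count, low, high = marzullo(sources)
    if count <= len(sources) / 2:
        return None  # no majority: refuse to follow any of the sources
    agree = [n for n, off, err in sources if off - err <= low and off + err >= high]
    reject = [n for n, _off, _err in sources if n not in agree]
    return {"interval": (low, high), "offset": (low + high) / 2,
            "truechimers": agree, "falsetickers": reject}

# Constructed measurements in milliseconds: (server, offset, max_error).
SAMPLE = [("ntp-a", 10, 5), ("ntp-b", 12, 4), ("ntp-c", 9, 6), ("ntp-d", 2500, 5)]
# Two sources that disagree: neither can outvote the other.
SPLIT = [("ntp-a", 10, 5), ("ntp-d", 2500, 5)]

if __name__ == "__main__":
    print(select_time(SAMPLE))
    print(select_time(SPLIT))
```

The second sample shows why a client with only two servers cannot tell which one is wrong when they disagree: there is no majority interval to trust.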
Enterprise NTP Deployment Scenarios
Scenario 1: Financial Trading Firm
A high-frequency trading firm requires sub-millisecond accuracy across its servers to timestamp trades and ensure regulatory compliance. They deploy a Stratum 1 GPS-based NTP server in their data center. All trading servers (Stratum 2) synchronize to this server using NTPv4 with symmetric key authentication. The network is isolated with low-latency switches. The NTP server is configured with minpoll 4 (16 seconds) and maxpoll 6 (64 seconds) to reduce polling jitter. Monitoring with ntpq -p shows offsets under 100 microseconds. A firewall rule allows UDP 123 only from the trading subnet. Misconfiguration could lead to incorrect trade timestamps, resulting in fines or lost revenue.
Scenario 2: University Campus Network
A university has hundreds of routers, switches, servers, and workstations. They set up two Stratum 2 servers that sync to public NTP pools (e.g., pool.ntp.org). All network devices are configured via DHCP to obtain NTP server addresses. The servers are configured with ACLs to allow only campus subnets. Logging servers use NTP to correlate events across the network. Common issues include firewall misconfiguration blocking UDP 123, and some devices being unable to reach the servers due to routing issues. The IT team uses show ntp associations on Cisco devices to verify synchronization. They also monitor the NTP servers for 'Kiss-o'-Death' packets indicating misconfigured clients.
Scenario 3: Cloud Infrastructure
A company runs virtual machines in AWS, Azure, and on-premises. They use Amazon Time Sync Service (which uses NTP) for instances in AWS. For Azure, they use the host's time service. For on-premises VMs, they run a local NTP server on a VM with a GPS clock. They disable hypervisor time synchronization inside VMs to avoid conflicts. They use chrony on Linux instances because it handles virtualized environments better than ntpd. They configure refclock PHC /dev/ptp0 to use the Precision Time Protocol (PTP) hardware clock if available. Performance considerations include CPU steal time causing drift; they pin vCPUs and use dedicated hosts for critical systems.
N10-009 Exam Focus on NTP
Objective 3.3: Explain the purpose of network services. NTP is a key service under this objective. The exam tests your understanding of NTP's purpose, operation, and configuration.
Common Wrong Answers:
1. "NTP uses TCP port 123" – Candidates confuse NTP's UDP port 123 with other services. NTP uses UDP because it is connectionless and faster. TCP would add overhead and delay.
2. "Stratum 0 devices are directly connected to the network" – Stratum 0 devices (atomic clocks, GPS receivers) are not network-connected. They connect to Stratum 1 servers via serial or USB.
3. "NTP synchronizes clocks by averaging multiple timestamps without considering delay" – NTP calculates both offset and delay. It does not simply average timestamps; it uses the four-timestamp exchange to account for network delay.
4. "A higher stratum number means more accurate time" – Stratum indicates distance from the reference, not accuracy. Stratum 1 is more accurate than Stratum 2, but Stratum 2 can still be highly accurate.
Specific Numbers and Terms on the Exam:
- UDP port 123.
- Stratum levels 0-15 (16 = unsynchronized).
- Default poll interval: 64 seconds.
- Four timestamps: T1, T2, T3, T4.
- Kiss-o'-Death (KoD) packets.
- Slewing vs. stepping (threshold ~128 ms).
- ntp server command on Cisco.
- w32tm on Windows.
Edge Cases the Exam Tests:
- What happens when the offset is very large? The clock steps, which can break applications.
- What happens when a server sends a KoD packet? The client must back off.
- How does NTP handle leap seconds? Via the Leap Indicator field.
- What if multiple servers disagree? The selection algorithm picks the most reliable.
How to Eliminate Wrong Answers:
- If a question mentions "TCP" for NTP, eliminate that answer.
- If a question says "Stratum 0 is a server," eliminate it.
- For calculation questions, remember the formula: offset = ((T2 - T1) + (T3 - T4)) / 2.
- Focus on the fact that NTP is used for time synchronization, not for file transfer or DNS.
NTP uses UDP port 123.
Stratum 0 = reference clock, Stratum 1 = primary server, Stratum 2+ = secondary servers, Stratum 16 = unsynchronized.
Four timestamps (T1, T2, T3, T4) are used to calculate offset and round-trip delay.
Offset formula: θ = ((T2 - T1) + (T3 - T4)) / 2.
NTP slews for small offsets (<128 ms) and steps for larger offsets.
Kiss-o'-Death (KoD) packets indicate a server cannot serve time (e.g., RATE, DENY).
Default poll interval is 64 seconds (2^6).
On Cisco devices, use 'ntp server' to configure and 'show ntp status' to verify.
On Windows, use 'w32tm /config' to configure and 'w32tm /query /status' to verify.
NTP is critical for log correlation, authentication (Kerberos), and certificate validation.
These come up on the exam all the time. Here's how to tell them apart.
NTP
Uses UDP port 123.
Typically achieves millisecond accuracy over the Internet, sub-millisecond on LAN.
Uses a hierarchical stratum model (0-15).
Standardized in RFC 5905 (NTPv4).
Widely supported on most network devices and operating systems.
PTP (Precision Time Protocol)
Uses UDP port 319 (event) and 320 (general).
Achieves sub-microsecond accuracy with hardware timestamping.
Uses a master-slave hierarchy (Ordinary Clock, Boundary Clock, Transparent Clock).
Standardized in IEEE 1588-2008 (PTPv2).
Requires hardware support for highest accuracy; often used in financial trading and industrial automation.
Mistake
NTP uses TCP port 123.
Correct
NTP uses UDP port 123. UDP is used because it is connectionless and faster, which is important for time synchronization. TCP would introduce unnecessary delay and overhead.
Mistake
Stratum 0 devices are NTP servers on the network.
Correct
Stratum 0 devices are reference clocks (e.g., atomic clocks, GPS receivers) that are not directly connected to the network. They connect to Stratum 1 servers via serial or USB cables. Stratum 1 servers are the first network-accessible time sources.
Mistake
NTP immediately steps the clock for any offset.
Correct
NTP slews the clock for small offsets (typically <128 ms) to avoid discontinuities. It only steps the clock for larger offsets. Stepping can cause problems for applications that expect monotonic time.
Mistake
A higher stratum number means more accurate time.
Correct
Stratum number indicates the distance from the reference clock, not accuracy. A Stratum 2 server can be very accurate if it has a good connection to a Stratum 1 server. Stratum 16 means the clock is not synchronized.
Mistake
NTP can synchronize clocks to within microseconds over the public Internet.
Correct
NTP typically achieves millisecond accuracy over the Internet due to variable network delays. Sub-millisecond accuracy usually requires local network connections or specialized hardware (e.g., PTP).
NTP uses UDP port 123. UDP is used because it is connectionless and faster, which is essential for accurate time synchronization. TCP would add unnecessary delay and overhead. Both the client and server use port 123 in client-server mode.
Slewing adjusts the clock gradually by changing the frequency of the clock oscillator, avoiding time discontinuities. Stepping sets the clock immediately to the correct time. NTP slews for small offsets (typically less than 128 ms) and steps for larger offsets. Stepping can cause issues for applications that expect time to move forward monotonically. The panic threshold (default 1000 seconds) prevents automatic stepping beyond that limit.
A Kiss-o'-Death (KoD) packet is sent by an NTP server to indicate that it cannot or will not provide time service. It has stratum 0 and a reference ID that is a 4-character ASCII code explaining the reason. Common codes include RATE (client polling too fast), DENY (access denied), and RSTR (server not synchronized). The client should back off and reduce its polling rate.
NTP uses four timestamps: T1 (client send), T2 (server receive), T3 (server send), T4 (client receive). The offset is calculated as ((T2 - T1) + (T3 - T4)) / 2. This formula accounts for the network delay assuming symmetric paths. The round-trip delay is (T4 - T1) - (T3 - T2). The client then adjusts its clock by the offset.
The default NTP poll interval is 64 seconds, which is 2^6 seconds. The poll interval can range from 16 seconds (2^4) to 1024 seconds (2^10). The client dynamically adjusts the interval based on the stability of the time source to reduce network traffic while maintaining accuracy.
Yes, NTPv4 supports IPv6. The protocol operates over IPv6 using UDP port 123, just like IPv4. The NTP packet format is the same. When configuring NTP on dual-stack devices, you can specify IPv6 addresses for NTP servers. The exam may test that NTP works over both IPv4 and IPv6.
The maximum usable stratum level is 15. Stratum 16 indicates an unsynchronized clock. Stratum 0 is reserved for reference clocks. The stratum number increases by one for each NTP hop from the reference clock. A server at stratum 15 can synchronize clients at stratum 16, but those clients would be considered unsynchronized.