{"id":115,"date":"2013-06-17T16:16:46","date_gmt":"2013-06-17T06:16:46","guid":{"rendered":"https:\/\/www.icemoonprison.com\/blog\/?p=115"},"modified":"2014-07-06T23:05:39","modified_gmt":"2014-07-06T13:05:39","slug":"join-the-ntp-pool-on-ipv6","status":"publish","type":"post","link":"https:\/\/www.icemoonprison.com\/blog\/archives\/115","title":{"rendered":"Join the NTP Pool on IPv6"},"content":{"rendered":"

Here at Ice Moon Prison we bill by the second. Hence it is important that we always have the exact time.\u00a0 To this end, we are longtime users of the NTP Pool Project<\/a>, a distributed network of Network Time Protocol-enabled servers around the world. As firm believers in paying one’s debt to society, Ice Moon Prison has joined the NTP Pool with one of its spare servers.<\/p>\n

Since Ice Moon Prison is too cheap to have more than a single IPv4 address, and since we are IPv6 evangelists, the Ice Moon Prison NTP server is accessible over IPv6 only.\u00a0 Doing this is easier than messing around with NAT and port forwarding of UDP packets.\u00a0 (And, we might add, the following recipe is a testament to how easy setting up a service is without the burden of NAT. The same process can be followed for just about any service, not just NTP.)<\/p>\n

<\/p>\n

Choose a server<\/h1>\n

Choosing a machine to run the NTP daemon is pretty simple.\u00a0 It needs to be always on; it needs to have a static IP address; it ought to be a physical, rather than a virtual, machine. Ice Moon Prison has a Mac mini running Ubuntu 13.04 that fits the bill.<\/p>\n

The NTP Pool is, at its heart, a DNS server.\u00a0 Each time you query the address of pool.ntp.org, you get a different list of four servers.\u00a0 For this to work, the hosts must be at permanent, static, IP addresses.\u00a0 Fortunately, Ice Moon Prison’s ISP provides static IPv6 prefixes for everyone<\/a>.<\/p>\n

Assign an IPv6 address<\/h1>\n

Some operating systems have enabled IPv6 privacy extensions<\/a> by default, which is reasonable enough for laptops and mobile devices, but counterproductive for servers.\u00a0 An NTP Pool host needs a static IP address, not a randomized one. We could have simply disabled IPv6 privacy extensions and used the stateless autoconfigured IPv6 address<\/a> of the server based on its MAC address, but that would have to be changed if we switched the server’s hardware. We bit the bullet and set a completely static IPv6 address, one a little shorter and visually manageable.<\/p>\n

Setting a static IPv6 address entails putting a section like this into the \/etc\/network\/interfaces<\/strong> file:<\/p>\n

iface eth0 inet6 static\r\n  # Prefix 2001:44b8:41bd:c40x::\/56 is from ISP.\r\n  # Subnet xxxx:xxxx:xxxx:xxx1::\/64 is from router.\r\n  # Host part ::50 is chosen to be nice and short.\r\n\u00a0 address 2001:44b8:41bd:c401::50\r\n  # May as well still accept RFC 4862 router advertisements.\r\n\u00a0 accept_ra 1\r\n\u00a0 autoconf 1\r\n  # Disable source address randomization.\r\n\u00a0 privext 0\r\n\u00a0 netmask 64<\/pre>\n
Bring the interface down then up:<\/p>\n
# ifdown eth0; ifup eth0<\/pre>\n
The IPv6 address should be present:<\/p>\n
# ip -6 addr show eth0\r\n2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000\r\n\u00a0\u00a0\u00a0 inet6 fd30:a67b:b56:1:216:cbff:feab:43b0\/64 scope global dynamic \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid_lft forever preferred_lft forever\r\n\u00a0\u00a0\u00a0 inet6 2001:44b8:41bd:c401:216:cbff:feab:43b0\/64 scope global dynamic \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid_lft 86389sec preferred_lft 14389sec\r\n\u00a0\u00a0\u00a0 inet6 2001:44b8:41bd:c401::50\/64 scope global <\/strong>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid_lft forever preferred_lft forever<\/strong>\r\n\u00a0\u00a0\u00a0 inet6 fe80::216:cbff:feab:43b0\/64 scope link \r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 valid_lft forever preferred_lft forever<\/pre>\n
Configure the NTP daemon<\/h1>\n
NTP is installed by default on Ubuntu, but even on stock Debian it’s only a single apt-get command away:<\/p>\n
# apt-get install ntp<\/pre>\n
The NTP Pool has recommendations for configuring a pool server<\/a>, which basically boil down to: Don’t mention pool.ntp.org in your configuration, or you’ll cause positive feedback loops.\u00a0 So remove any existing server entries in \/etc\/ntp.conf<\/strong> and put in a few servers from their handy list<\/a>:<\/p>\n
server ntp.ragingfist.net\r\nserver ntp.au.zoidial.com\r\nserver ntp2.tpg.com.au\r\nserver ntp.mazzanet.id.au\r\nserver ntp.internode.on.net<\/pre>\n
Reload the NTP daemon configuration:<\/p>\n
# service ntp reload<\/pre>\n
Open a hole in the firewall<\/h1>\n
Ice Moon Prison’s Mac mini is behind a firewall, so it is necessary to allow unsolicited UDP traffic on port 123 through the firewall.\u00a0 How to do this depends on the firewall.\u00a0 Ice Moon Prison runs OpenWrt 10.03.1, which uses the standard Linux iptables firewall.\u00a0 With OpenWrt’s LuCI interface this is pretty easy.<\/p>\n
\"Firewall<\/a>
Firewall configuration<\/figcaption><\/figure>\n
Register on pool.ntp.org<\/h1>\n
Registering your server’s IP address on pool.ntp.org is done through its home page<\/a>. The NTP Pool provides a Statistics page<\/a> for each server so you can see how yours is performing.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Here at Ice Moon Prison we bill by the second. Hence it is important that we always have the exact time.\u00a0 To this end, we are longtime users of the NTP Pool Project, a distributed network of Network Time Protocol-enabled servers around the world. As firm believers in paying one’s debt to society, Ice Moon […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[23],"tags":[24],"class_list":["post-115","post","type-post","status-publish","format-standard","hentry","category-ipv6","tag-ntp"],"_links":{"self":[{"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/comments?post=115"}],"version-history":[{"count":9,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/posts\/115\/revisions"}],"predecessor-version":[{"id":198,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/posts\/115\/revisions\/198"}],"wp:attachment":[{"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/media?parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/categories?post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.icemoonprison.com\/blog\/wp-json\/wp\/v2\/tags?post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}