Network Time Protocol Year 2000 Conformance Statement
The Mad Hatter and the March Hare are discussing whether the Teapot
serial number should have two or four digits.
The universal timescale can be implemented using a binary counter of indefinite width and with the unit seconds bit placed somewhere in the middle. The counter is synchronized to UTC such that it runs at the same rate and the units increment coincides with the UTC seconds tick. The NTP timescale is constructed from 64 bits of this counter, of which 32 bits number the seconds and 32 bits represent the fraction. With this design, the counter runs in 136-year cycles, called eras, the latest of which began with a counter value of zero at 0h 1 January 1900. The design assumption is that further low order bits, if required, are provided by local interpolation, while further high order bits, when required, are provided by external means. The important point to be made here is that the high order bits must ultimately be provided by astronomers and disseminated to the population by international means. Ultimately, should a need exist to align a particular NTP era to the current calendar, the operating system in which NTP is embedded must provide the necessary high order bits, most conveniently from the file system or flash memory.
The NTP timescale is almost never used directly by system or application programs. The generic Unix kernel keeps time in seconds and microseconds (or nanoseconds) to provide both time of day and interval timer functions. In order to synchronize the Unix clock, NTP must convert to and from its representation and Unix representation. Unix kernels implement the time of day function using two 32-bit counters, one representing the seconds since Unix life began and the other the microseconds or nanoseconds of the second. In principle, the seconds counter will wrap around in 136-year eras, the next of which will begin in 2106. How the particular Unix semantics interprets the counter values is of concern, but is beyond the scope of discussion here.
While incorrect time values due to the NTP timescale and protocol design or reference implementation upon the epoch of the next century are highly unlikely, hazards remain due to incorrect software external to NTP. These hazards include the Unix kernel and library routines which convert Unix time to and from conventional civil time in seconds, minutes, hours, days and years. Although NTP uses these routines to format monitoring data displays, they are not used to read or set the NTP clock. They may in fact cause problems with certain application programs, but this is not an issue which concerns NTP correctness.
While it is extremely unlikely that NTP will produce incorrect time values upon the epoch, it is possible that some external source to which NTP synchronizes may produce a discontinuity which could then induce a NTP discontinuity. The NTP primary (stratum 1) time servers, which are the ultimate time references for the entire NTP population, obtain time from various sources, including radio and satellite receivers and telephone modems. Not all sources provide year information and not all of these provide time in four-digit form. In point of fact, the NTP reference implementation does not use the year information, even if available. Instead, the year information is provided from the file system, which itself depends on the Unix clock.
The NTP protocol specification requires the apparent NTP time derived from external servers to be compared to the file system time before the clock is set. If the discrepancy is over 1000 seconds, an error alarm is raised requiring manual intervention. This makes it very unlikely that even a clique of seriously corrupted NTP servers will result in incorrect time values. In the case of embedded computers with no file system, the design assumption is that the current era be established from flash memory or a clock chip previously set by manual means.
It is essential that any clock synchronization protocol, including NTP, include provisions for multiple-server redundancy and multiple- route diversity. Past experience has demonstrated the wisdom of this approach, which protects clients against hardware and software faults, as well as incorrectly operating reference sources and sometimes even buggy software. For the most reliable service, we recommend multiple reference sources for primary servers, including a backup radio or satellite receiver or telephone modem. We also recommend that primary servers run NTP with other primary servers to provide additional redundancy and mutual backup should the reference sources themselves fail or operate incorrectly.