The real-world challenges of trying to upgrade time-synchronization without TimeKeeper are described in an excellent 2012 technical paper about a project at the company IMC Global Finance [IMC]. The article documents a two year, highly resourced project run by an expert engineering team – a nice data point for perhaps best case time synchronization using the open source alternatives to TimeKeeper. The tradeoff evaluation, of course, will be different in every enterprise, but the blunt analysis of limits to the existing open source technology contained in the IMC article is refreshing:
In all, this paper contributes concrete examples where PTP’s byzantine robustness, scalability and efficiency characteristics range between absent to poor – and attempts to raise awareness on the steps needed to build PTP solutions with the characteristics that global users want.
PTP, as it is currently defined, is not (yet) a viable solution beyond smallish LANs
The cautionary statements in the IMC paper will come as a surprise to many in the industry because PTP has been aggressively marketed as the solution to time synchronization. In practice, PTP is just a protocol specification –it is the implementation that matters, and many of the limitations that confounded the IMC developers are not limitations of the protocol, but limitations of the implementation in the open source clock synchronization software they utilized.
Clock Synchronization Background
Let’s step back and look at the underlying issue of clock synchronization. Application programs running on separate computers rely on “clocks” that are found in each computer and adjusted by software. If those clocks are not synchronized it is impossible to consolidate records because we won’t know when events happened or even the order of events. Furthermore, without synchronized clocks, application programs that work together cannot determine how long collaborative transactions took or how long data takes to get from machine to machine. Clock synchronization is therefore essential to both data integrity and system management. Synchronizing clocks down to levels of microseconds or below has become a requirement in some parts of financial trading (down to milliseconds or below in cloud based computing) and, increasingly, in other areas as well. So the basic problem is how to synchronize these clocks and keep them synchronized – particularly because the hardware clocks on computers tend to accumulate errors rapidly. That challenge is compounded in a cloud compute environment.
To synchronize, each application server must continuously correct its clock relying on updates sent over the network from some reference time source. One common type of reference time source is a device that gets the time from a Global Positioning System (GPS) or other satellites and then shares that time with “clients” over the network. The older, ubiquitous, standard for sharing those time updates is called the Network Time Protocol (NTP) but there is a newer, heavily marketed, alternative called the IEEE 1588 Precision Time Protocol (PTP). The open source NTPd will consume and produce NTP packets while there are several open source variants of PTPd that do the same for PTP packets. TimeKeeper can work with both protocols – and with multiple PTP “profiles” - and also inter-operates with the open source implementations.
PTP limits and fault-detection and recovery
TimeKeeper is protocol agnostic – we provide sub-microsecond clock synchronization, fault-tolerance, scalability, and process documentation with either PTP (in several versions) or NTP. Each protocol has different advantages in different situations, and some problems are best solved above the network protocol layer – transparently to applications. And PTP is a standard that needs a lot of help in the enterprise. Perhaps the most important example is that PTP “best master clock” protocol makes fault-detection difficult or impossible and can easily put users in a state of violating existing regulations. The IMC developers discovered this problem mid-project and found it to be costly and difficult to meet regulatory and audit requirements.
The implications of this aspect of the PTP protocol only became clear after PTP was deployed worldwide, using multiple GMs to service thousands of clients. On several occasions, a GM bug caused the (single) time source to send time without leap seconds information, for two (!) hours. As the active GM continued to send “Announce” packets as normal, with the same BMC values (priority, clock class, etc.), the inactive GMs had no reason to take over. All clients, however, saw a 34 second offset without any indication that this time might be invalid or suspicious in any way. Consequently, they either “corrected” this situation by stepping (jumping) the clock backwards, or by slewing (slowing down) the clock at maximum speed to the “new” value. Both cases are unacceptable in our regulatory environment (namely FINRA rule 7430 )
TimeKeeper fixes this problem above the protocol layer. Sophisticated filtering methods dispose of bad updates, cross checks of time sources detect failing or compromised sources and there are configurable triggers of when to fail over to a backup source. TimeKeeper can also notify automated monitoring software and network operators when it sees problems. The number of independent sources monitored by TimeKeeper is essentially arbitrary: some customers have five sources to provide a very high level of reliability. Because we solve the unreliable source problem above the protocol layer, a TimeKeeper client can use PTP and NTP sources to cross-check each other. That is TimeKeeper has the property that the IMC developers eventually proposed as a future direction for PTP:
[and so, in the future] Therefore, the PTP client needs a heuristic to judge the ’trustworthiness’ of its current GM, as compared to the group, and to be able to switch when needed
TimeKeeper, as illustrated in the graphic above can track many sources and cross-check them. But there is currently no notion of independent clocks within the PTP standard so the IMC developers were constrained to less effective, higher overhead solutions:
These multiple issues were first controlled by deprecating clock stepping, and later by deprecating long (i.e., more than 2 seconds) slews. At the same time, the specific issues were addressed in cooperation with the vendor [the hardware vendors –vy]. In addition, the identified problems resulted in multiple improvements to the configuration of the production time infrastructure and the network itself, especially on the multicast-forwarding configuration.
While all these measures have objectively improved the situation, they are still insufficient to cover all known and unknown corner cases, as the slave clocks may still drift for long periods of time (at best), or be slowly slewed to any desired offset by a faulty, hacked or GPS-spoofed server (at worst). In all cases, this susceptibility introduces a significant operational overhead to keep the time synchronization system operating and monitored 24 hours/7 days a week.
Managers who choose to use the open source PTPd software in place of TimeKeeper are unknowingly betting that in the future PTP will develop some technology for addressing the problem of unreliable sources and that this future will materialize before their firms encounter a significant embarrassment.
A second look at PTP
The PTP standard has some advantages, but it is essential for technical management to understand the limitations of PTP which was originally intended to synchronize clocks on simple local area networks (LANs) that could not be more different than what we have in the enterprise. The protocol designers wanted to be able to synchronize clocks of control devices – sensors and actuators – connected to a single Ethernet network cable. They specified that the reference time sources should “multicast” time updates, essentially sending out time update packets that would be seen by all the devices on the cable. They located most of the intelligence in the time source – the grandly named GrandMaster – because they assumed the clients were simple control devices. As the IMC developers put it:
Acknowledging that PTP was initially designed as a LAN protocol[…], the issues can be broadly divided into a) issues on the PTPv2 standard itself, b) issues that have to be addressed when PTP is expanded to work over WANs, and c) issues that caused the biggest operational impact on the (tested) implementations.
Now compare this target network with, say, IMCs network, which is similar to many networks in financial trading and other enterprises.
IMC has built and continuously maintains a state-of-the-art technological infrastructure that keeps us competitive. In particular, IMC features a global network that directly connects to over 40 exchanges worldwide, in all major financial locations and spanning all time zones. This network has dozens of datacenters (DCs), either co-located or in proximity to the financial exchanges, all with state-of-the-art switching backbones and inter-connected with a variety of both leased and partially shared high-speed interconnection lines. Together, all these DCs host thousands of servers, most of them performing critical real-time activities and all of them requiring strict traceability of their clocks to UTC for both current (e.g.,) and anticipated regulatory/compliance reasons, for risk mitigation and for internal performance testing.
IMCs network was, before the project outlined in this paper, already set up to synchronize clocks using the older NTP protocol – which fits in the enterprise more easily. Because the widely used open source NTP implementation software (which is also used inside of most network clock appliances) cannot deliver the time accuracy required in modern transaction systems, it is sometimes claimed that the protocol is limited in accuracy. This is false. TimeKeeper can easily deliver sub-microsecond accuracy over NTP. In fact, the two protocols are quite similar – the biggest difference is that there is hardware support for PTP in some networking equipment. However, there is also hardware support for NTP in some widely available network equipment and excellent results are routinely produced by TimeKeeper in this instance too.
When firms like IMC use TimeKeeper to upgrade clock synchronization, they can stay with NTP or gradually migrate or use a mixture of NPT and PTP. The IMC paper describes a number of issues that could motivate network managers might to be cautious about a migration to PTP. For example consider this note about the PTP multi-cast specification.
Requiring a single multicast address and group caused severe operational problems for IMC, as it requires all hosts to be both senders and receivers of a single shared WAN multicast group (with the clock separation methods described in section III.B). This requires an “all-to-all” semantic that is, in practice, far more complex to build and maintain than the regular “one-to-many” multicast semantics, primarily because of asymmetric routing issue
Ironically, one of the methods the IMC developers used to try to control the effects of PTP multicast is to embrace one of the many non-standard “hybrid modes” that have proliferated in PTP implementation. With this mode, PTP acts a lot like NTP, partially abandoning the multicast base of PTP to use a unicast handshake that is identical to the base NTP update transaction.
Ultimately, infrastructure and network managers need to look at the business logic of their time synchronization requirements and then examine the cost/benefit tradeoffs of different possible solutions. For some, the absence of software licensing costs for PTPd variants will outweigh the higher engineering investment, weaker technology, and commitment to discuss what might be considered proprietary issues on the open source development mailing lists. The IMC paper provides some documentation on the results that can be expected.
For more information contact firstname.lastname@example.org
[IMC] Challenges deploying PTPv2 in a Global Financial Company. Pedro V Estrela, Jan L. Bonebakker, 2012 International IEEE Symposium on Precision Clock Synchronization for Measurement, Control and Communication