1482
10, OCTOBER 1991
Internet Time Synchronization:
The Network Time Protocol
David L. Mills, Member, IEEE
Abstruct- This paper describes the network time protocol
(NTP),which is designed to distribute time information in a large, Internet refers to this particular system, while the uncapitalized
diverse internet system operating at speeds from mundane to
lightwave. It uses a symmetric architecture in which a distributed
subnet of time servers operating in a self-organizing, hierarchical
configuration synchronizes local clocks within the subnet and
to national time standards via wire, radio, or calibrated atomic
clock. The servers can also redistribute time information within
a network via local routing algorithms and time daemons.
This paper also discusses the architecture, protocol and algo-
rithms, which were developed over several years of implementa-
tion refinement and resulted in the designation of NTP as an
Internet Standard protocol. The NTP synchronization system,
which has been in regular operation in the Internet for the
last several years, is described along with performance data
which shows that timekeeping accuracy throughout most portions
of the Internet can be ordinarily maintained to within a few
milliseconds, even in cases of failure or disruption of clocks, time
servers or networks.
I. INTRODUCTION
A CCURA", reliable time is necessary for financial and
legal transactions, transportation and distribution systems
and many other applications involving widely distributed
resources. How do hosts in a large, dispersed networking com-
munity know what time it is? How accurate are their clocks? In
a recent survey involving 94 260 hosts of the Internet system,
20 758 provided local time using three time-transfer protocols
[24]. About half of the replies had errors greater than 2 min,
while 10% had errors greater than 4 h. A few had errors
over two weeks. Most local clocks are set by eyeball-and-
wristwatch to within a minute or two and rarely checked after
that. Many of these are maintained by some sort of battery-
backed clock-calendar device using a room-temperature quartz
oscillator that may drift as much as a second per day and
can go for weeks between manual corrections. For many
applications, especially distributed internet applications, much
greater accuracy and reliability is required.
This paper presents an overview of the architecture, protocol
and algorithms of the network time protocol (NTP) used
in the Internet system to synchronize clocks and coordinate
time distribution. The Internet consists of over 100000 hosts
on over 1500 packet-switching networks interconnected by
Paper approved by the Editor for Network Protocols of the IEEE Communi-
cations Society. Manuscript received February 10, 1989; revised January 29,
1990 and July 18, 1990. This work was supported in part by the Defense
Advanced Research Projects Agency under Contract N00140-87-C-8901 and
by the National Science Foundation under Grant NCR-89-13623.
The author is with the Department of Electrical Engineering, University of
Delaware, Newark, DE 19716.
IEEE Log Number 9101515.
009&6778/91$01.00 0 1991 IEEE
IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO.
a similar number of gateways. In this paper the capitalized
internet refers to any generic system of multiple networks
interconnected by gateways. While the Internet backbone
networks and gateways are carefully engineered for good
service, operating speeds, and service reliability vary consid-
erably throughout the system. This places severe demands
on NTP, which must deliver accurate and reliable time in
spite of component failures, service disruptions and possibly
mis-engineered implementations.
In the remainder of this introductory Section I, issues in
the requirements, approaches, and comparisons with previ-
ous work are discussed. The architecture of the NTP syn-
chronization system, including the primary reference sources
and distribution mechanisms, is described in Section 11. An
overview of the NTP protocol and modes of operation is given
in Section 111. Section IV describes the algorithms used to im-
prove the accuracy of measurements made over Internet paths
and to select the best from among a set of available clocks
for synchronization. Section V describes a local-clock design
based on a type of phase-lock loop and capable of long-term
accuracies to the order of a few milliseconds. The international
NTP synchronization system of time servers now operating
in the Internet is described and its performance assessed in
Section VI. Section VI1 discusses further development and
issues for future research. This paper itself is an updated and
condensed version of [23].
A. Definitions
In this paper, the stability of a clock is how well it can
maintain a constant frequency, the accuracy is how well its
time compares to national standards and the precision is how
precisely time can be resolved in a particular timekeeping
system. The offset of two clocks is the time difference between
them, while the skew is the frequency difference between them.
The reliability of a timekeeping system is the fraction of the
time it can be kept operating and connected in the network
(without respect to stability and accuracy). Local clocks are
maintained at designated time servers, which are timekeeping
systems belonging to a synchronization subnet, in which each
server measures the offsets between its local clock and the
clocks of its neighbor servers or peers in the subnet. In this
paper to synchronizefrequency means to adjust the clocks in
the subnet to run at the same frequency, to synchronize time
means to set them to agree at a particular epoch with respect
to coordinated universal time (UTC), as provided by national
standards, and to synchronize clocks means to synchronize
them in both frequency and time.
MILLS: INTERNET TIME SYNCHRONIZATION
B. Performance Requirements
Internet transmission paths can have wide variation in delay
and reliability due to traffic load, route selection, and facil-
ity outages. Stable frequency synchronization requires stable
local-clock oscillators and multiple offset comparisons over
relatively long periods of time, while reliable time synchro-
nization requires carefully engineered selection algorithms and
the use of redundant resources and diverse transmission paths.
For instance, while only a few offset comparisons are usually
adequate to determine local time in the Internet to within a
few tens of milliseconds, dozens of measurements over some
days are required to reliably stabilize frequency to a few
milliseconds per day. Thus, the performance requirements of
an intemet-based time synchronization system are particularly
demanding. A basic set of requirements must include the
following.
1) The primary reference source(s) must be synchronized to
national standards by wire, radio, or calibrated atomic clock.
The time servers must deliver continuous local time based
on UTC, even when leap seconds are inserted in the UTC
timescale.
2) The time servers must provide accurate and precise time,
even with relatively large delay variations on the transmission
paths. This requires careful design of the filtering and com-
bining algorithms, as well as an extremely stable local-clock
oscillator and synchronization mechanism.
3) The synchronization subnet must be reliable and sur-
vivable, even under unstable network conditions and where
connectivity may be lost for periods up to days. This requires
redundant time servers and diverse transmission paths, as well
as a dynamically reconfigurable subnet architecture.
4) The synchronization protocol must operate continuously
and provide update information at rates sufficient to compen-
sate for the expected wander of the room-temperature quartz
oscillators used in ordinary computer systems. It must operate
efficiently with large numbers of time servers and clients in
continuous-polled and procedure-call modes and in multicast
and point-to-point configurations.
5) The system must operate in existing internets including
a spectrum of machines ranging from personal workstations
to supercomputers, but make minimal demands on the oper-
ating system and supporting services. Time-server software
and especially client software must be easily installed and
configured.
In addition to the above, and in common with other generic,
promiscuously distributed services, the system must include
protection against accidental or willful intrusion and provide
a comprehensive interface for network management. In NTF'
address filtering is used for access control, while encrypted
checksums are used for authentication. Network management
presently uses a proprietary protocol with provisions to migrate
to standard protocols where available.
C . Discussion of Approaches
There are many ways that time servers distributed through-
out a large geographic area can synchronize clocks to UTC.
In North America, the U.S. and Canada operate broadcast
1483
radio services with a UTC timecode modulation which can
be decoded by suitable receivers. One approach to time
synchronization is to provide timecode receivers at every
site where required. However, these receivers are specialized,
moderately expensive and subject to occasional gross errors
due to propagation and equipment failures. A comprehensive
summary of radio synchronization techniques can be found in
[41.
The U.S. National Institute of Standards and Technology
(NIST) (formerly National Bureau of Standards), recently
announced a computer time service available to the general
public by means of a standard telephone modem [26]. The
service is intended for use by personal workstations to set
clock-calendars, for example, but would not be suitable for a
large population of clients calling on a frequent, regular basis
without further redistribution.
In principle, it is possible to use special network facilities
designed for time synchronization, such as timecode rebroad-
casts on a dedicated FM or TV subcarrier or cable system.
For many years AT&T has synchronized digital switching
equipment to the basic synchronization reference frequency
(BSRF), which consists of a master oscillator synchronized to
UTC and a network of dedicated 2048-kHz links embedded in
the transmission plant. AT&T and other carriers are planning
to use the global positioning system and the LORAN-C radio
navigation system to synchronize switches in various areas
of the country. However, neither of these methods would be
economically viable for widespread deployment in a large,
diverse internet system.
Current network clock synchronization techniques have
evolved from both linear systems and Byzantine agreement
methodologies. Linear methods for digital telephone network
synchronization are summarized in [161, while Byzantine
methods for clock synchronization are summarized in [15].
While reliable clock synchronization has been studied using
agreement algorithms [15], [33], in practice it is not possible to
distinguish the truechimer clocks, which maintain timekeeping
accuracy to a previously published (and trusted) standard, from
the falseticker clocks, which do not, on other than a statistical
basis. In addition, the algorithms discussed in the literature
do not necessarily produce the most accurate and precise time
on a statistical basis and may produce unacceptable network
overheads and instabilities in a large, diverse internet system.
In an internet system involving many networks and gate-
ways a useful approach is to equip a few strategically located
hosts or gateways with timecode receivers or calibrated atomic
clocks and coordinate time distribution using a suitable proto-
col. Various Internet protocols have been used to record and
transmit the time at which an event takes place, including the
daytime protocol [28], time protocol [29], ICMP timestamp
message [7], and IP timestamp option [34]. The Unix 4.3 bsd
time daemon timed uses an elected master host to measure
offsets of a number of slave hosts and send periodic correc-
tions to them [113. While addressing no particular protocol
architecture, the schemes proposed in [6] have features in
common with NTP, including master-slave synchronization
with provisions for failures and changing system load. How-
ever, none of these protocols includes engineered algorithms
1484 IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO. 10, O O B E R 1991

to compensate for the effects of statistical delay variations The NTP system consists of a network of primary and
encountered in wide-area networks and are unsuitable for secondary time servers, clients, and interconnecting transmis-
precision time distribution throughout the Internet. sion paths. A primary time server is directly synchronized
It became evident, as the algorithms used in NTP evolved to a primary reference source, usually a timecode receiver
over a nine-year period of experiment and stepwise refinement, or calibrated atomic clock. A secondary time server derives
that accurate and reliable internet time synchronization can synchronization, possibly via other secondary servers, from a
be achieved only through an integrated approach to sys- primary server over network paths possibly shared with other
tem design, including the primary reference sources, time services. Under normal circumstances clock synchronization is
servers, synchronization subnets, protocols and synchroniza- determined using only the most accurate and reliable servers
tion mechanisms which are at the heart of this paper. From and transmission paths, so that the actual synchronization
an analytical point of view the distributed system of NTP paths usually assumes a hierarchical configuration with the
time servers operates as a hierarchically organized subnet primary reference sources at the root and servers of decreasing
of loosely coupled time servers which exchange periodic accuracy at increasing levels toward the leaves.
update messages containing precision timestamps to adjust Following conventions established by the telephone in-
local oscillator phase and frequency. The principal features dustry, the accuracy of each time server is defined by a
of this design, described in more detail later in this paper, can number called the stratum, with the reference level (primary
be summarized as follows. servers) assigned as one and each succeeding level towards
1) The synchronization subnet consists of a self-organizing, the leaves (secondary servers) assigned as one greater than the
hierarchical network of time servers configured on the preceding level [2]. Using existing stations and available time-
basis of estimated accuracy, precision and reliability. code receivers with computed propagation-delay corrections,
2) The synchronization protocol operates in connectionless accuracies in the order of a millisecond can be achieved at the
mode in order to minimize latencies, simplify implemen- network interface of a primary server. As the stratum increases
tations and provide ubiquitous interworking. from one, the accuracies achievable will degrade depending on
3) The synchronization mechanism uses a symmetric de- the network paths and local-clock stabilities.
sign which tolerates packet loss, duplication and misor- The synchronization subnet is organized using a variant of
dering, together with filtering, selection and combining the Bellman-Ford distributed routing algorithm to compute
algorithms based on maximum-likelihood principles. the minimum-weight spanning trees rooted at the primary
4) The local-clock design is based on a type 11, adaptive- reference sources [3]. The distance metric is determined first
parameter, phase-lock loop with corrections computed by stratum, then by total roundtrip path delay to the root,
using timestamps exchanged along the arcs of the syn- called the synchronization distance. The timekeeping quality
chronization subnet. at a particular peer is determined by a sum of weighted offset
5 ) Multiply redundant time servers and multiply diverse differences, called the dispersion. The total dispersion to the
transmission paths are used in the synchronization sub- root due to all causes is called the synchronization dispersion.
net, as well as engineered algorithms which select the
most reliable synchronization source(s) and path@)using
weighted-voting procedures. 111. NETWORKTIME PROTOCOL
6) System overhead is reduced through the use of dynamic The network time protocol (NTP), now established as
an Internet standard protocol [22], is used to organize and
control of phase-lock loop bandwidths, poll intervals and
association management. maintain a set of time servers and transmission paths as a
synchronization subnet. NTP is built on the Internet protocol
(IP) [8] and user datagram protocol (UDP) [27], which provide
a connectionless transport mechanism, however, it is readily
11. TIME STANDARDS AND DISTRIBUTION adaptable to other protocol suites. It is evolved from the
Since 1972 the time and frequency standards of the world time protocol [29] and the ICMP timestamp message [7], but
have been based on International Atomic Time (TAI), which is is specifically designed to maintain accuracy and reliability,
currently maintained using multiple cesium-beam clocks to an even when used over typical Internet paths involving multiple
accuracy of a few parts in 10l2 [l]. The International Bureau gateways and unreliable networks.
of Weights and Measures uses astronomical observations pro- There are no provisions for peer discovery, configuration
vided by the U.S. Naval Observatory and other observatories or acquisition in NTP itself, although some implementations
to determine corrections for small changes in the mean solar include these features. Data integrity are provided by the
rotation period of the Earth, which results in Coordinated IP and UDP checksums. No circuit-management, duplicate-
Universal Time (UTC). UTC is presently slow relative to detection or retransmission facilities are provided or necessary.
TA1 by a fraction of a second per year, so corrections in The protocol can operate in several modes appropriate to dif-
the form of leap seconds must be inserted in TA1 from time ferent scenarios involving private workstations, public servers
to time in order to maintain agreement. The U.S. and many and various network configurations. A lightweight association-
other countries operate standard time and frequency broadcast management capability, including dynamic reachability and
stations covering most areas of the world, although only a few variable poll-interval mechanisms, is used to manage state in-
utilize a timecode modulation suitable for computer use. formation and reduce resource requirements. Optional features
MILLS: INTERNET TIME SYNCHRONIZATION
include message authentication based on crypto-checksums
and provisions for remote control and monitoring. Since only
a single NTP message format is used, the protocol is easily
implemented and can be used in a variety of operating-system
and networking environments.
In NTP, one or more primary servers synchronize directly
to external reference sources such as timecode receivers.
Secondary time servers synchronize to the primary servers and
others in the synchronization subnet. A typical subnet is shown
in Fig. l(a), in which the nodes represent subnet servers, with
normal stratum numbers determined by the hop count to the
root, and the heavy lines the active synchronization paths and
direction of timing information flow. The light lines represent
backup synchronization paths where timing information is
exchanged, but not necessarily used to synchronize the local
clocks. Fig. l(b) shows the same subnet, but with the line
marked x out of service. The subnet has reconfigured itself
automatically to use backup paths, with the result that one of
the servers has dropped from stratum 2 to stratum 3.
The following subsections contain an overview of the data
formats, entities, state variables and procedures used in NTP.
Further detains are contained in the formal specification [22].
The specification is based on the information model illustrated
below, but it is not intended that this model be the only one
upon which a specification can be based. In particular, the
specification is intended to illustrate and clarify the intrinsic
operations of NTP and serve as a foundation for a more
rigorous, comprehensive and verifiable specification.
A. Determining Time and Frequency
Fig. 2 shows the overall organization of the NTP time-
server model. Timestamps exchanged between the server and
possibly many other subnet peers are used to determine indi-
vidual roundtrip delays and clock offsets, as well as provide
reliable error estimates. Fig. 3 shows how the timestamps
are numbered and exchanged between server A and peer B.
Let Ti, Ti-1, Ti-2, Ti--3 be the values of the four most
recent timestamps as shown and let a = Ti-2 - Ti-3 and
b = Ti-1 - Ti. Then, the roundtrip delay 6; and clock offset
0i of B relative to A at time Ti are
a+b
Si = a - b and 8; = -
2 .
In the present NTP version (2) errors due to local-clock
resolution and skew are minimized by the control-feedback
design shown in Fig. 2. In practice, errors due to stochastic
network delays dominate, however, it is not usually possible
to characterize network delays as a stationary random process,
since network queues can grow and shrink in chaotic fashion
and arriving customer traffic is frequently bursty.
Nevertheless, it is a simple exercise to calculate bounds
on network errors as a function of measured delay. The true
offset of B relative to A is called 0 in Fig. 3. Let x denote the
actual delay between the departure of a message from A and
+
its arrival at B. Therefore, x 0 = Ti-2 - Ti-3 = a. Since
x must be positive in our universe, x = a - 6 2 0, which
requires 0 5 a. A similar argument requires that b 5 8, so
1485
Fig. 1. Subnet synchronization.
surely b 5 8 5 a. This inequality can also be expressed
a+b U-b a+b a-b
b=---
2 2
505 -
2
+-2
= a,
which is equivalent to
In other words, the true clock offset must lie in the interval
of size equal to the measured delay and centered about the
measured offset.
Each NTP message includes the latest three timestamps
Ti-1, Tz-2, and Ti--3, while the fourth timestamp Ti is
determined upon arrival of the message. Thus, both the server
and the peer can independently calculate delay and offset using
a single message stream. This can be described as a sym-
metric, continuously sampled, time-transfer method similar to
those used in some digital telephone networks [25]. Among
its advantages are that the transmission times and received
message orders are unimportant and that reliable delivery is not
required. Obviously, the accuracies achievable depend upon
the statistical properties of the outbound and inbound data
paths. Further analysis and experimental results bearing on
this issue can be found below and in [5], [19], and [20].
As shown in Fig. 2, the computed delays and offsets are
processed in the data filters to reduce incidental timing noise
and the most accurate and reliable subset determined by
the peer-selection algorithm. The resulting offsets of this
subset are first combined on a weighted-average basis and
then processed by a phase-lock loop (PLL). In the PLL the
combined effects of the filtering, selection and combining
operations are to produce a phase-correction term, which
is processed by the loop filter to control the local clock,
which functions as a voltage-controlled oscillator (VCO). The
VCO furnishes the timing (phase) reference to produce the
timestamps used in the above calculations.
B. Modes of Operation
NTP time servers can operate in one of three service classes:
multicast, procedure-call, and symmetric. These classes are
distinguished by the number of peers involved, whether syn-
chronization is to be given or received and whether state
information is retained. The multicast class is intended for
use on high speed LAN’s with numerous workstations and
where the highest accuracies are not required. In the typical
scenario one or more time servers operating in multicast mode
send periodic NTP broadcasts. The workstation peers operating
in client mode then determine the time on the basis of an
assumed delay in the order of a few milliseconds. By operating
in multicast mode the server announces its willingness to
1486 IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO. 10, OCTOBER 1991

-
--+
Clock Loop Filter
Combining

each message is received and dissolve the association and

recover state storage if this status has not been refreshed for
a considerable time.

C. Data Formats
All mathematical operations assumed in the protocol
Ti-3 A Ti are two’s-complement arithmetic with integer or fixed-point
operands. Since NTP timestamps are cherished data and, in
Fig. 3. Measuring delay and offset.
fact, represent the main product of the protocol, a special
format has been established. An NTP timestamp is a 64 b
provide synchronization to many other peers, but to accept unsigned fixed-point number, with the integer part in the first
NTP messages from none of them. 32 b and the fraction part in the last 32 b and interpreted in
The procedure-call class is intended for operation with file standard seconds relative to UTC. When UTC began at Oh
servers and workstations requiring the highest accuracies or on January 1, 1972 the NTP clock was set to 2 272 060 800.0,
where multicast mode is unavailable or inappropriate. In the representing the number of standard seconds since this time at
typical scenario a time server operating in client mode sends Oh on January 1, 1900 (assuming no prior leap seconds).
an NTP message to a peer operating in server mode, which This format allows convenient multiple-precision arithmetic
then interchanges the addresses, inserts the requested time- and conversion to other formats used by various protocols
stamps, recalculates the checksum and optional authenticator of the Internet suite. The precision of this representation is
and returns the message immediately. By operating in client about 232 ps, which should be adequate for even the most
mode a server announces its willingness to be synchronized exotic requirements. Note that since some time in 1968 the
by, but not provide synchronization to a peer. By operating most significant bit of the 64 b field has been set and that
in server mode a server announces its willingness to provide the field will overflow some time in 2036. Should N T P be
synchronization to, but not be synchronized by a peer. in use in 2036, some external means will be necessary to
While the multicast and procedure-call classes may suffice qualify time relative to 1900 and subsequent 136 year cycles.
on LAN’s involving public time servers and perhaps many Historic timestamped data of such precision and requiring such
private workstation clients, the full generality of NTP requires qualification will be so precious that appropriate means should
distributed participation of a number of time servers arranged be readily conceived.
in a dynamically reconfigurable, hierarchically distributed con- Timestamps are determined by copying the current value of
figuration. This is the motivation for the symmetric modes the local clock to a timestamp variable when some significant
(active and passive). By operating in these modes a server event occurs, such as the arrival of a message. In some cases
announces its willingness to synchronize to or be synchronized a particular variable may not be available, such as when the
by a peer, depending on the peer-selection algorithm. Symmet- server is rebooted or the protocol is restarted. In these cases
ric active mode is designed for use by servers operating near the 64 b field is set to zero, indicating an invalid or undefined
the leaves (high stratum levels) of the synchronization subnet value. There exists a 232 ps interval, henceforth ignored, every
and with preconfigured peer addresses. Symmetric passive 136 years when the 64 b field will naturally become zero and
mode is designed for use by servers operating near the root thus be considered invalid.
(low stratum levels) and with a relatively large number of
peers on an possibly intermittent basis. D. State Variables
When a pair of servers operating in symmetric modes first Following is a summary description of the important vari-
exchange messages, a loosely coupled connection or associa- ables and parameters used by the protocol. In the symmetric
tion is created. Each server creates an instantiation of the modes a set of state variables is maintained for each associa-
NTP protocol machine with persistent state variables; however, tion. In other modes these variables have a fleeting persistence
the main purpose of the protocol machine is not to assure lasting only until the reply message has been formulated and
delivery but to preserve timestamps and related information. sent. Further discussion on some of these variables is given
In symmetric modes the servers refresh reachability status as later in this paper. A complete description is given in [22].
MILLS: INTERNET TIME SYNCHRONIZATION 1487

measured delay and offset associated with a single delay/offset

I LI bdModel Stratum I Poll I Precision I sample.
Delay, Offset, Dispersion: Indicate the current roundtrip
delay, clock offset and filter dispersion produced by the data-
Reference Timestamp (64bits) filtering algorithm.
Synchronization Source: Identifies the peer currently used
to synchronize the local clock, as determined by the peer-
selection algorithm.
Local Clock: The current local time as derived from the
local clock.

E. Procedures
Authenticator (optional) (96bits) The significant events of interest in NTP occur upon ex-
I J piration of a peer timer, one of which is dedicated to each
association, and upon arrival of an NTF' message. An event can
Fig. 4. NTP packet header.
also occur as the result of an operator command or detected
system fault, such as a primary reference source failure. This
Fig. 4 shows the NTP packet-header format, which follows subsection briefly summarizes the procedures invoked when
the IP and UDP headers. Following is a short description of these events occur.
the various fields. The transmit procedure is called when a peer timer decre-
Leap Indicator (LI): Warns of an impending leap second to ments to zero. When this occurs the peer timer is reset and an
be inserted or deleted in the UTC timescale at the end of the NTF' message is sent including the addresses, variables, and
current day. timestamps described above. The value used to reset the timer
Version Number (W): Identifies the present NTF' version is called the poll interval and is adjusted dynamically to reflect
(2). dispersive delays and reachability failures.
Mode, Stratum, Precision: Indicate the current operating The receive procedure is called upon arrival of an NTP
mode, stratum and local-clock precision. message, which is then matched with the association indicated
Poll Interval (Poll): The current desired interval between by its addresses and ports. This results in the creation of a
NTP messages sent. Each server uses the minimum of its own persistent association for a symmetric mode of a transient one
poll interval and that of the peer. for the other modes. Following a set of sanity checks the raw
Synchronization Distance, Synchronization Dispersion: In- roundtrip delay and raw clock offset sample are calculated as
dicates the total roundtrip delay and total dispersion, respec- described previously. A weighted voting procedure described
tively, to the primary reference source. in Section IV determines the best in a sequence of raw samples
Reference Clock Identijier, Reference Timestamp: Identifies and also an error estimator called the filter dispersion. The final
the type of reference clock and the time of its last update; values of roundtrip delay, clock offset and filter dispersion are
intended primarily for management functions. determined using the minimum-filter algorithm described in
Originate Timestamp: The peer time when the last received Section IV.
NTP message was originated, copied from its transmit time- The update procedure is called when a new set of estimates
stamp field upon arrival (z--3 above). becomes available. A weighted voting procedure described
Receive Timestamp: The local time when the latest NTP in Section IV determines the best peer, which may result in
message was received (TZ-2above). a new synchronization source, and also an error estimator
Transmit Timestamp: The local time when this NTP message called the select dispersion. If the synchronization source is
was transmitted (Ti-1 above). the peer for which the estimates have just been produced,
Authenticator (optional): The key identifier and encrypted
the estimated offset is used to adjust the local clock as
described in Section V. If due to a significant discrepancy the
checksum of the message contents.
local clock is reset, rather than gradually slewed to its final
The NTP protocol machine maintains state variables for
value, the procedure expunges all timing information, resets
each of the above quantities and, in addition, other state
the poll intervals and re-selects the synchronization source, if
variables, including the following:
necessary. A new synchronization source will be determined
Addresses and Ports: The 32 b Internet addresses and 16 b
when the data filters fill up again and the dispersions settle
port number of the server and peer, which serve to identify
down.
the association.
Peer Timer: A counter used to control the intervals between
transmitted NTP messages. F. Robustness Issues
Reachability Register: A shift register used to determine It has been the experience of the Internet community that
the reachability status of a peer. something somewhere in the system is broken at any given
Filter Register: A shift register used by the data-filtering time. This caveat applies to timecode receivers, time servers
algorithm, where each stage stores a tuple consisting of the and synchronization Faths, any of which can misbehave to
~

1488 IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO. 10, OCTOBER 1991

produce a bogus timestamp popularly known as a timewarp. used to improve the accuracy of the estimated delays and
The very nature of time synchronization requires that it be offsets between the various servers, as well as those used to
extremely robust against timewarps and capable of operation select a particular peer for synchronization. The complexity
even when major breakdowns or attempted break-ins occur. of these algorithms depends on the statistical properties of
This subsection describes some of the measures taken to deal the transmission path, as well as the accuracies and precisions
with these problems, including reachability, authentication and required. Since Internet paths often involve multiple hops over
poll control. networks of widely varying characteristics, it is not possible
As shown previously, reliable time synchronization does to design one set of algorithms optimized for a particular path.
not require reliable message delivery, however, in order to Another factor considered is to avoid the use of multiply/divide
minimize resource requirements, resist using very old data and operations in favor of simple shifts in order to facilitate
manage the memory resources required, a simple reachability implementation on dedicated microprocessors.
protocol is used in which a peer is considered unreachable A good deal of research has gone into mechanisms to
if no messages are received during eight consecutive poll synchronize clocks in a community where some clocks cannot
intervals. In the active modes the peer is marked unreachable, be trusted. Determining whether a particular clock can be
but polls continue; while, in the passive modes the association trusted is an interesting abstract problem which can be attacked
is dissolved and its resources reclaimed for subsequent use. using methods such as described in [14], [15], [MI, and [31]. A
Special sanity checks are provided to avoid disruptions number of algorithms for filtering, smoothing and classifying
due to system reboot, protocol restart or malfunction. For timekeeping data have been described in the literature [l],
instance, if the transmit timestamp of a message is identical [6], [12], [13], [19], including convergence algorithms, which
to one previously received, the message is a duplicate or attempt to reduce errors by repeatedly casting out statistical
replay and may contain bogus data. Since precision timestamps outlyers, and consistency algorithms, which attempt to classify
are difficult to spoof, the originate timestamp makes a fairly subsets of clocks as trusted or not by comparing statistics such
effective one-time pad. If a message contains an originate as mean and variance. The NTP data-filtering algorithm, which
timestamp that does not match the transmit timestamp of attempts to improve the offset estimate for a single clock, given
the last message transmitted, the message is either out of a series of observations, belongs to the former class. The NTP
order, from a previous association or bogus. Additional checks peer-selection algorithm, which attempts to find the best (i.e.,
protect against using very old time information and from the most reliable) clocks from a population, belongs to the
associations not completely synchronized. latter class.
Where security considerations require the highest level of
protection against message modification, replay and other overt A. Data-Filtering Algorithm
attacks, the NTP specification includes optional cryptographic
Interactive convergence algorithms use statistical clustering
authentication procedures. The procedures are used to insure
techniques such as the fault-tolerant average (FAT) algorithm
an unbroken chain of authenticated associations within theof [12], the CNV algorithm of [17], the majority-subset
synchronization subnet to the primary servers. An authenti-
algorithm of [19], the non-Byzantine algorithm of [30] and
cator, consisting of a key identifier and encrypted checksum,
the egocentric algorithm of [31]. A variation on the FAT
is computed using the DES encryption algorithm [9] and DESalgorithm suggested in a recent paper [6] attempts to bound
cipher block-chaining method [lo]. Some implementations the offset errors when reading a remote clock by casting
incorporate special provisions to compensate for the delays
out readings where the measured roundtrip delay is above a
inherent in the encryption computations. specified value. This algorithm has features in common with
Careful consideration was given during design to factors
the NTP data-filtering algorithm, but does not take advantage
affecting network overheads. Some of the present Internet of the improved accuracy possible using a statistical analysis
time servers operate with over 100 peers and a few operatesuch as described in this section.
with many more than that. Therefore, it is important that theThe NTP data-filtering algorithm, which has been evolved
longest poll intervals consistent with the required accuracy
over several years of experimentation and experience with
and stability be used. When reachability is first confirmed and
Internet paths, is designed specifically to provide high accu-
when dispersions are high it is necessary to use a relatively
racy together with low computational burden. Recall that the
wide PLL bandwidth, which requires a poll interval no greater
roundtrip delay 6 and clock offset 8 are computed from the
then about a minute. When the association has stabilized and
four most recent timestamps. Without making any assumptions
dispersions are low, the PLL bandwidth can be reduced to about the delay distributions due to packet queueing in either
improve stability, which allows the poll interval to be increased
direction along the path, but assuming the skew between the
substantially. In the present design the poll interval is increased
server and peer clocks is relatively small, let (6,O) represent
gradually from about one minute to about 17 min as long asthe delay and offset when the path is otherwise idle and
the filter dispersion is below an experimentally determined
thus the truf yalues. The problem is to produce an accurate
estimator (6,B ) from a sample population (Si,e;) collected
threshold; otherwise, it is decreased gradually to its original
value. for the path over an appropriate interval under normal traffic
conditions.
Iv. FILTERING, SELECTION, AND COMBINING OPERATIONS The approach used in the design of the data-filtering algo-
At the very heart of the NTP design are the algorithms rithm was suggested by the observation that packet-switching
MILLS: INTERNET TIME SYNCHRONIZATION
’
Cq
k0 0.2 0.4 0.6 0.8 1.o
Delay (sec)
Fig. 5. Offset versus delay.
networks are most often operated well below the knee of the
throughput-delay curve, which means that packet queues are
mostly small with relatively infrequent surges. In addition, the
routing algorithm most often operates to minimize the number
of packet-switch hops and thus the number of queues. Thus,
not only is the probability that an NTP packet finds a busy
queue in one direction relatively low, but the probability of
packets from a single exchange finding busy queues in both
directions is even lower. Therefore, the best offset samples
should occur at the lowest delays.
This observation suggests the design of a minimum fil-
ter, which selects from the n most recent samples (si,&),
(&-I, &-I), .. . , (&-n+1,8,-,+1) the sample- with lowest
delay 6, and produces (Sj,e,) as the estimator (6,e ) . Several
experiments were made to evaluate this design using mea-
surements between NTP primary servers, so that delays and
offsets could be determined independently of the measurement
procedure itself [24]. The experiments were performed over
several paths involving ARPANET, NSFNET and various
LAN’s and using minimum filters and various other algorithms
based on median and trimmed-mean statistics. The results
show consistently lower errors for the minimum filter when
compared the other algorithms. Perhaps the most dramatic
result with the minimum filter is the greatly reduced maximum
error under conditions of high levels of network traffic.
The delay/offset characteristics of a typical Internet path
are illustrated in Fig. 5, which is a scatter diagram plotting 8
versus S points for a path between primary servers on the east
and west coasts over an interval of about a week. This particu-
lar path involves seven networks and twelve gateways and is
among the most complex in the NTP synchronization subnet.
Under low-traffic conditions the points are concentrated about
the apex of the wedge and begin to extend rightward along
the extrema lines as the network traffic increases. As the traffic
continues to increase, the points begin to fill in the wedge as it
expands even further rightward. This behavior is characteristic
of typical Internet paths involving ARPANET, NSFNET and
regional neForks. From these data it is obvious that good
estimators (6,B ) are points near the apex, which is exactly
what the minimum filter is designed to produce.
In the reference implementation, samples (si,e,) are shifted
into an eight-stage shift register from one end, causing old
1489
samples to shift off the other. Then, all eight samples are
placed on a temporary list and sorted in order of increasing 6.
The first sample on the list (60,190)represents the estimators
(8,e ), which are recorded for each peer separately for later
processing by the selection and combining algorithms.
The filter dispersion is interpreted as a quality indicator,
with increasing values associated with decreasing quality
and weight in the selection and combining algorithms. A
good estimator which counts samples near the apex of the
wedge most heavily and is easily computable is the weighted
differences of the t9i in the sorted temporary list relative to Bo.
Assume the list has n > 1 entries (n = 8 in this case) with
(Sj,e,) ( j = 0,1, ,n - 1) samples in order of increasing
Si. The filter dispersion E is defined
n-1
j=O
where v is an experimentally adjusted weight factor, v = 0.5 in
the reference implementation. The filter dispersion is recorded
for each peer separately for later processing by the selection
and combining algorithms.
B. Peer-Selection and Combining Algorithms
The single most important contribution factor in maintaining
high reliability with NTP is the peer-selection and combining
algorithms. When new offset estimates are produced for a
peer or are revised as the result of timeout, this mechanism
is used to determine which peer should be selected as the
synchronization source and how to adjust the local-clock,
stratum, and related variables.
Interactive consistency algorithms are designed to tolerate
faulty clock processes which might indicate grossly inconsis-
tent offsets in successive readings or to different readers. These
algorithms use an agreement protocol involving successive
rounds of readings, possibly relayed and possibly augmented
by digital signatures. Examples include the fireworks algo-
rithm of [12] and the optimum algorithm of [33]. However,
these algorithms as described require an excessive burden
of messages, especially when large numbers of clocks are
involved, and require statistically awkward assumptions in
order to certify correctness.
While drawing upon the technology of agreement algo-
rithms, the NTP peer-selection algorithm is not strictly one
of them, but an adaptation based on maximum-likelihood
statistical principles and the pragmatic observation that the
highest reliability is usually associated with the lowest stratum
and synchronization dispersion, while the highest accuracy is
usually associated with the lowest stratum and synchronization
distance. A key design assumption is that truechimers are rela-
tively numerous and represented by random variables narrowly
distributed about UTC in the measurement space, while falset-
ickers are relatively rare and represented by random variables
widely distributed throughout the measurement space.
The peer-selection algorithm begins by constructing a list of
candidate peers sorted first by stratum and then by synchro-
nization dispersion. To be included on the candidate list a peer
must pass several sanity checks designed to detect blatant er-
 , #

1490 IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO. 10, OCTOBER 1991

rors and defective implementations. If no peers pass the sanity
checks, the existing synchronization source, if any, is cancelled
and the local clock free-runs at its intrinsic frequency. The list
is then pruned from the end to a predetermined maximum size
and maximum stratum.
The next step is designed to detect falsetickers or other
conditions which might result in gross errors. The candidate
list is resorted in the order first by stratum and then by
synchronization distance. Let m > 0 be the number of can-
didates remaining in the list and let 8, be the offset of the jth
candidate. For each j ( 0 5 j < m) the select dispersion ~j
relative to candidate j is defined
m-I
k=O
where w is a factor experimentally adjusted for the desired
characteristic (see below), Then discard the candidate with
maximum ~j or, in case of ties the maximum j, and repeat
the procedure. The procedure terminates when the maximum
accurate time and stable frequency over wide variations in
synchronization path delays. In the NTP local-clock model
the fundamental system time reference, or logical clock, in-
crements at some standard rate such as 1000 Hz and can be
adjusted to precise time and frequency by means of periodic
corrections determined by NTP, a timecode receiver or a
calibrated atomic clock.
The model shown in Fig. 6 can be described as a type-11,
adaptive-parameter, phase-lock loop (PLL), which continu-
ously corrects local oscillator phase and frequency variations
relative to received updates. The difference between the peer
time and server time TB - TA;that is, the offset 13 shown in
Fig. 3, is processed by the phase detector PD to produce the
output V d . The filtering, selection and combining algorithms
shown in Fig. 2 operate as a variable delay network to produce
the output V,. The loop filter produces the output V,, which is
used to adjust the frequency of the voltage-controlled oscillator
VCO in order to reduce the offset 8.
Using familiar techniques of analysis [32], the (open-loop)

z).-..
transfer function of the PLL can be approximated as
select dispersion over all candidates remaining on the list is
less than the minimum filter dispersion of any candidate or
until only a single candidate remains.
F ( s )= & (1 +
The above procedures are designed to favor those peers near where w, is the gain (crossover frequency), w z the comer
the beginning of the candidate list, which are at the lowest frequency of the lead network (necessary for PLL stability), T
stratum and lowest delay and presumably can provide the is the datq-filter delay and T is a parameter used for bandwidth
most accurate time. With proper selection of weight factor w, control. Simulation of the entire PLL with the variables and
outlyers will be discarded from the end of the list, unless some constants specified in [22] results in the following characteris-
other entry disagrees significantly with respect to the remain- tics: At the widest bandwidth (smallest T) and a 100-ms phase
ing entries, in which case that entry is discarded. For example, change the PLL reaches zero error in 39 min, overshoots 7 ms
with w = 0.75 as used in the reference implementation, a in 54 min and settles to less than 1 ms in about 6 h.
single stratum-2 server at the end of the candidate list will Bandwidth control is necessary to match the PLL dynamics
swing the vote between two stratum-1 servers that disagree to varying levels of timing noise due to the intrinsic stability
with each other. While these outcomes depend on judicious of the local oscillator and the prevailing delay variances in the
choice of w, the behavior of the algorithm is substantially the network. On one hand, the PLL must track room-temperature
same for values of w between 0.5 and 1.0. quartz oscillators found in common camputing equipment,
The offsets of the peers remaining on the candidate list are where the frequency may be accurate to only 0.01% and
statistically equivalent, so any of them can be chosen to adjust may vary several parts-per-million (ppm) as the result of
the local clock. Some implementations combine them using normal room-temperature variations. On the other hand, after
a weighted-average algorithm similar to that described in [l], the frequency errors have been tracked for several days, and
in which the offsets of the peers remaining on the list are assuming the local oscillator is appropriately compensated,
weighted by estimated error to produce a combined estimate. the loop must maintain stabilities to the order of 0.01 ppm.
In these implementations the error estimate is taken to be the The NTP PLL is designed to adapt automatically to these
reciprocal of synchronization dispersion. regimes by measuring the dispersions and adjusting T over
The update procedure also sets the local stratum to one a five-octave range. Design details are discussed in [22] and
greater than the stratum of the selected peer. In addition, performance assessed in [24].
the server synchronization distance-the sum of the total
roundtrip delays to the root of the synchronization subnet, as VI. NTP IN THE INTERNET SYSTEM
well as the server synchronization dispersion-the sum of the
The penetration of NTP in the Internet has steadily increased
total dispersions to the root of the synchronization subnet, are
over the last few years. It is estimated that well over 2000
calculated and recorded in a system state variable. All three
hosts presently synchronize local clocks to UTC using NTP
of these quantities are included in the NTP message header.
and the Internet primary servers. In this section an overview of
the various NTP implementations and subnet configurations is
V. LOCAL-CLOCKDESIGN presented along with an evaluation of performance expected
Precision timekeeping requires an exceptionally stable lo- in routine operation.
cal oscillator reference in order to deliver accurate time The Fuzzball [21] is a software package consisting of
when the synchronization path to a primary server has failed. a fast, compact operating system and an array of applica-
Furthermore, the oscillator and control loop must maintain tion programs for network protocol development, testing, and
MILLS: INTERNET TIME SYNCHRONIZATION 1491

The three campus servers in turn provide synchronization for

several stratum-3 department servers, each operating with all
and Combining three campus servers. Department servers, many of which also
function as file servers, then deliver time to possibly hundreds
of stratum-4 workstations in clientherver or multicast modes.
As part of normal operations the Fuzzball time servers
monitor delay and offset data from each of their peers.
Fig. 6. Phase-lock loop model. Periodically, these data are collected and analyzed to construct
scatter diagrams, time-series diagrams and distribution func-
tions. Scatter diagrams such as Fig. 5 have proven exquisitely
evaluation. It usually runs on a DEC LSI-11 personal work- sensitive indicators of network performance and possible mal-
station, which functions as an experiment platform capable functions. Time-series diagrams showing absolute offsets such
of millisecond timing accuracies and supports several types as Fig. 7, constructed from the same data as Fig. 5, are useful
of timecode receivers and precision timebases. Since NTP for assessing algorithm performance and systematic errors.
and its forebears were developed and tested on the Fuzzball, Distribution functions plotted on log-log axes such as Fig. 8,
the present implementation is the reference one for the NTP also constructed from the same data, are useful in evaluating
specification. An implementation of NTP for Unix systems the performance of data-filtering algorithms. The figure shows
was built by M. Petry and L. Mamakos at the University the absolute raw offsets (upper curve) and filtered offsets
of Maryland. An implementation of NTP for Unix systems (lower curve), from which it is apparent that the maximum
and for a dedicated Motorola 68000 microprocessor was built error after the filter is less than about 30 ms for all but about
by Dennis Ferguson at the University of Toronto. Both Unix one percent of the samples and less than about 50 ms for
implementations adjust the local-clock phase and frequency all samples. A companion paper [24] contains an extended
using kernel primitives designed for this purpose and support discussion of performance issues and concludes that, using
various types of timecode receivers. Other implementations the adaptive-parameter PLL model described above together
are in progress at Hewlett-Packard Laboratories, University with the new combining algorithm, timing accuracies to a few
College London and University of Delaware. milliseconds and frequency stabilities to a few milliseconds
The NTP primary synchronization subnet now operating per day are regularly achieved.
in the Internet consists of over two dozen Fuzzball and
Unix primary time servers located in the U.S., Canada, the
United Kingdom, and Norway. All servers are synchronized
to UTC via radio or satellite. Two servers use calibrated VII. FUTUREDIRECTIONS
atomic clocks and two use LORAN-C timing receivers as The IRIG-H timecode format established in 1970 and used
precision timebases. Six servers are connected directly to na- since then by NBS/NIST radio broadcast services does not
tional backbone networks, including NSFNET and ARPANET, include either year information or advance notice of leap-
and are intended for ubiquitous access, while the remainder second insertion. Currently, this information must be provided
are connected to regional networks and intended for regional at the primary servers by other means. It is reported (personal
and local access. All primary servers continuously exchange communication) that this information will soon be available
NTP messages with most of the other primary servers, which in at least some radio services. In fact, the recently introduced
provides an exceptional level of redundancy and protection NIST telephone time service [26] already includes both the
against failures. For instance, if a timecode receiver fails, a year and advance leap-second information.
primary (stratum-1) server synchronizes via NTP to the nearest The current mechanism of time delivery using dedicated
primary peer and continues operation as a secondary (stratum- radio systems and multifunction radio navigation and land-
2) server. If a primary server turns falseticker, discrepancies resources satellite systems requires relatively expensive
become apparent to its NTP peers, which then deselect the timecode receivers subject to occasional disruption due to
server as the result of the algorithms described previously. propagation path or radio failure. A plan once proposed by
The NTP secondary synchronization subnet presently in- NIST using national television networks for time transfer
cludes an estimated total of over 2000 secondary time servers has been generally thwarted by the growing use of buffered
using some thousands of transmission paths on hundreds of frame regeneration at the local stations. However, the growing
networks. A secondary server operating at stratum n > 1 penetration of cable television systems suggests a new
ordinarily operates with at least three peers, two at stratum opportunity for time distribution, such as providing incentives
n - 1 and one or more at stratum n. In the most robust for cable operators to rebroadcast WWV, for example. An
configuration a set of servers agree to provide backup service agenda should be pursued to promote the installation of
for each other, so run NTP with some of the stratum-(n - 1) NTP primary servers with Internet connectivity at various
servers and some of the other stratum-n servers in the same set. national standards laboratories. In fact, a pilot project is
In a typical example configuration used at the University of now in operation at the Norwegian Telecommunications
Illinois and the University of Delaware the institution operates Administration Research Establishment, in which Fuzzball
three stratum-2 campus servers, each operating with two out primary NTP servers are synchronized directly to the
of six different stratum-1 primary servers and with each other. Norwegian national standards.
1492
zz ACKNOWLEDGMENT
The author acknowledges the referees for valuable sugges-
Y
0 1 2 3 4 5 8 7 8
nme (NTP days)
Fig. 7. Error offsets.
2
n r -
2 [4] B. E. Blair, “Time and frequency dissemination: An overview of prin-
I
I Comput. J., vol. 31, no. 6, pp. 496-502, 1988.
0.001 0.01 0.1 1 10
offset (sec)
Fig. 8. Error distributions.
As experience accumulates, improvements are being made
continuously to the filtering and selection algorithms de-
scribed in this paper. Recent improvements now being tested
include engineered budgets for reading errors and skew-
error accumulation, as well as an improved peer-selection
algorithm based on the work of Marzullo and Owicki [18].
The goal is to provide reliable timing and timing-error infor-
mation while preserving correctness, stability and accuracy.
There may also be room for additional improvements in the
offset-combination algorithm recently introduced, for example,
as well as methods to compensate for asymmetric delays
commonly found on Internet paths. Other improvements be-
ing considered include automatic subnet configuration and
dynamic activation of peer associations when other peer asso-
ciations become unreachable. These features are intended to
reduce the network overhead when a large number of possible
peers are available, but only a few are needed for reliable
synchronization.
At present, NTP support is available only for Fuzzball
and Unix systems. Support is needed for other systems,
including mainframes and personal workstations of various
manufacture. While NTP has been evolved within the Internet
protocol suite, there is obvious application to the OS1 protocol
suite, in particular the protocols of the connectionless (CLNS)
branch of that suite. Perhaps the most attractive methodology
would be to integrate NTP functions directly into the ES-
IS and IS-IS routing functions and network management
systems.
IEEE TRANSACTIONS ON COMMUNICATIONS, VOL. 39, NO. 10, OCTOBER 1991
tions on this paper. Thanks are due to the tribe of volunteer
timetrekkers, too numerous to list here, who have assisted
in the implementation and testing projects leading to the
deployment of NTP.Thanks are also due to the U.S. Coast
Guard, who kindly provided a cesium clock and LORAN-C
receiver on loan, as well as the U.S. Naval Observatory, who
provided calibration assistance and much useful advice.
REFERENCES
[ l ] D. W. Allan, J. E. Gray, and H. E. Machlan, “The National Bureau of
Standards atomic time scale: generation, stability, accuracy and acces-
sibility,” in Time and Frequency Theory and Fundamentals, B. E. Blair,
E d Nat. Bureau of Stand. Monograph 140, US. Dep. Commerce,
1974, pp. 205-231.
[2] Bell communicationsResearch, “Digital Synchronization network plan,”
Tech. Advisory TA-NPG000436, Nov. 1, 1986.
131 D. Bertsekas and R. Gallager, Data Networks. Englewood Cliffs, NJ:
Prentice-Hall, 1987.
ciples and techniques,” in Time and Frequency Theory and Fundamen-
tals, B. E. Blair, Ed: Nat. Bureau of Stand. Monograph 140, U.S. Dep.
Commerce, 1974, pp. 233-313.
[5] R. Cole and C. Foxcroft, “An experiment in clock synchronization,”The
[6] F. Cristian, “A probabilistic approach to distributed clock synchroniza-
tion,” in Proc. Ninth ZEEE Int. Conj Distrib. Comput. Syst., June 1989,
pp. 288-296.
[7] Defense Advanced Research Projects Agency, Internet Control Message
Protocol, DARPA Network Working Group Rep. RFC-792, U.S.C.
Inform. Sci. Inst., Sept. 1981.
[8] Defense Advanced Research Projects Agency, Internet Protocol, DARPA
Network Working Group Rep. RFC-791, U.S.C. Inform. Sci. Inst., Sept.
1981.
[9] Data Encryption Standard, Federal Information Processing Standards
Publication 46, Nat. Bureau of Stand., U.S. Dep. Commerce, 1977.
[101 DES Modes of Operation, Federal Information Processing Standards
Publication 81, Nat. Bureau of Stand., US.Dep. Commerce, Dec. 1980.
[ l l ] R. Gusella and S. Zatti, “TEMPO-A network time controller for a
distributed Berkeley UNIX system,” IEEE Distrib. Processing Tech.
Committee Newsletter 6, NoSI-2, June 1984, pp. 7-15. Also in Proc.
Summer 1984 USENIX, Salt Lake City, UT, June 1984.
[I21 J.Y. Halpern, B. Simons, R. Strong, and D. Dolly, “Fault-tolerant clock
synchronization,”in Proc. ThirdAnnu. ACM Symp. Principles ofDistrib.
Comput., Aug. 1984, pp. 89- 102.
[131 H. Kopetz and W. Ochsenreiter, “Clock synchronization in distributed
real-time systems,”IEEE Trans. Comput., vol. C-36, pp. 933-939, Aug.
1987.
[14] L. Lamport, “Time, clocks and the ordering of events in a distributed
system,” Commun.ACM, vol. 21, no. 7, pp. 558-565, July 1978.
[15] L. Lamport and P.M. Melliar-Smith, “Synchronizing clocks in the
presence of faults,” JACM, vol. 32, no. 1, pp. 52-78, Jan. 1985.
[16] W. C. Lindsay and A. V. Kantak, “Network synchronization of random
signals,” IEEE Trans. Commun., vol. COM-28, pp. 1260-1266, Aug.
1980.
[17] J. Lundelius and N. A. Lynch, “A new fault-tolerant algorithm for clock
synchronization,” in Proc. Third Annu. ACM Symp. Principles Distrib.
Comput., Aug. 1984, pp. 75-88.
[18] K. Marzullo and S. Woicki, “Maintaining the time in a distributed
system,”ACM Oper. Syst. Rev., vol. 19, no. 3, pp. 44-54, July 1985.
[19] D. L. Mills, “Algorithms for synchronizing network clocks,” DARPA
Network Working Group Rep. RFC-956, M/A-COM Linkabit, Sept.
1985.
[20] -, “Experiments in network clock synchronization,” DARPA Net-
work Working Group Rep. RFC-957, WA-COM Linkabit, Sept. 1985.
[21] -, “The Fuzzball,” in Proc. ACM SIGCOMM 88 Symp., Palo Alto,
CA, Aug. 1988, pp. 115-122.
[22] -, “Network time protocol (version 2) specification and imple-
mentation,” DARPA Network Working Group Rep. RFC-1119, Univ.
Delaware, Sept. 1989.
MILLS: INTERNET TIME SYNCHRONIZATION
[23] -, “Internet time synchronization: The network time protocol,”
DARPA Network Working Group Rep. RFC-1129, Univ. Delaware,
Oct. 1989.
[24] -, “On the accuracy and stability of clocks synchronized by the
network time protocol in the Internet system,” ACM Comput. Commwl.
Rev., vol. 20, no. 1, pp. 65-75, Jan. 1990.
[25] D. Mitra, “Network synchronization: Analysis of a hybrid of master-
slave and mutual synchronization,” IEEE Trans. Corm”., vol. COM-
28, pp. 1245-1259, Aug. 1980.
[26] Automated Computer Time Service (ACTS), NBS Res. Material 8101,
U.S. Dep. Commerce, 1988.
[27] J. Postel, “User datagram protocol,” DARPA Network Working Group
Rep. RFC-768, U.S.C. Inform. Sci. Inst., Aug. 1980.
[28] -, “Daytimeprotocol,” DARPA Network Working Group Rep. RFC-
867, U.S.C. Inform. Sci. Inst., May 1983.
[29] -, “Time protocol,” DARPA Network Working Group Rep. RFC-
868, U.S.C. Inform. Sci. Inst., May 1983.
[30] N. W. Rickert, “Non Byzantine clock synchronization-A programming
experiment,” ACM Oper. Syst. Rev., vol. 22, no. 1, pp. 73-78, Jan.
1988.
[31] F. B. Schneider, “A paradigm for reliable clock synchronization,” De-
part. Comput. Sci. Tech. Rep. TR 86-735, Cornel1 Univ., Feb. 1986.
[32] J. Smith, Modern Communications Circuits. New York: McGraw-Hill,
1986.
[33] T. K. Srikanth and S. Toueg, “Optimal clock synchronization,”JACM,
vol. 34, no. 3, pp. 626-645, July 1987.
[34] 2. Su, “A specification of the Internet protocol (IP) timestamp option,”
DARPA Network Working Group Rep. RFC-781, SRI Int., May 1981.
1493
David L. Mills (S’59-M’90) received the Doctor-
ate in computer and communication sciences from
the University of Michigan in 1971 and has held
postdoctoral positions at the University of Edin-
burgh (Scotland) and U.S. Defense Communications
Agency.
He is Professor of Electrical Engineering at
the University of Delaware and presently leads
projects in high-speed networks and internetworking
research sponsored by the Defense Advanced
Research Projects Agency and National Science
Foundation. His research activities have been concentrated in the areas of
network architecture, protocol engineering and experimental studies using
the DARPA/NSF Internet system. He is a member of the Internet Research
Steering Group and formerly chaired the Internet Architecture Task Force. He
is also an advisor to the NSF networking program and was principal architect
of the NSFNET Phase-I Backbone network.
Before joining the faculty in 1986, Dr. Mills was a Director (Networks)
at MA-COM Government Systems Division (Lmkabit) and led DARPA-
sponsored R&D projects in packet-switching network architectures and
application protocols. Before that he was a Senior Research Scientist
at COMSAT Laboratories, where he worked in the areas of packet-
switching satellite and internetworking technologies, and Assistant Professor
of Computer Science at the University of Maryland, where he worked on
several research projects in distributed computer networks and operating
systems.
Dr. Mills has published and lectured extensively on data communications,
computer networks and operating systems and has been a consultant to a
number of corporations and government agencies. He is a member of Sigma
Xi, Association for Computing Machinery, and IEEE Computer Society.