Path: csiph.com!weretis.net!feeder9.news.weretis.net!news.misty.com!news.iecc.com!.POSTED.news.iecc.com!not-for-mail
From: "Miroslav Lichvar via questions Mailing List" <questions@lists.ntp.org>
Newsgroups: comp.protocols.time.ntp
Subject: Re: best current practices regarding "peer"?
Date: Mon, 23 Mar 2026 11:53:00 -0000 (UTC)
Organization: Taughannock Networks, Trumansburg NY
Message-ID: <acEop7FmCfxBZjYa@localhost>
References: <OPrK_ibu858KdMgqHuQYFfB0TH31AV-x@violet.siamics.net>
Reply-To: "Miroslav Lichvar" <mlichvar@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 23 Mar 2026 11:53:00 -0000 (UTC)
Injection-Info: gal.iecc.com; posting-host="news.iecc.com:2001:470:1f07:1126:0:676f:7373:6970"; logging-data="48409"; mail-complaints-to="abuse@iecc.com"
To: questions@lists.ntp.org
Return-Path: <questions-owner@lists.ntp.org>
Delivered-To: ntpquestions@iecc.com
Errors-To: questions-owner@lists.ntp.org
X-Spam-Checker-Version: SpamAssassin 4.0.2 (2025-08-27) on gal.iecc.com
X-Spam-Status: No, score=-3.1 required=4.4 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=4.0.2
Authentication-Results: iecc.com; spf=pass spf.mailfrom=questions-owner@lists.ntp.org spf.helo=mail0.chi1.ntfo.org smtp.remote-ip="204.93.207.17"; dkim=pass header.d=lists.ntp.org header.s=mail header.a=rsa-sha256 header.b="ec4m50J8"; dmarc=pass header.from=lists.ntp.org polrec.p=quarantine polrec.pct=100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ntp.org; s=mail; t=1774266576; bh=Ku9l9OFE0SPmmIvdJt9j6PFGxB2g22Xk3pbmArdK2zo=; h=Date:From:To:Subject:Message-ID:References:MIME-Version: In-Reply-To:Content-Type:Content-Transfer-Encoding:Reply-To:Sender: List-Id:List-Help:List-Subscribe:List-Unsubscribe:List-Post: List-Owner:List-Archive; b=ec4m50J80IXHvrOA/+lktVEI9F+giKXhIi2WZjSuRBGTRg0yWLuxVbo6/6FiTcqQI gPZ8omddDuiot+8gNYX1gRtWPe0BAzfiiz7PlKJ+wJDNww+9rbPmll8ZeEnz1pMl8I h5pm8VwwTo
X-MC-Unique: bUEHWLfUObqTGlnfe97sBA-1
X-Mimecast-MFC-AGG-ID: bUEHWLfUObqTGlnfe97sBA_1774266539
In-Reply-To: <OPrK_ibu858KdMgqHuQYFfB0TH31AV-x@violet.siamics.net>
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.17
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: GJxdWK-LpuxY3KrDDQMceuPjOTKdn6WjqZbimpEZcd8_1774266539
X-Mimecast-Originator: redhat.com
Content-Disposition: inline
X-Loop: questions@lists.ntp.org
List-Id: <questions.lists.ntp.org>
List-Help: <https: //lists.ntp.org/sympa/help>, <mailto:sympa@lists.ntp.org?subject=HELP>
List-Subscribe: <https: //lists.ntp.org/sympa/subscribe/questions>, <mailto:sympa@lists.ntp.org?subject=SUB%20questions>
List-Unsubscribe: <https: //lists.ntp.org/sympa/signoff/questions>, <mailto:sympa@lists.ntp.org?subject=SIG%20questions>
List-Post: <mailto: questions@lists.ntp.org>
List-Owner: <mailto: questions-request@lists.ntp.org>
List-Archive: <https: //lists.ntp.org/sympa/arc/questions>
X-Original-DMARC-Record: domain=redhat.com; v=DMARC1; p=quarantine; rua=mailto: 5f1992045035946@rep.dmarcanalyzer.com; ruf=mailto:5f1992045035946@for.dmarcanalyzer.com; fo=1;
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774266543; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Ku9l9OFE0SPmmIvdJt9j6PFGxB2g22Xk3pbmArdK2zo=; b=DstFIxMbTFUy9eNiPTLq3RozkcGkG/aJHmoRjnFjkF9IN8QiB7ySxVeuXwj3/a24gMrMbR s3iYhkyy6W/GE4M2CPm6MnqThV12bdXYi
X-Original-From: Miroslav Lichvar <mlichvar@redhat.com>
X-DCC-iecc-Metrics: gal.iecc.com 1107; Body=1 Fuz1=1 Fuz2=1
Mail-to-news: iecc.com
Xref: csiph.com comp.protocols.time.ntp:164241

On Thu, Mar 19, 2026 at 01:25:23PM +0000, Ivan Shmakov wrote:
> 	To my surprise, I’ve found that as part of the ‘hardening’ effort
> 	for NTPsec (the version included in Debian Trixie) the ‘peer’
> 	association type got removed; this is what I get in syslog:
> 
> CONFIG: peer deprecated, treated as server: (peer-IP-address)
> 
> 	The question is: what is the best current practice for having 
> 	‘a clique of low-stratum peers operate as mutual backups for each
> 	other’?  Is ‘peer’ truly deprecated for any and all possible uses?

"peer" configures a symmetric association. "server" configures a
client-server association. A symmetric association can be fully
replaced by two client-server associations in the opposite directions.
It just doubles the network traffic. Basically, the client-server mode
is a special case of the symmetric mode. NTP originally had only
the symmetric mode, later was added client-server mode, and couple
decades later the symmetric mode might be removed from NTP completely.

The current best practice for "a clique of low-stratum peers operate
as mutual backups for each other" is the same except use "server"
instead of "peer".

The only interesting feature of the symmetric mode is that time can be
pushed to a host that doesn't specify the other peer in its config.
The disadvantages are much more difficult implementation, worse
security, and less accurate measurement of the network delay due to
much larger intervals between requests and responses.

-- 
Miroslav Lichvar