Mikrotik NTP Synchronization
Need help securing your MikroTik routers? Our MikroTik Router Hardening Guide is available as a printable copy, complete with a checklist, links to STIGs, and more in-depth discussions of best practices than will fit in a blog post.
Syncing the clocks between all of your devices is a critical part of keeping your networks healthy. Time affects network security, VPN stability, and more.
Relying on NTP
Protocols like IPSEC and Kerberos exchange keys and tokens that are time-stamped with lifetime values that determine validity. If one router's clock runs ahead of another's, those keys will expire sooner on that side, causing IPSEC tunnels to bounce. If the clocks are far enough apart, IPSEC tunnels may not come up at all because keys from one side of the tunnel will never appear valid on the other side.
There are security implications as well - in the event of a security incident, if the logs on your devices have inconsistent timestamps then event correlation will be impossible. When investigating an incident it's paramount that logs be reliable and accurate. Speaking of logging, it's also prudent to centralize your logging on a server, commonly with Syslog and The Dude. For Syslog events we want the reported timestamps to be accurate across the board.
In terms of NTP servers you have a few choices - host an NTP server within your network, refer your devices to an external NTP server, or do both. For the purposes of this article we will simply use an external NTP service, hosted by the NTP.org project. This is a fantastic project that millions of internet users rely on, and if you have a spare server that you could volunteer to take part in their network please do.
One simple command will tell your routers to sync with the pool.ntp.org service, which is load-balanced and reliable:
/system ntp client set enabled=yes server-dns-names=time.google.com,0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
Your router will sync its clock to the nearest NTP server participating in the pool, and continue to make small clock adjustments regularly over time as needed. Bear in mind that if you're running services that depend on timestamps (like IPSEC) this may cause a brief interruption if your clocks are off significantly.
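Added example, not code from the original post or from MikroTik: a small Python NTP client that measures this host's clock offset against a server the article names, using the RFC 5905 offset and delay formulas, and flags skew large enough to break time-stamped protocols. The 300-second tolerance is an assumption (the usual Kerberos default for maximum clock skew); set whatever limit your IPSEC and Kerberos deployments actually tolerate.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def to_ntp(t):
    """Unix time -> 64-bit NTP fixed point (32-bit seconds, 32-bit fraction)."""
    return int(t) + NTP_DELTA, int((t - int(t)) * 2**32)

def from_ntp(secs, frac):
    """64-bit NTP fixed point -> Unix time as a float."""
    return secs - NTP_DELTA + frac / 2**32

def build_packet(mode, stratum=0, t_orig=0.0, t_recv=0.0, t_xmit=0.0):
    """48-byte NTPv3 packet: mode 3 = client request, mode 4 = server reply."""
    pkt = bytearray(48)
    pkt[0] = (3 << 3) | mode  # LI=0, VN=3, mode
    pkt[1] = stratum
    # originate (offset 24), receive (32) and transmit (40) timestamps
    struct.pack_into("!IIIIII", pkt, 24, *to_ntp(t_orig), *to_ntp(t_recv), *to_ntp(t_xmit))
    return bytes(pkt)

def parse_reply(pkt):
    """Return (stratum, t1, t2, t3) from a server reply; reject anything that is not mode 4."""
    if len(pkt) < 48 or pkt[0] & 0x07 != 4:
        raise ValueError("not a 48-byte NTP server reply")
    f = struct.unpack_from("!IIIIII", pkt, 24)
    return pkt[1], from_ntp(f[0], f[1]), from_ntp(f[2], f[3]), from_ntp(f[4], f[5])

def clock_offset(t1, t2, t3, t4):
    """RFC 5905 offset and round-trip delay of the local clock relative to the server."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def skew_ok(offset, limit=300.0):
    """True if |offset| is within the tolerance (assumed 300 s, the common Kerberos default)."""
    return abs(offset) <= limit

def query(server, timeout=2.0):
    """Query an NTP server on UDP/123 and return (stratum, offset_s, delay_s) for this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_packet(3, t_xmit=t1), (server, 123))
        data, _ = s.recvfrom(48)
        t4 = time.time()
    stratum, _, t2, t3 = parse_reply(data)
    offset, delay = clock_offset(t1, t2, t3, t4)
    return stratum, offset, delay

if __name__ == "__main__":
    for host in ("0.pool.ntp.org", "time.google.com"):  # servers named in the article
        stratum, offset, delay = query(host)
        print("%s stratum=%d offset=%+.3fs delay=%.3fs ok=%s" % (host, stratum, offset, delay, skew_ok(offset)))
```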
There is one other issue of note, particularly if you have multiple networks across different time zones. Depending on your configuration it may be prudent to configure all your devices for the UTC time zone. This ensures that all devices have consistent time configurations, and when correlating log entries between devices in different time zones you won't have to adjust for local time. If you have routers in different states or countries that observe daylight saving time differently, UTC further simplifies things.
/system clock set time-zone-name=UTC
Be aware that changing time zones on your devices will most likely bounce VPN tunnels momentarily, and it's important that all devices be on UTC time.