Accurate and secure time is essential for the security and trustworthiness of the Internet. Many systems that we regularly interact with rely on accurate time to function properly. Accurate time also provides an essential foundation for online security, and many security mechanisms, such as digital certificates used for Transport Layer Security (TLS), depend on accurate timekeeping. The Network Time Protocol (NTP) provides time synchronization for clocks on computer networks.
NTP’s security mechanisms were designed in an era when most Internet traffic was trusted and the risk of attack was low. With the continued exponential expansion of the Internet, these mechanisms became outdated and needed to be redesigned. The Internet Engineering Task Force (IETF) has been working on a specification for Network Time Security (NTS) for several years now. This specification was approved by the Internet Engineering Steering Group (IESG) in March of this year and is currently in the RFC editing process for final publication. Over the last couple of years, a series of NTS projects has been held as part of the IETF Hackathons. These projects have worked to identify mistakes and ambiguities in the specification and to test and improve interoperability between implementations.
Time Community Collaboration
Recently, as part of the IETF 108 virtual hackathon, there was another successful event in this series. Representatives from several organizations including chrony, Cloudflare, Netnod, Orolia, Ostfalia University of Applied Sciences, Physikalisch-Technische Bundesanstalt (PTB), and the Internet Society took part in the project on Network Time Security (NTS) in July 2020. By the end of the week, there were 13 installations of six different NTS server implementations. These server implementations were tested against five different client implementations, showing improvements in the maturity and interoperability of both the client and server implementations of NTS.
Additionally, a key highlight of the effort was the contribution of the first NTS test tool. This tool was contributed by Miroslav Lichvar; it checked an implementation’s adherence to the specification and performed some basic performance tests. A short presentation on the outcomes of the NTS project at the IETF 108 virtual Hackathon is available here.
NTS Support
There are now two mainstream open source NTP implementations that have added NTS support: chrony and NTPsec. Additionally, there are open source NTS implementations from Netnod, Ostfalia, and Cloudflare. The Internet Society’s Time Security project is building a distributed testbed with some of these implementations to provide additional test and implementation opportunities for the wider community.
Find out more:
- Check our Time Security project home page for regular updates
- IETF 108 Virtual Hackathon Results
- IETF NTS document
- Everything you Need to Know about Time Security (Netnod)
- NTS Interoperability Results (2019, APNIC)