The Internet Society is pleased to see the publication of RFC 8915: Network Time Security for the Network Time Protocol by the Internet Engineering Task Force (IETF). This standard represents a new security mechanism for one of the oldest protocols on the Internet, the Network Time Protocol (NTP).
Secure and Accurate Time
NTP enables the synchronization of time on computers connected by a network. Time is very important for many vital everyday functions, such as financial transactions and the correct operation of electrical power systems and transportation systems. Secure and accurate time is also crucial for many Internet security technologies including basic website security. As everything becomes more distributed and more online, synchronized time in computers becomes even more important. But despite all this, security for NTP has lagged behind in development and deployment. Network Time Security (NTS) was developed to fill this gap.
The publication of the NTS protocol on 1 October 2020 represents the culmination of many years of work by the IETF NTP Working Group. NTS adds cryptographic security for the client-server mode of NTP. So, what does this mean? It means that an NTP client can now confirm the identity of the server it is exchanging time information with, and that the time information itself is protected against tampering as it crosses the network.
NTS is basically two loosely coupled sub-protocols that together add security to NTP. NTS Key Exchange (NTS-KE) is based on TLS 1.3 and performs the initial authentication of the server and exchanges security tokens with the client. The NTP client then uses these tokens in NTP extension fields for authentication and integrity checking of the NTP protocol messages that exchange time information.
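As an added illustration (not code from RFC 8915, chrony or NTPsec), the following Python parser shows what a client does with the NTS-KE response described above once the TLS 1.3 session is up: it walks the records, enforces the critical bit, and collects the cookies that the NTP client later carries in its extension fields. The record framing and type numbers are assumed to follow RFC 8915 section 4, and the sample response bytes are constructed.

```python
import struct

# Record types and IDs from RFC 8915 section 4 (assumed layout, illustration only).
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, AEAD_ALGORITHM, NEW_COOKIE = 0, 1, 2, 4, 5
NTPV4 = 0               # Next Protocol ID for NTPv4
AES_SIV_CMAC_256 = 15   # AEAD algorithm ID used to protect the NTP extension fields


def record(rtype: int, body: bytes, critical: bool = False) -> bytes:
    """Encode one NTS-KE record: critical bit + 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", rtype | (0x8000 if critical else 0), len(body)) + body


def parse_ntske_response(data: bytes) -> dict:
    """Validate a server's NTS-KE response; raise ValueError on anything a client must reject."""
    result = {"protocols": [], "aead": [], "cookies": []}
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated: no End of Message record")
        header, length = struct.unpack_from("!HH", data, offset)
        critical, rtype = bool(header & 0x8000), header & 0x7FFF
        body = data[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        offset += 4 + length
        if rtype == END_OF_MESSAGE:
            break
        if rtype == ERROR:
            raise ValueError("server sent an Error record; abort key exchange")
        if rtype in (NEXT_PROTOCOL, AEAD_ALGORITHM):
            # body is a list of 16-bit IDs (a trailing odd byte is ignored)
            ids = [struct.unpack_from("!H", body, i)[0] for i in range(0, length - 1, 2)]
            result["protocols" if rtype == NEXT_PROTOCOL else "aead"] = ids
        elif rtype == NEW_COOKIE:
            result["cookies"].append(body)  # opaque token, echoed later in NTP extension fields
        elif critical:
            raise ValueError("unhandled critical record type %d" % rtype)  # must not be ignored
    if result["protocols"] != [NTPV4] or result["aead"] != [AES_SIV_CMAC_256]:
        raise ValueError("server did not agree on NTPv4 with AES-SIV-CMAC-256")
    if not result["cookies"]:
        raise ValueError("no cookies received; cannot authenticate NTP packets")
    return result


# Constructed sample response (cookie contents are made up; real ones are opaque to the client).
SAMPLE_RESPONSE = (
    record(NEXT_PROTOCOL, struct.pack("!H", NTPV4), critical=True)
    + record(AEAD_ALGORITHM, struct.pack("!H", AES_SIV_CMAC_256), critical=True)
    + record(NEW_COOKIE, b"constructed-cookie-1")
    + record(NEW_COOKIE, b"constructed-cookie-2")
    + record(END_OF_MESSAGE, b"", critical=True)
)
```

Unknown records without the critical bit are skipped, while any unhandled critical record, a missing End of Message, or an Error record aborts the exchange before the client trusts a single time packet.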
Global Collaborative Effort
Many organizations and individuals deserve credit for helping to get this new standard to publication. This includes those who helped write the document itself, those who developed the early open source implementations and provided feedback to the NTP Working Group, and those who participated in early hackathons and interoperability testing. While it is not possible to recognize everyone involved, I do think it is important to acknowledge the authors of the RFC:
- Dieter Sibold and Kristof Teichel of Physikalisch-Technische Bundesanstalt (PTB)
- Ragnar Sundblad and Marcus Dansarie of Netnod
- Daniel Franke of Akamai
These authors, in conjunction with the NTP working group, put in a great deal of time and effort over many years to get to this milestone.
Additionally, I would like to recognize the early implementers and the vital feedback that they provided. Martin Langer from Ostfalia University of Applied Sciences deserves special mention as the person who wrote the first prototype implementation, demonstrating the viability of the NTS approach and bringing other developers to the table. Additional open source server implementations are now available from chrony and NTPsec (both on GitHub). Public open NTS-enabled time servers have been established by both Netnod and Cloudflare.
Congratulations to everyone involved in this effort! The Internet Society believes that the publication of RFC 8915 will be a significant step forward in closing the long-standing gap in NTP security.
More Information
The Internet Society promotes the global deployment of network time security by collaborating with and supporting the open source development community, network time product vendors, time service providers, network operators, and policymakers to encourage implementation. Find out more about our work on time security, NTP and NTS, on the Time Security project homepage and in this blog post.
You can also find out more about the work that some of the organizations involved in getting the NTS protocol finalized are doing on Time Security:
- Cloudflare: NTS is now an RFC
- Netnod: New Proposed Standard to Ensure Secure Time on the Internet