This article was first published on Netnod’s Blog. It is reposted here with permission of Netnod.
A lot of the Internet’s most important security tools are dependent on accurate time. But until recently there was no way to ensure that the time you were getting came from a trusted source. The new Network Time Security (NTS) standard has been designed to fix that. In this post, we will summarise the most important NTS developments and link to a range of recent Netnod articles providing more information on the background, the NTS standard and the latest implementations.
What is NTS and why is it important?
NTS is an essential extension of the Network Time Protocol (NTP). It has been developed within the Internet Engineering Task Force (IETF) and adds a much-needed layer of security to a protocol that is more than 30 years old and is vulnerable to certain types of attack. Netnod has played an important role in the development of NTS, from the standardization effort in the IETF to the development of several implementations and the launch of one of the first NTS-enabled NTP services in the world.
NTS consists of two protocols: a key exchange and an extended NTP. Together they let clients validate that the time they receive was sent by the correct server. More detailed information about how NTS works and why it is important is available here and in a guest post recently published on RIPE Labs here.
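To make the key-exchange half concrete, here is an added example (not Netnod's code or any of the implementations listed below) that builds the NTS-KE request a client sends over TLS and parses the server's reply records into the cookies, AEAD choice and NTP server address the client then uses. The record layout, type numbers, ALPN string and port follow the NTS specification; the server reply bytes are constructed inline so the example runs offline.

```python
import struct

# NTS-KE record types (NTS spec); the critical bit is the top bit of the 16-bit type field.
END_OF_MESSAGE, NEXT_PROTO, ERROR, WARNING, AEAD_ALGO, NEW_COOKIE, SERVER, PORT = range(8)
CRITICAL = 0x8000
NTPV4 = 0                      # Next Protocol ID for NTPv4
AEAD_AES_SIV_CMAC_256 = 15     # AEAD algorithm ID every NTS server must support
NTS_KE_ALPN, NTS_KE_PORT = "ntske/1", 4460   # TLS parameters for the key-exchange connection

def encode_record(rtype, body, critical=False):
    """One NTS-KE record: 16-bit type (+critical bit), 16-bit body length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def build_ke_request():
    """Client request: ask for NTPv4 and AES-SIV-CMAC-256, then End of Message."""
    return (encode_record(NEXT_PROTO, struct.pack("!H", NTPV4), True)
            + encode_record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256), True)
            + encode_record(END_OF_MESSAGE, b"", True))

def parse_ke_response(data):
    """Walk the server's records; fail on errors, unknown critical records or a missing EOM."""
    result = {"cookies": [], "server": None, "port": 123, "aead": None, "next_proto": None}
    offset = 0
    while offset + 4 <= len(data):
        raw_type, length = struct.unpack_from("!HH", data, offset)
        body = data[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        offset += 4 + length
        critical, rtype = bool(raw_type & CRITICAL), raw_type & ~CRITICAL
        if rtype == END_OF_MESSAGE:
            break
        elif rtype == ERROR:
            raise ValueError("server error code %d" % struct.unpack("!H", body)[0])
        elif rtype == NEXT_PROTO:
            result["next_proto"] = struct.unpack("!H", body)[0]
        elif rtype == AEAD_ALGO:
            result["aead"] = struct.unpack("!H", body)[0]
        elif rtype == NEW_COOKIE:
            result["cookies"].append(body)       # opaque to the client; one is spent per NTP request
        elif rtype == SERVER:
            result["server"] = body.decode("ascii")   # server may hand the client to another NTP host
        elif rtype == PORT:
            result["port"] = struct.unpack("!H", body)[0]
        elif critical:
            raise ValueError("unknown critical record type %d" % rtype)
    else:
        raise ValueError("missing End of Message record")
    if result["next_proto"] != NTPV4 or result["aead"] != AEAD_AES_SIV_CMAC_256:
        raise ValueError("server did not accept the requested protocol/AEAD")
    return result

# Constructed sample reply (not captured from a real server): two 100-byte dummy cookies
# and a pointer to the NTP host; the hostname is the one named in this post.
SAMPLE_RESPONSE = (encode_record(NEXT_PROTO, struct.pack("!H", NTPV4), True)
                   + encode_record(AEAD_ALGO, struct.pack("!H", AEAD_AES_SIV_CMAC_256), True)
                   + encode_record(NEW_COOKIE, b"\x01" * 100) + encode_record(NEW_COOKIE, b"\x02" * 100)
                   + encode_record(SERVER, b"nts.ntp.se") + encode_record(PORT, struct.pack("!H", 123))
                   + encode_record(END_OF_MESSAGE, b"", True))
```

A real client sends `build_ke_request()` inside a TLS 1.3 session that has verified the server certificate and negotiated the `ntske/1` ALPN; the cookies and AEAD keys exported from that session are what later let it authenticate each NTP response.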
The NTS standard in the IETF
In March 2020, the Internet Draft ‘Network Time Security for the Network Time Protocol’ was approved as a Proposed Standard. It describes NTS as: “a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP).” It is currently in the RFC Editor queue awaiting publication as an RFC proper.
Netnod launched one of the first NTS-enabled NTP services in the world on 28 October 2019. It’s available to the public at:
- nts.ntp.se (for users anywhere in the world)
- nts.sth1.ntp.se & nts.sth2.ntp.se (for users close to Stockholm)
More information on this service is available here. Netnod has also published a HOWTO explaining how to set up an NTS client and connect it to Netnod’s NTS servers here. Some current NTP clients supporting NTS (two of which were written by Netnod staff) include:
- ntpsec (written by Eric Raymond)
- A Python implementation (written by Christer Weinigel, Netnod)
- A Go implementation (written by Michael Cardell Widerkrantz (Netnod), Daniel Lublin and Martin Samuelsson)
Joachim Strömbergson and Peter Magnusson from Assured have been asked by Netnod to work on a Verilog implementation of the extended NTP. More information about this will be available later in the year.
Why take time from Netnod?
On behalf of the Swedish Post and Telecom Authority (PTS), Netnod runs a Verilog implementation of NTP with attached atomic clocks in locations across Sweden. This means you speak NTP directly to the FPGA chip: as there is no software involved, you get the most accurate time possible. The service is available to the general public worldwide for free on ntp.se, which resolves to anycast IPv4 and IPv6 addresses.
In a recent blogpost, Netnod looked at some of the fundamentals in providing accurate time. These include looking at what makes a clock, how to ensure accuracy down to the level of nanoseconds and what Netnod is doing to ensure accurate time throughout Sweden.
The Internet Society believes that the security of the Internet’s time synchronization infrastructure has a direct impact on the overall trustworthiness of the global Internet. We’re working to promote global deployment of time security protocols and to encourage operational best practices. Take a look at our Time Security project homepage to find out more about our work.