NTS server for the TimeNL NTP service
Our NTP service gets a security upgrade
SIDN Labs' public NTP service has been upgraded: TimeNL now has an NTS server. NTS stands for Network Time Security, a new standard that's still being developed. Only a few NTS systems are currently operating around the world, but we've recently boosted the number by adding our own experimental server (https://nts.time.nl) to that small pool. We'll be carrying out extensive tests with the new server, and the wider internet community is invited to make use of it as well. This blog post explains the background. If you're new to this field, please note that, while the abbreviations are easily confused, NTP and NTS are very different technologies.
The importance of accurate time measurement and synchronisation
In July 2019, we wrote about the launch of TimeNL, our public NTP service. We explained the importance of good time synchronisation and how our NTP service can contribute. However, as well as being a 'production platform' that's free for everyone to use, TimeNL is a research project.
One line of research involves looking at the new NTS security extension, because the existing NTP (version 4 of a protocol originally introduced in 1981) has certain vulnerabilities. With NTP, a client and a server exchange a series of UDP queries and responses, and that exchange can be abused: the sender address in a UDP packet is fairly easy to forge, and packet contents can be manipulated by a 'man-in-the-middle' (MitM) attack so that the client receives incorrect time information.

Being aware of the issues, the NTP Working Group at the IETF has gradually extended the protocol, for example with authentication procedures. First came an extension based on symmetric keys, then one based on the Autokey functionality, utilising certificates with public/private key pairs. While symmetric-key authentication may be secure, it's also cumbersome: it requires the shared keys to be exchanged in advance via a separate channel, which introduces an additional administrative burden. Autokey was developed to get around that problem. Unfortunately, though, Autokey turned out to be less secure than expected and its use was later discouraged.
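To make the symmetric-key mechanism above concrete, here is an added illustration (example code written for this post, not code from SIDN Labs, TimeNL or NTPsec). It builds a minimal NTPv4 client packet, appends a MAC in the layout RFC 5905 describes (a 32-bit key ID followed by an MD5 digest over the shared key concatenated with the packet), and then shows what a verifier sees for an unauthenticated packet, a correctly authenticated one, one whose transmit timestamp was rewritten in flight, and one arriving under a key ID the receiver does not know. The shared key, key ID and timestamp are constructed values; the key is assumed to have been distributed out of band beforehand, which is exactly the administrative burden the post refers to.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # fixed NTPv4 header
MAC_LEN = 4 + 16               # 32-bit key ID + 128-bit MD5 digest (RFC 5905 layout)
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def build_client_packet(unix_time: float) -> bytes:
    """Build a minimal 48-byte NTPv4 client request (LI=0, VN=4, mode=3).

    Only the transmit timestamp carries data; every other field is zero, as in
    a simple SNTP-style request.
    """
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    ntp_secs = int(unix_time) + NTP_EPOCH_OFFSET
    ntp_frac = int((unix_time - int(unix_time)) * (1 << 32))
    # flags, stratum, poll, precision, root delay, root dispersion, reference ID,
    # reference/origin/receive timestamps (64-bit each), transmit timestamp (secs, frac)
    return struct.pack("!BBbbIIIQQQII",
                       li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, ntp_secs, ntp_frac)


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append an RFC 5905 style MAC: key ID, then MD5 over (key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys: dict) -> bool:
    """Accept only a message whose MAC verifies under a key ID the receiver knows.

    A packet with no MAC, an unknown key ID, or a digest mismatch is rejected.
    Extension fields between header and MAC are left out of this illustration.
    """
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def shift_transmit_timestamp(message: bytes, offset_seconds: int) -> bytes:
    """Model an on-path party rewriting the transmit timestamp (header bytes 40-43)."""
    secs = struct.unpack("!I", message[40:44])[0]
    shifted = struct.pack("!I", (secs + offset_seconds) & 0xFFFFFFFF)
    return message[:40] + shifted + message[44:]


def demo() -> dict:
    """Run the scenario end to end; all values here are constructed for the example."""
    shared_key = b"constructed-example-shared-secret"  # assumed pre-shared out of band
    trusted_keys = {7: shared_key}                      # key ID 7 is a constructed value
    request = build_client_packet(1700000000.25)
    signed = append_mac(request, 7, shared_key)
    return {
        "plain_accepted": verify_mac(request, trusted_keys),
        "signed_accepted": verify_mac(signed, trusted_keys),
        "tampered_accepted": verify_mac(shift_transmit_timestamp(signed, 3600), trusted_keys),
        "unknown_key_accepted": verify_mac(signed, {8: shared_key}),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Two things stand out when running it. A forged source address buys an attacker nothing once the receiver insists on a MAC, because the digest depends on a key the attacker does not hold, and the one-hour shift of the timestamp is caught for the same reason. But the receiver can only verify because `trusted_keys` was populated in advance for each peer, and that provisioning step is what NTS is designed to replace.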
Network Time Security (NTS)
NTS in the wild
Although there are now several NTS software implementations, there are relatively few operating NTS servers on the internet. For that and other reasons, we decided to set up our own. The move has been welcomed by, for example, the makers of an NTS client written in the Go programming language. Our experimental server, which is based on NTPsec, will provide us with a clear understanding of how the NTS protocol is developing. Indeed, it's already delivering results. Following the service launch announcement via our mailing list, Cloudflare contacted us to say that the software used for time.cloudflare.com didn't work with our NTS server. That prompted a detailed analysis by SIDN Labs, leading to the identification of an interoperability problem. A fix was developed and made available to Cloudflare as a simple patch. As a result, Cloudflare's software now works smoothly with NTPsec.
Give TimeNL a try!
If you fancy having a go with NTS, you'll find advice at https://nts.time.nl/.