Paf
Netnod blog summer reading

Everything you need to know about Network Time Security

A lot of the Internet’s most important security tools are dependent on accurate time. But until recently there was no way to ensure that the time you were getting came from a trusted source. The new Network Time Security (NTS) standard has been designed to fix that. In this post, we will summarise the most important NTS developments and link to a range of recent Netnod articles providing more information on the background, the NTS standard and the latest implementations.

What is NTS and why is it important?
NTS is an essential development of the Network Time Protocol (NTP). It has been developed within the Internet Engineering Task Force (IETF) and adds a much-needed layer of security to a protocol that is more than 30 years old and is vulnerable to certain types of attack. Netnod has played an important role in the development of Network Time Security (NTS), from the standardisation effort in the IETF to the development of several implementations and the launch of one of the first NTS-enabled NTP services in the world.

NTS consists of two protocols: a key exchange and extended NTP. Together, these ensure that clients can validate that the time they receive has been sent from the correct server. More detailed information about how NTS works and why it is important is available here and in a guest post recently published on RIPE Labs here.

The NTS standard in the IETF
In March 2020, the Internet Draft ‘Network Time Security for the Network Time Protocol’ was approved as a Proposed Standard. It describes NTS as “a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP).” It is currently in the RFC Editor queue awaiting publication as an RFC proper.
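To make the key exchange half concrete, here is an added example (not Netnod's code and not taken from the linked articles) that encodes a client's key-exchange request and validates a server's reply. The record layout and type numbers are from the NTS specification as published in RFC 8915; the function names are hypothetical and the TLS transport that carries these records is omitted.

```python
import struct

# Type numbers and IDs are from the NTS specification (RFC 8915), not from this page.
END, NEXT_PROTO, ERROR, WARNING, AEAD, COOKIE, SERVER, PORT = range(8)
NTPV4, AES_SIV_CMAC_256, CRITICAL = 0, 15, 0x8000  # protocol ID, AEAD ID, critical bit

def record(rtype, body=b"", critical=False):
    """Encode one record: critical bit + 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def build_request():  # ask for NTPv4, offer one AEAD algorithm, end the message
    return (record(NEXT_PROTO, struct.pack("!H", NTPV4), True)
            + record(AEAD, struct.pack("!H", AES_SIV_CMAC_256)) + record(END, b"", True))

def u16_list(body):
    if len(body) % 2:
        raise ValueError("odd-length list of 16-bit values")
    return list(struct.unpack("!%dH" % (len(body) // 2), body))

def parse_response(data):
    """Validate a server response and return what the extended-NTP phase needs."""
    out = {"protocols": [], "aead": [], "cookies": [], "server": None, "port": 123}
    pos, ended = 0, False
    while pos + 4 <= len(data) and not ended:
        head, length = struct.unpack_from("!HH", data, pos)
        rtype, body = head & 0x7FFF, data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if len(body) != length:
            raise ValueError("truncated record body")
        if rtype == END:
            ended = True
        elif rtype in (ERROR, WARNING):
            raise ValueError("server sent error/warning %r" % u16_list(body))
        elif rtype in (NEXT_PROTO, AEAD):
            out["protocols" if rtype == NEXT_PROTO else "aead"] = u16_list(body)
        elif rtype == COOKIE:
            out["cookies"].append(body)  # opaque to the client; one is spent per NTP request
        elif rtype == SERVER:
            out["server"] = body.decode("ascii")
        elif rtype == PORT:
            (out["port"],) = struct.unpack("!H", body)
        elif head & CRITICAL:  # unknown non-critical records are skipped
            raise ValueError("unrecognised critical record type %d" % rtype)
    if not ended or NTPV4 not in out["protocols"] or out["aead"] != [AES_SIV_CMAC_256] or not out["cookies"]:
        raise ValueError("incomplete or unacceptable NTS-KE response")
    return out

# Constructed sample response, not captured from a real server.
SAMPLE = (record(NEXT_PROTO, b"\0\0", True) + record(AEAD, b"\0\x0f") + record(COOKIE, b"c" * 100)
          + record(PORT, b"\x10\x1b") + record(END, b"", True))
```

The cookies and negotiated AEAD algorithm returned here are what the client then uses to authenticate its extended NTP requests.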

NTS implementations
Netnod launched one of the first NTS-enabled NTP services in the world on 28 October 2019. It's available to the public at:

  • nts.ntp.se (for users anywhere in the world)
  • nts.sth1.ntp.se & nts.sth2.ntp.se (for users close to Stockholm)

More information on this service is available here. Netnod has also published a HOWTO explaining how to set up an NTS client and connect to Netnod’s NTS servers here.

Some current NTP clients supporting NTS (two of which were written by Netnod staff) include:

Joachim Strömbergson and Peter Magnusson from Assured have been asked by Netnod to work on a Verilog implementation of the extended NTP. More information about this will be available later in the year. 

Why take time from Netnod?

On behalf of the Swedish Post and Telecom Authority (PTS), Netnod keeps a Verilog implementation of NTP with attached atomic clocks running in locations across Sweden. This means you speak NTP directly to the FPGA chip! As there is no software involved, you get the most accurate time possible. The service is available to the general public worldwide for free on ntp.se, which resolves to anycast IPv4 and IPv6 addresses.

In a recent blog post, Patrik Fältström, Technical Director and Head of Security, Netnod, looked at some of the fundamentals in providing accurate time. These include looking at what makes a clock, how to ensure accuracy down to the level of nanoseconds and what Netnod is doing to ensure accurate time throughout Sweden.

 
