Everything you need to know about Network Time Security
What is NTS and why is it important?
NTS is an essential development of the Network Time Protocol (NTP). It has been developed within the Internet Engineering Task Force (IETF) and adds a much-needed layer of security to a protocol that is more than 30 years old and is vulnerable to certain types of attack. Netnod has played an important role in the development of Network Time Security (NTS), from the standardisation effort in the IETF to the development of several implementations and the launch of one of the first NTS-enabled NTP services in the world.
NTS consists of two protocols: a key exchange and an extended version of NTP. Together they ensure that clients can validate that the time they receive was sent by the correct server. More detailed information about how NTS works and why it is important is available here and in a guest post recently published on RIPE Labs here.
The NTS standard in the IETF
In March 2020, the Internet Draft ‘Network Time Security for the Network Time Protocol’ was approved as a Proposed Standard. It describes NTS as "a mechanism for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD) to provide cryptographic security for the client-server mode of the Network Time Protocol (NTP)." The draft is currently in the RFC Editor queue awaiting publication as an RFC proper.
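To make the key exchange half concrete, the following added example (not code from Netnod or from any of the implementations listed on this page) builds the request a client sends inside the TLS session and validates a server response before any cookie is trusted. The record layout and numeric IDs are those of RFC 8915, the published form of the draft; the function names and the sample response are constructed for illustration.

```python
import struct

# Record types and IDs as assigned in RFC 8915 (assumption: not stated on this page).
END, NEXT_PROTO, ERROR, WARNING, AEAD_ALG, NEW_COOKIE = 0, 1, 2, 3, 4, 5
NTPV4, AES_SIV_CMAC_256, CRITICAL = 0, 15, 0x8000  # protocol ID, AEAD ID, critical bit

def record(rtype, body=b"", critical=False):
    """Encode one record: critical bit + 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", (CRITICAL if critical else 0) | rtype, len(body)) + body

def client_request():
    """Request sent over TLS: ask for NTPv4, offer one AEAD, End of Message."""
    return (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
            + record(AEAD_ALG, struct.pack("!H", AES_SIV_CMAC_256))
            + record(END, critical=True))

def parse_response(data):
    """Return (aead_id, cookies) from a server response, or raise ValueError."""
    ids, cookies, off, ended = {}, [], 0, False
    while off < len(data):
        if ended or len(data) - off < 4:
            raise ValueError("trailing data or truncated record header")
        word, length = struct.unpack_from("!HH", data, off)
        rtype, body = word & 0x7FFF, data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += 4 + length
        if rtype == END:
            ended = True
        elif rtype in (ERROR, WARNING):
            raise ValueError(f"server reported a problem (record type {rtype})")
        elif rtype in (NEXT_PROTO, AEAD_ALG):
            if length % 2:
                raise ValueError("malformed ID list")
            ids[rtype] = list(struct.unpack(f"!{length // 2}H", body))
        elif rtype == NEW_COOKIE:
            cookies.append(body)  # opaque to the client, echoed in later NTP requests
        elif word & CRITICAL:
            raise ValueError(f"unknown critical record type {rtype}")
    agreed = NTPV4 in ids.get(NEXT_PROTO, []) and ids.get(AEAD_ALG) == [AES_SIV_CMAC_256]
    if not (ended and agreed and cookies):
        raise ValueError("negotiation incomplete or not what we offered")
    return ids[AEAD_ALG][0], cookies

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (record(NEXT_PROTO, struct.pack("!H", NTPV4), critical=True)
                   + record(AEAD_ALG, struct.pack("!H", AES_SIV_CMAC_256), critical=True)
                   + record(NEW_COOKIE, b"\x01" * 16) + record(NEW_COOKIE, b"\x02" * 16)
                   + record(END, critical=True))
```

The parser rejects a response that is cut short, carries an unknown critical record, or selects an algorithm the client did not offer, so a client never proceeds to the extended NTP exchange with parameters it did not negotiate.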
Netnod launched one of the first NTS-enabled NTP services in the world on 28 October 2019. It's available to the public at:
- nts.ntp.se (for users anywhere in the world)
- nts.sth1.ntp.se & nts.sth2.ntp.se (for users close to Stockholm)
Some current NTP clients supporting NTS (two of which were written by Netnod staff) include:
- ntpsec (written by Eric Raymond)
- A Python implementation (written by Christer Weinigel, Netnod)
- A Go implementation (written by Michael Cardell Widerkrantz (Netnod), Daniel Lublin and Martin Samuelsson)
Joachim Strömbergson and Peter Magnusson from Assured have been asked by Netnod to work on a Verilog implementation of the extended NTP. More information about this will be available later in the year.
Why take time from Netnod?
On behalf of the Swedish Post and Telecom Authority (PTS), Netnod keeps a Verilog implementation of NTP with attached atomic clocks running in locations across Sweden. This means you speak NTP directly to the FPGA chip! As there is no software involved, you get the most accurate time possible. The service is available to the general public worldwide for free on ntp.se, which resolves to anycast IPv4 and IPv6 addresses.
In a recent blog post, Patrik Fältström, Technical Director and Head of Security, Netnod, looked at some of the fundamentals in providing accurate time. These include looking at what makes a clock, how to ensure accuracy down to the level of nanoseconds and what Netnod is doing to ensure accurate time throughout Sweden.