The NTP Security Project effort addresses a pressing problem in the Internet infrastructure, and tests a new model for supporting and maintaining its vital parts.
It has been known for some time that the authentication and security mechanisms used in Network Time Protocol (NTP) were aging, partly broken, and vulnerable to attack. Recently this concern has become reality through a string of serious security incidents involving NTP servers, in many of which the servers were exploited as amplifiers for DDoS (distributed denial of service) attacks.
An accurate common timebase is vitally important for a wide range of uses, from financial services to autonomous vehicular navigation. Accordingly, some months ago the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) and Indiana University’s Center for Applied Cybersecurity Research (CACR) initiated rescue planning that included a range of individual experts on time service, senior NTP developers, and interested organizations such as the Network Time Foundation (NTF) the Internet Civil Engineering Institute (ICEI), and the National Science Foundation (NSF). The NSF approved seed funding for this work.
The rescue planning bore fruit in a detailed roadmap, beginning with breaking the NTP code base out of the proprietary BitKeeper revision control system into a Git repository, where it can benefit from regular examination and contributions by the wider community (this was not previously possible due to BitKeeper’s licensing requirements and logistical overhead).
NTF, which maintains the current reference NTP implementation, has declined to participate in these efforts to secure the NTP software. Thus, members of the NTP community have chosen to create a fork of that code base that will take advantage of and further iterate upon the remediation work funded by the NSF, CTSC, and CACR. The ongoing work is now substantially funded by the Linux Foundation’s Core Infrastructure Initiative (CII).
Thus, the NTP Security Project - familiarly, NTPsec. NTPsec will be a compatible upgrade from the NTF version, continuously evolved from that historical reference implementation.
As the project name indicates, NTPsec’s early focus will be on security improvements. We will also apply best practices in use of static-analysis tools, continuous integration, and automated testing. Down the road we plan deeper refactoring for security and simplicity, and to fully adapt the network time protocol to IPV6.
NTPsec begins with a core team of experienced and expert developers. You can read more about them on the Core Team page.
Have questions? Email us at firstname.lastname@example.org, or via IRC at Freenode channel #ntpsec.