NTP: the rebirth of ailing, failing core network infrastructure

Network Time Protocol is how the computers you depend on know what time it is (this is essential to network operations, cryptography, and many other critical functions). Until recently, the NTP software was stored in a proprietary format on a computer that no one had the password for (and which had not been updated in a decade), and was maintained almost entirely by one person.

NTP's precarity was the whole internet's problem: NTP servers could be used to amplify denial of service attacks with devastating consequences, and failures in NTP endangered the many systems that depended on it.

The Internet Civil Engineering Institute and Indiana University's Center for Applied Cybersecurity Research assumed control over the project, undertaking a massive refactoring of the code, its maintenance infrastructure, the organization around it, and its culture and norms.

The result was a new version of NTP, robust, secure, and stable, with a long-term, sustainable future ahead of it.

Susan Sons led the NTP project, and she sat down with O'Reilly's Mac Slocum to discuss it. I really recommend watching it and supporting her work.

O'Reilly's Mac Slocum speaks with Susan Sons, Senior Systems Analyst at the Center for Applied Cybersecurity Research at Indiana University. They discuss:

Why Susan gravitated toward security (it all started when she broke into a computer at four years old). (00:04)

Her work to fix the Network Time Protocol (NTP), an essential part of the Internet's infrastructure. "It was just a moment of panic," she said, recalling her first evaluation of the NTP. "The Internet is going to fall down if I don't fix this." (01:53)

How the Internet's infrastructure can remain up to date and secure. (05:34)

How organizations can balance security with the need to move quickly. (09:43)

The single most important security issue we're facing is the battle between sound bites and first principles. (12:21)

The people and projects she's following. (16:49)

Notable Replies

  1. Maybe this is a good place to mention this?

    Don't run NTP clients on virtual machines. Seriously. Don't. It just mucks up your logs.

    Run a solid, efficient NTP client on each of the hypervisor nodes hosting the virtual machines, and let the VMs get their time from the fake hardware clock that exists as part of their virtualized environment.

    If you control large networks, take the time to design a real NTP hierarchy, with a few canonical servers (one per site usually suffices) that sync to high value servers on the Internet (such as NIST), and everything else syncing from them.
