Secure NTP with NTS

Many computers use the Network Time Protocol (NTP) to synchronize their system clocks over the internet. NTP is one of the few unsecured internet protocols still in common use. An attacker that can observe network traffic between a client and server can feed the client with bogus data and, depending on the client’s implementation and configuration, force it to set its system clock to any time and date. Some programs and services might not work if the client’s system clock is not accurate. For example, a web browser will not work correctly if the web servers’ certificates appear to be expired according to the client’s system clock. Use Network Time Security (NTS) to secure NTP.

Fedora 331 is the first Fedora release to support NTS. NTS is a new authentication mechanism for NTP. It enables clients to verify that the packets they receive from the server have not been modified while in transit. The only thing an attacker can do when NTS is enabled is drop or delay packets. See RFC8915 for further details about NTS.

NTP can be secured well with symmetric keys. Unfortunately, the server has to have a different key for each client and the keys have to be securely distributed. That might be practical with a private server on a local network, but it does not scale to a public server with millions of clients.

NTS includes a Key Establishment (NTS-KE) protocol that automatically creates the encryption keys used between the server and its clients. It uses Transport Layer Security (TLS) on TCP port 4460. It is designed to scale to very large numbers of clients with a minimal impact on accuracy. The server does not need to keep any client-specific state. It provides clients with cookies, which are encrypted and contain the keys needed to authenticate the NTP packets. Privacy is one of the goals of NTS. The client gets a new cookie with each server response, so it doesn’t have to reuse cookies. This prevents passive observers from tracking clients migrating between networks.

The default NTP client in Fedora is chrony. Chrony added NTS support in version 4.0. The default configuration hasn’t changed. Chrony still uses public servers from the pool.ntp.org project and NTS is not enabled by default.

Currently, there are very few public NTP servers that support NTS. The two major providers are Cloudflare and Netnod. The Cloudflare servers are in various places around the world. They use anycast addresses that should allow most clients to reach a close server. The Netnod servers are located in Sweden. In the future we will probably see more public NTP servers with NTS support.

A general recommendation for configuring NTP clients for best reliability is to have at least three working servers. For best accuracy, it is recommended to select close servers to minimize network latency and asymmetry caused by asymmetric network routing. If you are not concerned about fine-grained accuracy, you can ignore this recommendation and use any NTS servers you trust, no matter where they are located.

If you do want high accuracy, but you don’t have a close NTS server, you can mix distant NTS servers with closer non-NTS servers. However, such a configuration is less secure than a configuration using NTS servers only. The attackers still cannot force the client to accept arbitrary time, but they do have a greater control over the client’s clock and its estimate of accuracy, which may be unacceptable in some environments.

Enable client NTS in the installer

When installing Fedora 33, you can enable NTS in the Time & Date dialog in the Network Time configuration. Enter the name of the server and check the NTS support before clicking the + (Add) button. You can add one or more servers or pools with NTS. To remove the default pool of servers (2.fedora.pool.ntp.org), uncheck the corresponding mark in the Use column.

Network Time configuration in Fedora installer

Enable client NTS in the configuration file

If you upgraded from a previous Fedora release, or you didn’t enable NTS in the installer, you can enable NTS directly in /etc/chrony.conf. Specify the server with the nts option in addition to the recommended iburst option. For example:

server time.cloudflare.com iburst nts
server nts.sth1.ntp.se iburst nts
server nts.sth2.ntp.se iburst nts

You should also allow the client to save the NTS keys and cookies to disk, so it doesn’t have to repeat the NTS-KE session on each start. Add the following line to chrony.conf, if it is not already present:

ntsdumpdir /var/lib/chrony

If you don’t want NTP servers provided by DHCP to be mixed with the servers you have specified, remove or comment out the following line in chrony.conf:

sourcedir /run/chrony-dhcp

After you have finished editing chrony.conf, save your changes and restart the chronyd service:

systemctl restart chronyd

Check client status

Run the following command under the root user to check whether the NTS key establishment was successful:

# chronyc -N authdata
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
nts.sth1.ntp.se              NTS     1   15  256  33m    0    0    8  100
nts.sth2.ntp.se              NTS     1   15  256  33m    0    0    8  100

The KeyID, Type, and KLen columns should have non-zero values. If they are zero, check the system log for error messages from chronyd. One possible cause of failure is a firewall is blocking the client’s connection to the server’s TCP port ( port 4460).

Another possible cause of failure is a certificate that is failing to verify because the client’s clock is wrong. This is a chicken-or-the-egg type problem with NTS. You may need to manually correct the date or temporarily disable NTS in order to get NTS working. If your computer has a real-time clock, as almost all computers do, and it’s backed up by a good battery, this operation should be needed only once.

If the computer doesn’t have a real-time clock or battery, as is common with some small ARM computers like the Raspberry Pi, you can add the -s option to /etc/sysconfig/chronyd to restore time saved on the last shutdown or reboot. The clock will be behind the true time, but if the computer wasn’t shut down for too long and the server’s certificates were not renewed too close to their expiration, it should be sufficient for the time checks to succeed. As a last resort, you can disable the time checks with the nocerttimecheck directive. See the chrony.conf(5) man page for details.

Run the following command to confirm that the client is making NTP measurements:

# chronyc -N sources
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* time.cloudflare.com           3   6   377    45   +355us[ +375us] +/-   11ms
^+ nts.sth1.ntp.se               1   6   377    44   +237us[ +237us] +/-   23ms
^+ nts.sth2.ntp.se               1   6   377    44   -170us[ -170us] +/-   22ms

The Reach column should have a non-zero value; ideally 377. The value 377 shown above is an octal number. It indicates that the last eight requests all had a valid response. The validation check will include NTS authentication if enabled. If the value only rarely or never gets to 377, it indicates that NTP requests or responses are getting lost in the network. Some major network operators are known to have middleboxes that block or limit rate of large NTP packets as a mitigation for amplification attacks that exploit the monitoring protocol of ntpd. Unfortunately, this impacts NTS-protected NTP packets, even though they don’t cause any amplification. The NTP working group is considering an alternative port for NTP as a workaround for this issue.

Enable NTS on the server

If you have your own NTP server running chronyd, you can enable server NTS support to allow its clients to be synchronized securely. If the server is a client of other servers, it should use NTS or a symmetric key for its own synchronization. The clients assume the synchronization chain is secured between all servers up to the primary time servers.

Enabling server NTS is similar to enabling HTTPS on a web server. You just need a private key and certificate. The certificate could be signed by the Let’s Encrypt authority using the certbot tool, for example. When you have the key and certificate file (including intermediate certificates), specify them in chrony.conf with the following directives:

ntsserverkey /etc/pki/tls/private/foo.example.net.key
ntsservercert /etc/pki/tls/certs/foo.example.net.crt

Make sure the ntsdumpdir directive mentioned previously in the client configuration is present in chrony.conf. It allows the server to save its keys to disk, so the clients of the server don’t have to get new keys and cookies when the server is restarted.

Restart the chronyd service:

systemctl restart chronyd

If there are no error messages in the system log from chronyd, it should be accepting client connections. If the server has a firewall, it needs to allow both the UDP 123 and TCP 4460 ports for NTP and NTS-KE respectively.

You can perform a quick test from a client machine with the following command:

$ chronyd -Q -t 3 'server foo.example.net iburst nts maxsamples 1'
2020-10-13T12:00:52Z chronyd version 4.0 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +NTS +SECHASH +IPV6 +DEBUG)
2020-10-13T12:00:52Z Disabled control of system clock
2020-10-13T12:00:55Z System clock wrong by -0.001032 seconds (ignored)
2020-10-13T12:00:55Z chronyd exiting

If you see a System clock wrong message, it’s working correctly.

On the server, you can use the following command to check how many NTS-KE connections and authenticated NTP packets it has handled:

# chronyc serverstats
NTP packets received       : 2143106240
NTP packets dropped        : 117180834
Command packets received   : 16819527
Command packets dropped    : 0
Client log records dropped : 574257223
NTS-KE connections accepted: 104
NTS-KE connections dropped : 0
Authenticated NTP packets  : 52139

If you see non-zero NTS-KE connections accepted and Authenticated NTP packets, it means at least some clients were able to connect to the NTS-KE port and send an authenticated NTP request.

— Cover photo by Louis. K on Unsplash —


1. The Fedora 33 Beta installer contains an older chrony prerelease which doesn’t work with current NTS servers because the NTS-KE port has changed. Consequently, in the Network Time configuration in the installer, the servers will always appear as not working. After installation, the chrony package needs to be updated before it will work with current servers.

FAQs and Guides For System Administrators Using Software

19 Comments

  1. Osqui

    What about systemd-timesyncd? Is it compatible with NTS? Thanks!

  2. what’s the best practice to choose NTP server or the recommended one?
    any tips to check if NTP server already supports NTS ?

    • Some recommended NTS servers are mentioned in the article. NTS is still very new, so the selection is limited. To check if a server supports NTS, try the nts option and see if it works. Note that the server needs to be specified with a name and not just an IP address, so the certificate of the server can be verified.

  3. Anon Ymous

    Does NTS account for daylight savings time?

    • It would be nice to see this expanded into CentOS 8 as well. I just tried implementing it on my laptop with Fedora and confirm it is working as expected.

    • I am pretty sure it works the same with DST… I have it enabled and it shows regions normally in PST mode, are now in PDT mode to reflect the DST change. My own personal area, ofc, has no DST at all 🙂 We are magic.

      • Anon Ymous

        to : Alex Vanderveen

        Yeah i was just seeing if i could sneak the DST one through lol 🙂

    • Daylight savings time is handled locally by applications using system tzdata. NTP (with or without NTS) doesn’t care about timezones. It works in UTC.

      • Anon Ymous

        to : Miroslav Lichvar
        Okay, thanks that clears up my DST concerns 🙂

    • Christer Weinigel

      “Does NTS account for daylight savings time?”

      Yes and no. 🙂 NTP, and thus NTS, uses the UTC timescale. UTC does not change for DST. The timezone settings of the local computer specifies how it should translate UTC into local time and also how it should handle DST.

      For example: European countries will stop using DST from 2021. This means that all computers using an European timezone will have to update
      their timezone databases to account for this. The NTP/NTS protocols, servers or clients will not need any changes.

  4. efee

    fedora powinna postawić własny serwer z własnym zegarem a nie promować jakieś niepotrzebne programiki

  5. Sergey

    Will it also work with a self-signed certificate ?

    • Yes, you can use a self-signed certificate if the clients have the certificate specified in chrony.conf with the

      ntstrustedcerts

      directive.

  6. Thanks for implementing NTS!
    But wouldn’t it be better to have opportunistic NTS? I.e. try NTS with each specified

    server

    and fallback to classic NTP on failure. Then the keyword could be turned around to

    nonts

    to disable this for specific servers, but we would get NTS by default without special configuration.

    • Opportunistic NTS might be an interesting feature, but if there was no option to force NTS, or it wasn’t forced by default, it would enable a downgrade attack. A man-in-the-middle attacker could just block the NTS-KE connection.

      In any case, it would generate extra traffic and load for the servers. As an operator of several servers included in the pool.ntp.org pool, I probably wouldn’t be very happy with a large number of clients trying TLS with a wrong server name, which would fail in the certificate validation. If pool.ntp.org supports NTS at some point, it will probably have an NTS-specific zone. We cannot expect that all NTP servers will support NTS.

  7. Andrew

    couldnt get it working. I followed the instructions above but chronyc sources is empty with any individual server active or even all three of them. I comment them all out and use the standard fedora pool again and chronyc sources shows correct info again. what am i missing?

    • Andrew

      I got help with this from Miroslav (credit where credit’s due). I was doing it wrong, because i’d seen an article/howto on NetNods website explaining how to configure (primarily) ntpd for NTS and in their config example they’d listed the server with the port number at the end:

      https://www.netnod.se/time-and-frequency/how-to-use-nts

      server nts.ntp.se:3443 nts iburst
      server nts.sth1.ntp.se:3443 nts iburst
      server nts.sth2.ntp.se:3443 nts iburst

      with a update note below that informing of the port change to 4460. I hadnt engaged my brain when I just pasted that into chrony.conf. When I removed the “:4460” bit then everything worked perfectly.

      The article above is correct; I didn’t want to use Cloudfares server, but it didn’t click that the server entries below that were the Swedish servers, which were appropriate for me, so i’d been searching other sites for other NTS enabled servers and came across NetNod.

  8. Florencia Fotorello

    Great article!

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions