Securing Unprotected NTP Implementations Using an NTS Daemon

Abstract

This paper presents a method to secure the time synchronization messages of various Network Time Protocol (NTP) services. It uses the Network Time Security protocol (NTS), which is now in a final, pre-RFC state, without the necessity of changes of their underlying implementations. A dedicated NTS service – the so-called NTS daemon (NTSd) – captures the standard NTP messages of the client and passes them on to an NTS server (tunneling). Supplied with the respective timestamps the secured message travels back via the NTS daemon to the NTP client, a procedure completely transparent to the NTP services. The presented research and the implementation of the method show advantages and limitations of the approach. Furthermore, it offers limited correction of NTS related time message asymmetries. Measurements provide an insight into the achievable accuracy and show the differences to NTP services with integrated NTS capability.