NTP Working Group                                            A. Malhotra
Internet-Draft                                         Boston University
Intended status: Informational                                K. Teichel
Expires: May 22, 2020                                                PTB
                                                             M. Hoffmann
                                                               W. Toorop
                                                              NLnet Labs
                                                       November 19, 2019


                          On Implementing Time
               draft-ietf-ntp-implementation-guidance-00

Abstract

   This document describes the properties of different types of clocks
   available on digital systems.  It provides implementors of
   applications with guidance on choices they have to make when working
   with time to provide basic functionality and security guarantees.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 22, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Malhotra, et al.          Expires May 22, 2020                  [Page 1]


Internet-Draft            implementation-advice            November 2019


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Scope of the document . . . . . . . . . . . . . . . . . . . .   3
   3.  Expressing Time . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Absolute Time . . . . . . . . . . . . . . . . . . . . . .   4
     3.2.  Relative Time . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Keeping Time: Different Clocks  . . . . . . . . . . . . . . .   4
     4.1.  Native Clock  . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  World Clock . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  Implementation Approaches . . . . . . . . . . . . . . . . . .   6
   6.  Accessing the Native Clock on Selected Operating Systems  . .   7
     6.1.  POSIX . . . . . . . . . . . . . . . . . . . . . . . . . .   7
     6.2.  Microsoft Window  . . . . . . . . . . . . . . . . . . . .   7
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   It is hard to overstate the importance of time in modern digital
   systems.  The functionality and security of applications (distributed
   or local to one system) and that of network protocols generally hinge
   on some notion of time.  For implementation, these applications and
   protocols have to choose one of the types of clocks available on
   their system, each of which has its own specific properties.
   However, currently many of these applications seem to be oblivious to
   the implications of choosing one or the other clock for
   implementation.  This behavior can be attributed to:

   a.  the lack of clear understanding of the distinct properties of
       these clocks,

   b.  trade-offs of using one or the other for an application, and

   c.  availability and compatibility of these clocks on different
       systems.

   This document discusses a) and b).




Malhotra, et al.          Expires May 22, 2020                  [Page 2]


Internet-Draft            implementation-advice            November 2019


   More specifically, in this document we first define different methods
   used by protocols and applications to express time.  We then define
   properties of clocks maintained by modern digital systems.  Next we
   describe how systems obtain these values from these clocks and the
   security considerations of using these values to implement protocols
   and applications that use time.  Finally we discuss trade-offs
   between security and precision of choosing a clock.  The document
   aims to provide guidance to the implementors make an informed choice
   with an example of POSIX system.

2.  Scope of the document

   This document aims to provide software developers implementing
   protocols and applications that have to deal with time with the
   knowledge and understanding to make informed decisions regarding the
   available clocks and their respective trade-offs.

   It does not describe functionality that is specific to the
   architecture of a PC, or other devices such as phones, IoT devices,
   switches, routers, base stations, or synchrophasors.  Nor is the
   document applicable to a specific operating system.  Throughout the
   document we assume that one or the other clock is available on most
   devices.  How these clocks are available on different PCs or other
   devices is out of scope of this document.

   We do not exactly recommend which clock should be used.  We discuss
   the available options and trade-offs.  The final decision would vary
   depending on the availability of clocks and the security requirements
   of the specific application under implementation.

   Note: Since there is a lack of standards on terminology related to
   time, we define some terms in the following section.  Also,
   throughout the document, we define the terms as they become relevant.
   Different systems, depending on their OS, may use different terms for
   the same types of clocks.  A survey on this is not in the scope of
   this document.  We provide a discussion on how to access these values
   on POSIX and Windows systems.  On other systems, implementors will
   have to determine themselves which of these values are available.

3.  Expressing Time

   Protocols and applications can express time in several forms,
   depending on whether they need to express a point in time or a time
   interval.







Malhotra, et al.          Expires May 22, 2020                  [Page 3]


Internet-Draft            implementation-advice            November 2019


3.1.  Absolute Time

   Absolute time expresses a universally agreed upon reference to a
   specific point in time.  Such a reference can be expressed in
   different ways.  For instance, Unix Time refers to the number of
   seconds since midnight UTC, January 1st, 1970, while in everyday
   life, we referenced such a point through year, month, day, and so on.

   Because absolute time expresses a shared view of time, a system needs
   to synchronize its clock with a common reference clock, for instance
   one base on UTC.

   Absolute time is often used to express the start or end of the
   validity of objects with a limited lifetime that are shared over the
   network.

3.2.  Relative Time

   Relative time measures the time interval that has elapsed from some
   well-defined reference point (e.g., 20 minutes from the time of your
   query).

   Relative time is commonly used in network protocols, for instance to
   determine when a packet should be considered dropped or to express
   Time To Live (TTL) values that govern the length of time for which an
   object is valid or usable.

   Since relative time does not express a point in time, it does not
   rely on synchronized clocks between systems but only on a shared
   clock rate.

4.  Keeping Time: Different Clocks

   In this section, we will have a look at the different clocks a system
   uses and how it maintains these clocks

4.1.  Native Clock

   Each system has its own perception of time.  It gains access it via
   its native clock.  Typcially, this clock counts cycles of an
   oscillator but some systems use process CPU times or thread CPU
   timers (via timers provided by the CPU).  The quality of the native
   clock therefore dependends on either the stability of the oscillator
   or the CPU timer.

   The timescale of the native clock is a purely subjective -- no
   general meaning can be attached to any specific clock value.  One can
   only obtain relative time by comparing two values.  Because the value



Malhotra, et al.          Expires May 22, 2020                  [Page 4]


Internet-Draft            implementation-advice            November 2019


   of the native clock always grows at a steady pace, never decreases,
   never make unexpected jumps, and never skips, the difference between
   two clock values provides the time intervall between the two
   measurements.

   The independence of the native clock from any external time sources
   renders it resistant to any manipulation but in return there is no
   guarantee that its clock rate is similar to that of any other system.
   This difference in rate, especially when compared to a reference
   clock, is called clock drift.

   Clock drift depends on the quality of the clock itself but also on
   factors such as system load or ambient temperatur which makes it hard
   to predict.

4.2.  World Clock

   The native clock only provides means to measure relative time.  In
   order to be able to also process absolute time, it needs to be
   synchronized with a global reference clock.  Since this clock strives
   to be the same on all systems, we call it the world clock.

   There are a number of ways to maintain the world clock based on the
   system's native clock.

   o  The first is to manually maintain an offset between values of the
      native clock and the reference world clock.  Because of the clock
      drift of the native clock, this offset needs to be updated from
      time to time if a minimal divergence from the reference clock is
      to be maintained.

   o  Secondly, a hardware clock provided by the system and set to be
      equivalent to the reference time can be used, allowing the system
      to retain the offset across reboots.

   o  Finally, the reference clock can be obtained from an external time
      source.  Typically, the Internet is used through a variety of
      timing protocols including the Network Time Protocol2 (NTP),
      Chrony, SNTP, OpenNTP and others.

   Each of these approaches has own problems attached to it.

   o  Manual configurations can be subject to errors and
      misconfiguration.

   o  Accessing the hardware clock requires an I/O operation which is
      resource intensive, therefore many systems use the hardware clock




Malhotra, et al.          Expires May 22, 2020                  [Page 5]


Internet-Draft            implementation-advice            November 2019


      only upon reboot, to initialize the clock offset; subsequent
      updates are made either manually or through timing protocols.

      Further, on many systems the quality of the hardware clock isn't
      very high, leading to a large clock drift if solely relying on it.
      Worse, systems like microcontrollers that operate within embedded
      systems (e.g., Raspberry Pi, Arduino, etc.) often lack hardware
      clocks altogether.  These systems rely on external time sources
      upon reboot and have no means to process absolute time until
      synchronization with these sources has completed.

   o  Relying on Internet timing protocols opens up the system time to
      attack.  Recent papers show vulnerabilities in NTP
      [ANTP][ANABM][SECNTP] and SNTP [BPHSTS] that allow attackers to
      maliciously alter system's world clock -- pushing it into the past
      or even into the future.  Moreover, many of these time-shifting
      attacks can be performed by off-path attackers, who do not occupy
      a privileged position on the network between the victim system and
      its time sources on the Internet.  Researchers have also
      demonstrated off-path denial of service attacks on timing
      protocols that prevent systems from synchronizing their clocks.

   In other words, the process of obtaining the offset necessary to
   provide a world clock creates dependencies that can be exploited.

5.  Implementation Approaches

   Because absolute time relies on a shared interpretation of a value
   expressing time, the world clock is necessary when processing such
   values.

   For relative time, however, where only the rate of passage of time
   needs to be close enough to that of the other systems involved, there
   is no need to rely on the world clock when determining whether an
   interval has passed.

   Instead, by obtaining a value from the native clock when the interval
   has started only the native clock is necessary to determine when this
   interval ends.  As the native clock does not rely on any external
   time sources, the implementation becomes resistant to the
   difficulties of coordinating with these sources.

   However, using the native clock in this way comes with a caveat.
   Since the native clock is not subject to any adjustments by timing
   protocols, it is not adjusted for the error introduced by clock
   drift.  While this is likely of little consequence for short
   intervals, it may become significant for intervals that span long
   periods of time.



Malhotra, et al.          Expires May 22, 2020                  [Page 6]


Internet-Draft            implementation-advice            November 2019


   The choice of clock to be used is situation-specific.  If a certain
   amount of clock drift can be tolerated or if time intervals are
   short, implementors may prefer to use the native clock.  However, if
   precise timing over long periods is required, then the implementors
   have no choice but to fall back to world clock

6.  Accessing the Native Clock on Selected Operating Systems

   In most operating systems, the standard functions to access time use
   the world clock since that is normally what users would expect.  This
   section provides an overview how the native clock can be accesses on
   some common operating systems.

6.1.  POSIX

   POSIX defines a system C API function which may provide native time:
   "clock_gettime()", when used with a "clock_id" of "CLOCK_MONOTONIC".

   Note that on some systems "CLOCK_MONOTONIC" is still influenced by an
   external time source (for syntonizing the clock rate) and the non-
   standard "CLOCK_MONITONIC_RAW" needs to be used for clock values not
   influenced by an external time source and not susceptible for time-
   shifting attacks.

6.2.  Microsoft Window

   In the Microsoft Windows operating system, native time is called
   'Windows Time' and can be accessed through the "GetTickCount" and
   "GetTickCount64" API functions.  The returned value is nomially the
   number of milliseconds since system start.  "GetTickCount" will
   return a 32 bit value while "GetTickCount64" returns a value 64 bits
   wide that will wrap around less

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Security Considerations

   Time is a fundamental component for the security guarantees claimed
   by various applications.  A system that uses a time distribution
   protocol may be affected by the security aspects of the time
   protocol.  The security considerations of time protocols in general
   are discussed in [RFC7384].  This document discusses the security
   considerations with respect to implementing time values in
   applications in various sections.





Malhotra, et al.          Expires May 22, 2020                  [Page 7]


Internet-Draft            implementation-advice            November 2019


9.  References

9.1.  Normative References

   [RFC7384]  Mizrahi, T., "Security Requirements of Time Protocols in
              Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384,
              October 2014, <https://www.rfc-editor.org/info/rfc7384>.

9.2.  Informative References

   [ANABM]    Malhotra, A. and S. Goldberg, "Attacking NTP's
              Authenticated Broadcast Mode", 2016,
              <https://eprint.iacr.org/2016/055>.

   [ANTP]     Malhotra, A., Cohen, I., Brakke, E., and S. Goldberg,
              "Attacking the Network Time Protocol", 2015,
              <https://eprint.iacr.org/2015/1020>.

   [BPHSTS]   Jose, J., "Bypassing HTTP Strict Transport Security",
              2014, <https://www.blackhat.com/docs/eu-14/materials/eu-
              14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf>.

   [SECNTP]   Malhotra, A., Gundy, M., Varia, M., Kennedy, H., Gardner,
              J., and S. Goldberg, "The Security of NTP's Datagram
              Protocol", 2016, <http://eprint.iacr.org/2016/1006>.

Appendix A.  Acknowledgements

   We are thankful to Sharon Goldberg and Benno Overreinder for useful
   discussions.  Thanks to Dieter Sibold, Joachim Fabini and Denis
   Reilly, for value input and suggestions.

Authors' Addresses

   Aanchal Malhotra
   Boston University
   111 Cummington Mall
   Boston  02215
   USA

   Email: aanchal4@bu.edu










Malhotra, et al.          Expires May 22, 2020                  [Page 8]


Internet-Draft            implementation-advice            November 2019


   Kristof Teichel
   Physikalisch-Technische Bundesanstalt
   Bundesallee 100
   Braunschweig  D-38116
   Germany

   Email: kristof.teichel@ptb.de


   Martin Hoffmann
   NLnet Labs
   Science Park 400
   Amsterdam  1098 XH
   Netherlands

   Email: martin@nlnetlabs.nl


   Willem Toorop
   NLnet Labs
   Science Park 400
   Amsterdam  1098 XH
   Netherlands

   Email: willem@nlnetlabs.nl


























Malhotra, et al.          Expires May 22, 2020                  [Page 9]