Re: NTP Sync Issue Across Tata (Europe)

[William Herrin <bill () herrin us>]

On Sun, Aug 6, 2023 at 1:19 PM Royce Williams <royce () techsolvency com> wrote:
> Wouldn't a robust implementation of peering - say, seven peers, with the NTP algorithm handily selecting a subset to 
> peer with for each cycle - require an attacker to know and overwhelm not just one, but a majority of the peer IPs?

Hi Royce,

More or less, yes. There are some corner cases where that may not be
true, but in terms of designing a useful attack, the attacker has to
be able to figure out which NTP servers you're talking to, flood you
with enough packets forged from all of them that the forged packet
arrives ahead of the real one, generally no more than 10s of
milliseconds behind the sent packet that only happens once every 15
minutes or so. And then it has to move you off real time gradually
enough for the NTP daemon not to decide the peer has become a false
ticker.

It's like DNS cache poisoning but a few orders of magnitude harder.


> This is *not* to say that I'm advocating against maintaining local stratum 0s as part of a proper operator-grade NTP 
> mesh. (My definition of "robust implementation" would include both local stratum 0 and a healthy serving of Internet 
> stratum 1s). I'm just suggesting "don't peer with public servers" seems draconian given the deliberate design choices 
> of the protocol.
>
> For this audience, this would recommend a tiered system where multiple mixed-stratum internal stratrum 0+1s would 
> peer with each other, and maintain internal-facing consensus for all other downstream internal devices - such that 
> the vast majority of internal peers would indeed not be talking to the public Internet (but the "parent" peers would, 
> and have the mesh and mix that I describe).


Well, it's not really one-size-fits-all.

Some systems consist of a well defined network containing routers and
servers with clear boundaries between self and Internet. Your approach
would work well there.

Some systems consist of equipment scattered at various data centers,
interconnected by the Internet itself. Implementing a GPS time
receiver at every one could get very expensive very fast. Standard
security rules apply: don't spend more protecting yourself than the
risk-cost. Risk is threat times vulnerability. Given the complexity of
the attack, you have to consider whether you're enough of a target
(threat) for anyone to bother.

Some systems are heavily virtualized, scattered over many vendors and
locations. You could -try- to track down a "secured" NTP source from
the vendor at each location, but that way lies configuration insanity.

Some systems are air-gapped from the Internet. You're going to get
time from GPS or the cellular phone network. GPS devices like the one
Mel pointed out are probably cheaper and more accurate.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/