[ntp:questions] Authenticated time

Harlan Stenn stenn at ntp.org
Thu Mar 3 03:06:12 UTC 2016

Juhasz Gabor writes:
> Hi All,
> I am newbie in NTP world so it is possible that my question
> has been already answered. Sorry for it.
> The latest openNTP (openntpd-5.7p4) contains a very
> useful feature: CONSTRAINTS
> openntpd.conf.5:
> "openntpd(8) can be configured to query the =91Date=92 from trusted
> HTTPS servers via TLS. This time information is not used
> for precision but acts as an authenticated constraint, thereby
> reducing the impact of unauthenticated NTP man-in-the-middle
> attacks. Received NTP packets with time information falling
> outside of a range near the constraint will be discarded and
> such NTP servers will be marked as invalid."
> More details are here :
> http://www.undeadly.org/cgi?action=3Darticle&sid=3D20150210103656
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/ntpd.conf.5?que=
> ry=3Dntpd&apropos=3D1
> Is there any plan that NTP will contain this or similar feature?

Maybe.  But that *assumes* the target https machine is really who it
claims to be, and without accurate time one cannot be certain of this.

If there is a MITM this won't help much.

So yes, it's useful, and Ntimed does this now, and we'll be looking at
it for ntpd as well.

But ntpd will also soon have Network Time Security, which is the new
proposed IETF method for clients and servers to authenticate each other.

Regardless, the better answer is to have "enough" sources of time, and
to do a proper job of monitoring your ntpd instances.


More information about the questions mailing list