https://fedoraproject.org/wiki/Changes/NetworkTimeSecurity

== Summary ==

Support for the Network Time Security (NTS) authentication mechanism
in the NTP client/server (chrony) and installer (anaconda).

== Owner ==
* Name: [[User:mlichvar| Miroslav Lichvar]], [[User:mkolman| Martin Kolman]]
* Email: mlich...@redhat.com, mkol...@redhat.com

== Detailed Description ==

NTP is a widely used protocol for synchronizing clocks over a
network. Authentication of NTP packets is important to prevent a
man-in-the-middle (MITM) attacker from taking full control over the
client's clock (e.g. forcing it to jump to the distant future or past).
Several different authentication mechanisms have been specified for
NTP. The oldest and simplest one uses secret keys, where each client
has its own key which needs to be securely distributed to the server
and client. This means it is mostly limited to local networks. Autokey
is a newer mechanism based on public-key cryptography, but it was
shown to be insecure and it is rarely supported on public servers.

NTS is a new authentication mechanism
[https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp
specified by the IETF] for NTP. NTS has an NTS-KE protocol using
Transport Layer Security (TLS) to establish the keys and provide the
client with cookies which allow the NTP server to not keep any
client-specific state. NTP packets are authenticated using
Authenticated Encryption with Associated Data (AEAD). NTS is expected
to scale well to a large number of clients. There are already some
public NTP servers with NTS support.

The default NTP client and server on Fedora is `chrony`. Support for
NTS is added in version 4.0. It uses the GnuTLS library for TLS and
the Nettle library for AEAD.

NTS authentication can be enabled on the client by adding the `nts`
option to the `server` or `pool` directive in ''/etc/chrony.conf''.
Until a standard port is assigned for NTS by IANA, the port may need
to be specified with the `ntsport` option. For example:

    server time.example.com iburst nts ntsport 12123

When using NTS-enabled NTP sources, any NTP source that is not both
trusted and reachable over a trusted network should be disabled. This
includes servers provided by DHCP. They should be disabled by adding
`PEERNTP=no` to ''/etc/sysconfig/network''.

We can consider changing the default ''/etc/chrony.conf'' to use some
trusted public NTP servers with NTS support. There are public servers
provided by [https://www.cloudflare.com/time/ Cloudflare] and
[https://www.netnod.se/time-and-frequency/how-to-use-nts Netnod]. Both
would be fine with Fedora using their servers by default (after some
testing and coordination). There is also a possibility that
pool.ntp.org will support NTS, although it is not very clear how
useful NTS would be in this case, as the servers are owned by
individual contributors instead of a single trusted entity and
attackers can easily join the pool (some mitigations have been
proposed on the pool mailing list).

Potential issues with enabling NTS by default:
* Firewalls may block the NTS-KE port.
* ISPs may block or rate limit longer NTP packets as a mitigation for
amplification attacks using NTP mode 6 and 7. NTS-KE supports port
negotiation and an alternative port could be used to avoid this issue.
* Computers with no RTC (e.g. some ARM boards), or RTC that is too far
from the real time, will fail to verify TLS certificates. An option
could be added to disable the time checks before the first update of
the clock. This would have an impact on security.

== Benefit to Fedora ==

This change enables Fedora users to securely synchronize the system
clock to local or public NTP servers.

TBD: This change also makes the default configuration of the NTP client secure.

== Scope ==
* Proposal owners:

# Update `chrony` to 4.0 and enable the NTS support (adding dependency
on GnuTLS)
# TBD: Modify the default ''/etc/chrony.conf'' to use public servers
with NTS support
# Add an NTS option to the NTP settings in anaconda

* Other developers: N/A (not a System Wide Change)

* Release engineering: N/A (not needed for this Change)

* Policies and guidelines: N/A (not a System Wide Change)

* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==

Fedora systems updated from a previous version will use the new
''/etc/chrony.conf'' automatically if the installed file was not
modified. If it was modified, the users will need to update the file
manually or rename ''/etc/chrony.conf.rpmnew'' to
''/etc/chrony.conf'' in order to enable NTS.

== How To Test ==

If the default configuration is modified for this Change, it needs to
be tested to confirm that it works correctly on most systems where the
previous default configuration using pool.ntp.org servers worked.

The installer needs to be tested that it enables NTS in
''/etc/chrony.conf'' as expected and that it adds `PEERNTP=no` to
''/etc/sysconfig/network''.

The `chronyc -N sources` command can be used to verify that NTP
sources are responding. The `chronyc ntpdata` command can be used to
verify that the NTP sources are authenticated. For example:

    # chronyc -N sources
    MS Name/IP address         Stratum Poll Reach LastRx Last sample
    ===============================================================================
    ^* time.cloudflare.com           3   6   377    28   -115us[ -111us] +/-   13ms
    ^+ nts.ntp.se                    2   6   377    27   +212us[ +212us] +/-   22ms
    # chronyc ntpdata | grep Auth
    Authenticated   : Yes
    Authenticated   : Yes
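As an added example (not from the proposal or from chrony), a small POSIX shell audit that covers both the configuration step and the verification step above: it flags `server`/`pool` lines in a chrony.conf that lack the `nts` option, and flags sources whose `chronyc -N ntpdata` output does not report `Authenticated : Yes`. The samples are constructed, and the field names are assumed to match chronyc's layout as shown.

```shell
#!/bin/sh
# Added example (not part of the Fedora proposal or of chrony itself): two
# audit checks for an NTS-enabled chrony setup. Both read stdin, so they run on
# the constructed samples below as well as on live data:
#   check_chrony_conf < /etc/chrony.conf
#   chronyc -N ntpdata | check_ntpdata_authenticated

# Print every server/pool directive that lacks the `nts` option, i.e. a source
# that would still be used without authentication. Returns 1 if any is found.
check_chrony_conf() {
    missing=$(awk '
        /^[[:space:]]*#/ { next }            # skip comment lines
        $1 == "server" || $1 == "pool" {
            has_nts = 0
            for (i = 3; i <= NF; i++) if ($i == "nts") has_nts = 1
            if (!has_nts) print $2
        }')
    [ -z "$missing" ] && return 0
    printf 'source(s) without nts option: %s\n' "$missing" >&2
    return 1
}

# Walk the per-source blocks of `chronyc -N ntpdata` output and print each
# source whose "Authenticated" field is not "Yes". Returns 1 if any is found.
# Assumes the field layout shown in the proposal ("Remote address  : ..."
# followed later by "Authenticated   : Yes").
check_ntpdata_authenticated() {
    bad=$(awk -F' *: *' '
        $1 == "Remote address" { split($2, a, " "); addr = a[1] }
        $1 == "Authenticated"  { if ($2 != "Yes") print addr }')
    [ -z "$bad" ] && return 0
    printf 'unauthenticated source(s): %s\n' "$bad" >&2
    return 1
}

# Constructed chrony.conf fragment: the pool directive is missing `nts`.
sample_conf() {
    printf '%s\n' '# constructed sample, not the Fedora default' \
        'server time.cloudflare.com iburst nts' \
        'server nts.ntp.se iburst nts ntsport 12123' \
        'pool 2.fedora.pool.ntp.org iburst'
}

# Constructed `chronyc -N ntpdata` output with one unauthenticated source.
sample_ntpdata() {
    printf '%s\n' 'Remote address  : time.cloudflare.com (A29FC801)' \
        'Authenticated   : Yes' '' \
        'Remote address  : 192.0.2.10 (C000020A)' \
        'Authenticated   : No'
}
```

Run `sample_conf | check_chrony_conf` and `sample_ntpdata | check_ntpdata_authenticated` to see both checks fail on the constructed input; each exits 0 only when every source is NTS-protected.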

== User Experience ==

Client NTS can be enabled in the NTP settings in the installer.

Client and server NTS can be enabled by editing ''/etc/chrony.conf''
as documented in the `chrony.conf` man page.

== Dependencies ==
N/A (not a System Wide Change)

== Contingency Plan ==

* Contingency mechanism: N/A (not a System Wide Change)
* Contingency deadline: N/A (not a System Wide Change)
* Blocks release? N/A (not a System Wide Change)
* Blocks product?

== Documentation ==
N/A (not a System Wide Change)

== Release Notes ==
TBD


-- 
Ben Cotton
He / Him / His
Senior Program Manager, Fedora & CentOS Stream
Red Hat
TZ=America/Indiana/Indianapolis
_______________________________________________
devel-announce mailing list -- devel-announce@lists.fedoraproject.org