[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]

Versions: 00 01

Network Time Protocol                                          D. Plonka
Internet-Draft                                   University of Wisconsin
Expires: January 11, 2006                                  July 10, 2005


            Requirements for Network Time Protocol Version 4
                         draft-ietf-ntp-reqs-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 11, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document defines requirements for the Network Time Protocol
   (NTP) Version 4.  NTP provides the mechanisms to synchronize time and
   coordinate time distribution amongst internet hosts.









Plonka                  Expires January 11, 2006                [Page 1]


Internet-Draft             NTPv4 Requirements                  July 2005


Table of Contents

   1.  NTP Requirements Open Issues . . . . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Algorithm Requirements . . . . . . . . . . . . . . . . . . . .  6
     4.1   Clock Discipline . . . . . . . . . . . . . . . . . . . . .  6
     4.2   Accuracy . . . . . . . . . . . . . . . . . . . . . . . . .  6
     4.3   Jitter . . . . . . . . . . . . . . . . . . . . . . . . . .  7
     4.4   Wander . . . . . . . . . . . . . . . . . . . . . . . . . .  7
   5.  Protocol Requirements  . . . . . . . . . . . . . . . . . . . .  7
     5.1   Configuration Requirements . . . . . . . . . . . . . . . .  7
       5.1.1   Manual Configuration . . . . . . . . . . . . . . . . .  7
       5.1.2   Automatic, Autonomous Configuration  . . . . . . . . .  7
       5.1.3   Vendor Pre-configuration . . . . . . . . . . . . . . .  7
       5.1.4   Administrative Domains . . . . . . . . . . . . . . . .  8
       5.1.5   Key Distribution . . . . . . . . . . . . . . . . . . .  8
     5.2   System Performance . . . . . . . . . . . . . . . . . . . .  8
       5.2.1   Scalability  . . . . . . . . . . . . . . . . . . . . .  8
       5.2.2   Client Performance Requirements  . . . . . . . . . . .  8
       5.2.3   Server Performance Requirements  . . . . . . . . . . .  8
     5.3   Security Requirements  . . . . . . . . . . . . . . . . . .  8
     5.4   Internet Protocol Version 6 Requirements . . . . . . . . .  8
     5.5   Robustness . . . . . . . . . . . . . . . . . . . . . . . .  8
       5.5.1   Authentication & Access Control  . . . . . . . . . . .  9
       5.5.2   Client/Peer Rejection  . . . . . . . . . . . . . . . .  9
     5.6   Longevity, Persistence . . . . . . . . . . . . . . . . . .  9
       5.6.1   Reconfiguration  . . . . . . . . . . . . . . . . . . .  9
   6.  Simple Network Time Protocol Requirements  . . . . . . . . . .  9
   7.  Operational Requirements . . . . . . . . . . . . . . . . . . . 10
     7.1   Client Poll Interval . . . . . . . . . . . . . . . . . . . 10
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
   10.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
   11.   References . . . . . . . . . . . . . . . . . . . . . . . . . 11
     11.1  Normative References . . . . . . . . . . . . . . . . . . . 11
     11.2  Informative References . . . . . . . . . . . . . . . . . . 11
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 11
       Intellectual Property and Copyright Statements . . . . . . . . 12












Plonka                  Expires January 11, 2006                [Page 2]


Internet-Draft             NTPv4 Requirements                  July 2005


   This Internet Draft's editor maintains the most current revision at
   http://net.doit.wisc.edu/~plonka/ntp-reqs/ [5].  You may find an
   updated document there if draft submission cut-offs have delayed its
   availability elsewhere.

   In this revision of this Internet Draft the keyword "FIXME" is used
   to mark locations where text will likely be added or modified.  In
   subsequent revisions these might be changed to XML comments in the
   original source file, but for now they indicate the early stage of
   this draft.

1.  NTP Requirements Open Issues

   1.  How can we best address SNTP?  Currently SNTP Version 4 is
       defined by its own Informational RFC (RFC 2030).  This editor's
       suggestion is that we either have our new NTP Version 4 documents
       each contain a SNTP section for the SNTP-pertinent content or to
       have a new standards-track SNTPv4 protocol document as a
       companion to the NTPv4 protocol document.  The intent is to make
       our documents as clear as possible to implementors only
       interested in SNTP, since it is likely to enjoy (or suffer
       from...) the largest number of distinct, home-grown
       implementations.  In either case, our new NTPv4 RFC(s) would then
       make RFC 2030 obsolete.

   2.  Should Operation Requirements be included in our NTP Requirements
       document?  One could argue this is BCP, but it also could have a
       major impact on the robustness of NTP as implemented, especially
       when utilizing public servers on the Internet.

   3.  The requirements draft editor needs some contributed text and
       review especially for the Algorithm Requirements section.


2.  Introduction

   This document defines requirements for the Network Time Protocol
   (NTP) Version 4.  NTP provides the mechanisms to synchronize time and
   coordinate time distribution amongst internet hosts.  NTP Version 4
   represents the latest improvements to NTP currently available and in
   use today.  Earlier versions and portions of NTP have been specified
   by RFCs 1305 [1], 1769 [2], and 2030 [3].

   Accurate and syncronized time is a requirement, or distinct
   advantage, for numerous applications.  These applications include
   distributed databases, stock market operations, document
   timestamping, aviation traffic control, multimedia program
   synchronization and teleconferncing, network measurement and control,



Plonka                  Expires January 11, 2006                [Page 3]


Internet-Draft             NTPv4 Requirements                  July 2005


   and many forms of event logging.

   NTP's stated goals include:

      Provide the best accuracy possible given network and server
      conditions.

      Resist failures including malicious attacks and implementation
      bugs.

      Be robust by utilizing Internet diversity and redundancy.

      Automaticaly organize the subnet topology for best accuracy and
      reliability.

      Perform host authentication, independent of non-NTP services.

   Furthermore, ancillary issues such as access control and non-
   repudiation are considered goals as well.

   The following requirements are prescribed or suggested by NTP
   applications, are direct consequences of NTP's goals, or are expected
   for interoperability and end-user experience with the versions of NTP
   that are in widespread use today.

   In this document, the words "must", "may", and "should" appear in
   lowercase since this is not a formal specification of the protocol.
   However, the use of these words here suggests that corresponding
   portions of the NTPv4 protocol specifications use these keywords in
   uppercase with the meanings defined by RFC 2119 [6].

3.  Terminology

   The following terms are used in this document:

      host - an internet host that runs an implementation of NTP.

      client - an NTP host that is the recipent of a disseminated time
      value.

      server - an NTP host that is the source of a disseminated time
      value.

      time - the value by which events are ordered in a given frame of
      reference.  For NTP, the frame of reference is an epoch, and the
      time value is expressed in whole and fractional seconds since that
      epoch.




Plonka                  Expires January 11, 2006                [Page 4]


Internet-Draft             NTPv4 Requirements                  July 2005


      oscillator - a generator capable of a precise frequency (relative
      to the given frame of reference) to a specified tolerance.

      clock - an oscillator together with a counter which records the
      (fractional) number of cycles since being initialized with a given
      value at a given time.

      timescale - The NTP timescale is based on the UTC timescale, such
      that at the hour zero on 1 January 1972 (the beginning of the UTC
      era) the NTP clock was set to 2,272,060,800 (the number of seconds
      since hour zero on 1 January 1900).

      epoch - the value of the counter at any given time.  These are not
      continuous and depend on the precision of the counter.

      calendar - a mapping from epoch in some frame of reference to the
      times and dates used in everyday life.

      stability - a term used to classify the performance for clock
      oscillators, the systematic variation of frequency with time,
      synonymous with aging, drift, trends, etc.

      jitter - a term used to classify the performance for clock
      oscillators, the short-term variations in frequency with
      components greater than 10 Hz.

      wander - a term used to classify the performance for clock
      oscillators, the long-term variations in frequency with components
      less than 10 Hz.

      stratum - the hierarchical layer at which an NTP host exists.  The
      host(s) at the lowest layer (stratum 1) get their time value from
      a primary (non-NTP) time source and disseminate the time to hosts
      of the same or the next higher stratum.

      subnet - the subset of network hosts that participate in a given
      NTP arrangement of servers and clients.  Typically this arrangment
      is a hierarchical tree structure in which servers of the lowest
      strata are at the root and NTP servers of increasing strata branch
      toward the leaves of the tree, that are a set of NTP clients.

      primary server - an NTP server host at stratum 1 that synchronizes
      to a non-NTP, typically national, time standard, such as by radio,
      satellite, or modem.

      secondary server/client - an NTP host at stratum 2 or more that
      synchronizes to primary server(s) via a hierarchical subnet.




Plonka                  Expires January 11, 2006                [Page 5]


Internet-Draft             NTPv4 Requirements                  July 2005


      NTP modes - one of the modes in which an NTP host operates:

         client/server mode - a unicast mode of operation in which an
         NTP server host disseminates a time value to an NTP client
         host.  This mode has also been referred to as "master/slave".

         symmetric mode - a mode of operation in which NTP hosts are
         equal peers, or servers of the same stratum.

         multicast mode - a mode of operation in which NTP clients
         discover their NTP server(s) by receiving multicast
         advertisements from the available servers.

         broadcast mode - a mode of intra-LAN operation in which NTP
         clients receive unsolicited broadcasts of the time value,
         typically from a single NTP server.


4.  Algorithm Requirements

   FIXME: consider common variable definitions whis should be compile
   time or runtime configurable?: such as MAXSTRAT, MAXSKEW, MAXDISP,
   MINCLOCK, MAXCLOCK

   FIXME: We need some help here from someone that knows the NTP
   reference implementation's (ntpd) code.  Which of the compile-time
   definitions (macros) are required to have the values defined in the
   implementation, as opposed to being configurable within a required
   range?  We should also define the range required to be supported.

4.1  Clock Discipline

   NTP implementations should include, at least, a clock discipline
   algorithm that utilizes a traditional linear phase-lock loop (PLL).
   Furthermore, NTP implementations may include a loop filter and
   variable frequency oscillator (VFO) that functions as a nonlinear,
   hybrid phase/frequency-lock (P/F) feedback loop to minimize jitter
   and wander and decrease time to converge as compared with a linear
   system only.

   When available, NTP implementations should use host system-provided
   time adjustment routines so that clock readings are monotonically
   increasing such that no two successive clock readings could be the
   same.

4.2  Accuracy

   Current NTP implementations and deployments generally have accuracies



Plonka                  Expires January 11, 2006                [Page 6]


Internet-Draft             NTPv4 Requirements                  July 2005


   of a few milliseconds in Local-Area Networks, and up to a few tens of
   milliseconds in global Wide-Area Networks.  Given the best of
   implementation environments, worst-case error cannot exceed one-half
   the roundtrip delay measured by the client.

4.3  Jitter

   FIXME

4.4  Wander

   FIXME

5.  Protocol Requirements

   NTP server implementations must include support for unicast mode of
   client/server operation and symmetric mode so that a robust
   hierarchical subnet of NTP hosts can be constructed since this is
   NTP's basis for reliability.

   NTP server implementations may provide a multicast mode to serve
   multiple IP subnets in a network.  It may also provide a broadcast
   mode in which unsolicited time values are disseminated to hosts on
   its LAN.

5.1  Configuration Requirements

   Implementations must support the configuration of NTP servers using
   the Domain Name System.  Multiple servers, e.g. up to six, should be
   able to be configured, since diverse network paths to multiple
   servers is the basis of NTP's reliability.

5.1.1  Manual Configuration

   FIXME

5.1.2  Automatic, Autonomous Configuration

   FIXME: discuss autonomous configuration using multicast (for
   diversity and redundancy) with cryptographically secure source
   discovery.

   Autonomously configured clients must periodically refresh their list
   of suitable servers.

5.1.3  Vendor Pre-configuration

   FIXME: RFC 4085 [4] defines some best current practice for SNTP



Plonka                  Expires January 11, 2006                [Page 7]


Internet-Draft             NTPv4 Requirements                  July 2005


   operation.

5.1.4  Administrative Domains

   FIXME

5.1.5  Key Distribution

   FIXME

5.2  System Performance

   FIXME

5.2.1  Scalability

   FIXME: how many servers/peers can be configured?  How many strata?

5.2.2  Client Performance Requirements

   FIXME

5.2.3  Server Performance Requirements

   FIXME

5.3  Security Requirements

   Implementations must support the MD5-based symmetric key cryptography
   with preshared keys.  This scheme is defined in RFC 1305 [1].

   Implementations must support public key cryptography as defined by
   the so-called "Autokey" protocol, which is used to verify server
   identity.  If employed, the implemetation must regenerate keys in a
   timely manner to resist compromise.  FIXME: add details

5.4  Internet Protocol Version 6 Requirements

   NTPv4 Requirements defined in this document apply without regard to
   whether the implementation runs atop IPv4 or IPv6, or both.  So, an
   implementation that supports IPv4 must support all of its NTP modes
   and cryptographic features available using IPv6 whenever IPv6 is
   available on the underlying platform.

5.5  Robustness

   FIXME




Plonka                  Expires January 11, 2006                [Page 8]


Internet-Draft             NTPv4 Requirements                  July 2005


5.5.1  Authentication & Access Control

   NTP has authentication requirements to protect the resulting system
   from faulty implementations, improper operation, and malicious
   attacks.  These are important in a distrubuted protocol so that
   damage does not propograte throughout the NTP subnet.

   NTP implementations must attempt to limit access to trusted peers.
   Trivially, this is first done by sanity checking NTP packet content
   to ignore duplicates and to timestamp packets as a one-time pad.

   However, NTP implementations should also take measures to prevent
   unauthorized message-stream modification by using a crypto-checksum
   computed by the sender and checked by the receiver.

5.5.2  Client/Peer Rejection

   NTP server implementations should include the ability to return a so-
   called "Kiss-o'-Death" (KoD) packet to a configured or discovered set
   of unwanted NTP cleints.  NTP clients, upon receiving the KoD packet,
   should cease communications with the given NTP server host that sent
   the packet, and instead rely on their other configured servers.

5.6  Longevity, Persistence

   FIXME

5.6.1  Reconfiguration

   FIXME: mention re-resolving DNS names here?

6.  Simple Network Time Protocol Requirements

   The Simple network Time Protocol (SNTP) is a slight variation of NTP
   in which the clients simply receive periodic time values to update
   their local clocks.  Today, SNTP is the most common use of the NTP
   infrastructure.  Also, SNTP is a small subset of the overall NTP
   functionality, so it has many unique client implementations.  This
   plurality and ubiquity of SNTP clients warrants special attention as
   we define requirements for implementations.

   SNTP Version 4 is defined by RFC 2030 [3] and was improved upon in a
   more recent draft by Mills, et al.  (FIXME: temporarily named "rfc-
   xxxx").  RFC 4085 [4] defines some best current practice for SNTP
   operation.

   An SNTP client should respect the KoD access-control mechanism.




Plonka                  Expires January 11, 2006                [Page 9]


Internet-Draft             NTPv4 Requirements                  July 2005


7.  Operational Requirements

   FIXME: Do operational requirements belong here or in a seperate
   document?  E.g. stratum 1 servers should be synchronized to a non-NTP
   time standard, stratum 2 servers must synchronized to primary servers
   in the NTP hierarchy.

7.1  Client Poll Interval

   An SNTP client must not use a poll interval less than one minute.

   An SNTP client should increase the poll interval using exponential
   backoff if ever the server does not respond and also as its required
   clock performance permits.

   An SNTP client should randomize its initial inter-query timeout.

8.  Security Considerations

   A reliable network time service, such as NTP means to be, requires
   provisions to prevent accidental or malicious attacks on its servers
   and clients.  Furthermore, reliability requires that NTP clients can
   verify the authenticity of NTP messages it receives.

   NTP implementations, whose requirements are described above, address
   security threats in a number of ways:

      The hosts in an NTP subnet should be able to be configurated to
      cryptographically authentication servers using shared secret keys.
      This is appropriate for hand-configured, engineered subnet
      hierarchies amongst a relatively small set of trusted NTP hosts.

      A specially crafted, NTP-specific public-key cryptography method
      should be employed to simplify the authentication of servers by
      hosts which are part of a potential large, possibly automatically
      configured, NTP subnet.

      The potentially large number and redundancy of NTP hosts and paths
      amongst them, within an NTP subnet, mitigates some security
      threats to the overall system.  NTP takes advantage of this scale
      by employing its algorithms to reject poorly performing, possibly
      compromised, NTP servers to create an overal robust, reliable time
      synchronization and dissemination system.


9.  IANA Considerations

   This document creates no new requirements on IANA namespaces.



Plonka                  Expires January 11, 2006               [Page 10]


Internet-Draft             NTPv4 Requirements                  July 2005


10.  Acknowledgements

   Most of the NTP information used as background for this document was
   drawn from David L. Mills' NTP documents, linked from [7] and [8].

11.  References

11.1  Normative References

   [1]  Mills, D., "Network Time Protocol (Version 3) Specification,
        Implementation", RFC 1305, March 1992.

   [2]  Mills, D., "Simple Network Time Protocol (SNTP)", RFC 1769,
        March 1995.

   [3]  Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for
        IPv4, IPv6 and OSI", RFC 2030, October 1996.

   [4]  Plonka, D., "Embedding Globally-Routable Internet Addresses
        Considered Harmful", BCP 105, RFC 4085, June 2005.

11.2  Informative References

   [5]  "Requirements for Network Time Protocol Version 4 Project",
        <http://net.doit.wisc.edu/~plonka/ntp-reqs/>.

   [6]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [7]  "The Network Time Protocol Project", <http://www.ntp.org>.

   [8]  "The Network Time Synchronization Project",
        <http://www.eecis.udel.edu/~mills/ntp.html>.


Author's Address

   David Plonka
   University of Wisconsin - Madison

   Email: plonka@doit.wisc.edu
   URI:   http://net.doit.wisc.edu/~plonka/









Plonka                  Expires January 11, 2006               [Page 11]


Internet-Draft             NTPv4 Requirements                  July 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Plonka                  Expires January 11, 2006               [Page 12]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/