2024.12.12

Securing time for any device: Results from the Roughtime Hackathon at IETF 121

A Roughtime Hackathon at IETF 121 led by Netnod’s Technical Consultant, Marcus Dansarie, brought together developers and researchers to refine the protocol and its implementations. In this blogpost, we summarise some of the outcomes from the hackathon.

Roughtime is a draft protocol aimed at providing a secure way for any device to obtain time and to prove if a server has provided false time to that device. This post is based on a summary that Marcus Dansarie shared with the IETF NTP Working Group following the hackathon.

Interoperability with “Plummet”

A major focus of the hackathon was ensuring interoperability between different Roughtime implementations. To facilitate this, participants developed and used Plummet, an automated interoperability testing tool. Plummet creates a Docker container for each Roughtime implementation and uses the containers for testing each client against each server, logging outputs and packets. Results are available as individual log and PCAP files as well as in condensed JSON and HTML formats. The result html file produced by Plummet also contains a handy interoperability matrix and parsed Roughtime packets for quick analysis.

Plummet Example

Figure 1: Interoperability matrix generated by Plummet

Interoperability achieved!

After fixing bugs uncovered during the hackathon, full interoperability was achieved between five of the implementations supporting the latest Roughtime draft (with three having both server and client implementations).

Issues identified at the hackathon

Participants identified a vulnerability in the protocol that allowed for potential version downgrade attacks. To address this, the protocol was updated to ensure that any changes in clients’ request packets or to servers’ version information can be detected. The hackathon also revealed several other security-related clarifications needed for the next version of the draft.

During the hackathon, it was observed that many clients lacked proper checks for received responses and that servers did not grease responses by sending unusual or unexpected data to test client behaviour, even though this was recommended in the draft. The new draft has improved recommendations for greasing to support it being implemented in clients and servers.

In addition, a list of other editorial issues were noted in the draft where the language needed to be clearer to avoid any ambiguity.

Next steps

Most of the issues identified in the hackathon have been resolved and implemented in an updated draft (draft-12) released on 4 December. The next steps for Roughtime include ensuring implementations align with the updated draft to maintain interoperability and moving the draft to Last Call in the IETF NTP Working Group.

More information

For more information on Roughtime, you can see our previous Roughtime blogpost on RIPE Labs. For more on Netnod’s work developing world-leading time services, see here.

Thanks to the RIPE NCC for funding the work on Roughtime development through the RIPE NCC Community Fund.

Roughtime: securing time for IoT devices

Rob Allen

2024.08.27

We spoke with Marcus Dansarie, Technical Consultant at Netnod and co-author of the IETF draft on Roughtime. In the Q&A below, we examine why secure time is essential, the challenges for IoT devices, and how Roughtime could be the solution to a widespread problem.

Remote IX

Netnod Time

Unlocking the power of ports

Björn Strömgård

2024.04.15

We talk with Björn Stromgard, Product Owner at Netnod, about maximising the value of connecting to a Netnod IX and making life easier for customers.

Netnod Time

Implementing Network Time Security at the Hardware Level

Christer Weinigel

2022.07.07

Network Time Security (NTS) adds a vital layer of security to Network Time Protocol (NTP) services. Having carried out our software implementation of NTS back in 2019, we recently implemented NTS at the hardware level.

Show all blog articles