[51CTO.com Quick Translation] Everyone enjoys the convenience the Network Time Protocol provides, yet the project struggles to bring any benefit to its maintainers or to the parties involved in its development.

There are two kinds of open source projects in the world: those funded by companies and those that are “labors of love.” In fact, there is a third kind: projects that have some level of support but are always looking for the next sponsor.
Some open source projects are so widely used that when something goes wrong, everyone is affected. OpenSSL is one such project; when the Heartbleed vulnerability was officially disclosed, organizations scrambled to fix the security holes in their network equipment and software. The Network Time Protocol (NTP) also plays a vital role in modern computing, keeping the clocks on different servers and devices synchronized. However, the NTP project faces a severe lack of funding and support resources.

NTP is over 30 years old, probably the oldest code base running on the Internet. Despite minor setbacks, it continues to work. However, the project's future is not optimistic, and a sharp decline in the number of volunteers has forced Harlan Stenn to often do the work alone. With limited support, the project can achieve less and less: maintenance has declined and innovation has become almost impossible.

"NTF's NTP project remains severely underfunded," the project team wrote in a recent security advisory. "Google has withdrawn its sponsorship this year, and the Linux Foundation's Core Infrastructure Project can only support about 25% of Harlan's total weekly work hours on NTP development."

Last year, the Linux Foundation reviewed its funding for NTP through the Core Infrastructure Project for the new year, but the meager amount was clearly far from enough.

The sponsorship system has had a fatal impact on the project. Its recently released ntp-4.2.8p0 update addresses a vulnerability that was disclosed in June this year. As late as September this year, 80 days after disclosure, the researchers who discovered the vulnerability were still able to exploit it with a single maliciously crafted packet. With the vulnerability window now past 100 days, Magnus Studman is worried that further delays will lead to it being "exploited by malicious people."
Stenn’s response was indeed rather slow. “In reality, we are still facing a serious lack of resources. Please feel free to ask us questions and/or join us to help get the work done and/or invite others to lend a hand,” he wrote. Although researchers have reported security issues, there are still not enough developers to help Stenn complete fixes, patch testing, and file changes.

The Linux Foundation's Core Infrastructure Project support does not cover new projects such as Network Time Security (NTS) and the Universal Timestamp API, or their adaptation to existing best practices and standards. It covers only "support for developers and infrastructure."

Currently an Internet Engineering Task Force (IETF) draft, NTS gives administrators a way to improve the security of NTP and protect the time synchronization mechanism. It uses Datagram Transport Layer Security (DTLS) to provide cryptographic security for NTP.

The Universal Timestamp API will develop a new timestamp format that contains more information than just the date and time, to improve practicality. The goal is to develop a more efficient and portable library API for using these timestamps.

Many open source projects and initiatives are plagued by support, sponsorship, financial and human resource issues. For this reason, open source security projects have been working hard to establish connections with enterprises. Enterprises certainly don't want to build applications on a project that may no longer be supported in the future. Ideally, open source projects that are critical components of core infrastructure should have permanent sponsorship.

NTP plays an important role in infrastructure, and almost everyone enjoys the convenience of this free project. NTP currently needs not only code maintenance, but also more people to join in to fix bugs and advance the development of the software.
Without more help, the future of the project is uncertain. In fact, it should not be difficult for NTP, or for the Network Time Foundation, which established and operates the project, to find suitable corporate sponsors and contributors.

"If accurate and secure time synchronization is important to you or your organization, please help us and help yourself: donate or become a member today," the NTP project team wrote.

Original title: Time is running out for NTP, author: Fahmida Y. Rashid

[Translated by 51CTO. Please indicate the original translator and source as 51CTO.com when reprinting on partner sites]