NTP's Fate Hinges On 'Father Time' - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Life
News
3/11/2015
06:06 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

NTP's Fate Hinges On 'Father Time'

The Network Time Protocol provides a foundation to modern computing. So why does NTP's support hinge so much on the shaky finances of one 59-year-old developer?

(Image: Geralt via Pixabay)

(Image: Geralt via Pixabay)

The Release Before Christmas

Stenn told us his workload got a little heavier in October 2014, when Google security team member Chris Ries notified him that he had discovered a security risk in NTP. It was a buffer overflow in NTP autokey, the public key/private key authentication system used to verify downloaded code. Although no one was known to have used it yet, the vulnerability had the potential to let a hacker launch malicious code remotely through an NTP server.

Stenn said Google previously had made clear to him that it will publish vulnerabilities 90 days after notifying the party responsible for the code. Stenn felt the clock had started ticking, and he didn't ask for a waiver. He set to work, putting in 16 to 18 hours a day for 10 weeks to correct the defect and get a new release out before the 90 days were up. It would be upsetting to all NTP users to have a vulnerability aired with no fix in hand.

On Dec. 18, he posted news of the vulnerability on the support Web site, sent notices out on the NTP email list, and posted a fixed version of the code. For this effort, Stenn said he got a lot of feedback -- and not in a good way.

As best he can estimate, "I pissed off over a hundred thousand folks by announcing this fix" seven days before Christmas, he recalled. "Yow." People wanted more warning, and they accused him of favoritism and letting some people know about it sooner. It was tough, but also offered a deeper realization of the true position he was in.

One of Stenn's main pillars of support is the originator of NTP, Professor David Mills, "who knows more about NTP code than any other human being," said Stenn. In many cases, he checks with Mills before making changes to the code, in part because Mills has embedded comments in the code that should be checked with before the code is altered.

The core functionality of NTP is described as simple and straightforward. But Mills, in an interview with InformationWeek, said that other parts having to do with monitoring and control "are so complex that the whole thing falls apart if you change something."

Mills, 76, is long retired from teaching computer and electrical engineering at the University of Delaware, where he originated the first version of NTP. At this point, he is also blind and can't help Stenn review code. To Mills, NTP "was kind of a hobby" for many years, and Stenn got in early with good patches as he worked with NTP in his contract jobs, and did some of the thankless tasks like release manager. Asked if Stenn should get more support, Mills responded, "I didn't realize he was working on it full time."

"Dave never saw the need for the type of end-user support that we offer," said Stenn. "He has no patience to deal with people who need that sort of handholding."

Independent, outside contributors do still submit code to NTP, though they tend to focus on the single operating system version they like to work with. One expert, Poul-Henning Kamp, is working in Denmark "with great plans for a future implementation," said Stenn.

When it comes to fixing existing bugs and vulnerabilities, there's Stenn as the sole full-time code committer and a few volunteers he can coax into looking at specific problems.

Stenn clearly likes the work, though. He described himself as an introvert who loves resolving issues of time. At his home lab in Talent, he has four GPS receivers on the roof collecting the combined wisdom of 12 atomic clocks. When the question of taking vacations came up in our discussion, his wife Margaret, who's listening in in the background, issued a hearty laugh. Stenn said vacations are a trip to the movies a few times a year. "My wife thinks I'm insane," he said as an aside in a later email.

As Stenn looks to the future, he sees NTP undergoing further development, including possible coordination with PTP, so that NTP "could speak PTP" for those who need more precise time than NTP can deliver. Such a move will take lots of work, though, and Stenn says he'll need to cut back his hours drastically, and start consulting full time, unless the Linux Foundation and other donors support NTP's work.

"There is a need for support for the free public infrastructure," Stenn said. "But there's just no revenue stream around time right now. People scream if their clocks are off by a second. They say, "Yes, we need you, but we can't give you any money.'"

(Image: Geralt via Pixabay)

(Image: Geralt via Pixabay)

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Previous
5 of 5
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 4   >   >>
akostadinov
50%
50%
akostadinov,
User Rank: Apprentice
8/18/2015 | 10:50:33 AM
alternatives
chronyd anybody? (chrony.tuxfamily.org)

works better at least for some use cases...

Competition is good, otherwise things rot anyway.
kstaron
50%
50%
kstaron,
User Rank: Ninja
3/25/2015 | 3:52:11 PM
So the people using it aren't wiling to pay?
Can I guess that by the lack of this guy's wallet, that the companies who claim to care, like Google, have not stepped up and given the the guy funding to make sure the clock keeps ticking? If he has not yet, I would suggest he approach each of the companies that uses NTP and tell them it's in danger of being unsupported without financial backing. Wake up the guys who use it and let them know the free ride is about over.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/23/2015 | 11:51:33 PM
Has this issue kept you up late at night?
This may not be something you've worried about lately, but the 32-bit counter in the Network Time Protocol's time stamp is able to designate any second that's occurred since Jan.1, 1900. The only thing bad about covering such an expanse of time is that the counter runs out of numbers sometime in 2036. Like I said, maybe you haven't worried about it -- yet. Harlan Stenn is up late at night thinking about the solution... Better keep him on the case.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/18/2015 | 1:46:40 PM
Just a minute, Mr. Gigabob
Your answer is straightforward, Mr. Gigabob, except for the part about how we've had for years many companies with a vested interest in sychronizing time and they haven't done what you say should happen.
Mr. Gigabob
50%
50%
Mr. Gigabob,
User Rank: Strategist
3/18/2015 | 12:45:27 PM
Re: Is there really a problem?
The process is straightforward - an industry group with a vested interest steps in and enlists support from an eco-system by starting a "Time Committee" with contributions from those organizations in the form of team members and fiscal backing levels.  DLNA, USB, WiFi all started this way as a prelude to creating and adopting a standard.  The more groups the get behind supporting NTP - the more that will build in NTP into their systems.  

Ideally, increased investment in time synchronization for security, log management and other roles will add many paths to orbiting atomic clocks in GPS satellites to increase accuracy of NTP so it eclipses PTP - Precision Time Protocol (IEEE1588).

NTP and PTP approach the problem from different angles.  PTP uses hardware to provide a precise local clock with accuracy to 100ns and very little software sophistication.  NTP uses software and statistics to get time from local motherboards and other sources then distribute across a network.  Accuracy varies widely from micro-seconds to 10's of milliseconds, as distribution delays across shared network links are impacted by busy workloads.  Until there is a ubiquity of precision time sources available with known latency, we need both.

As an example of industry standard support - suppose members of the "TIME ASSOCIATION" included all the major home network router vendors.  Their support for NTP might include some local intelligence and a dedicated port channel for distributing time information that would have a prioritezed Quality of Service level enabling it to consistently provide microsecond accuracy in the home.  This would be advertised as a selling point and if embraced by users would prolieferate across the Customer Premises landscape.

Ironically we have access to precision time in to 100ns today.  Everyone with a GPS chip in their mobile phone leverages the GPS time in the orbiting satellites.  Perhaps it is time to codify that into a new standard.
pzjones
50%
50%
pzjones,
User Rank: Apprentice
3/18/2015 | 12:28:30 PM
Demonstrates change in motivation
I think this article clearly demonstrates what attracts people to IT now is not what drove many of us into IT 20+ years ago. It wasn't about the "job" or the "salary." It was about the love of this new technology, about being a pioneer in this industry, about collaboration, about conquering and innovating.

 It was nice that it came with a salary but that wasn't the driving force. I've seen many come because they thought they would make the big bucks but didn't have the heart or the passion and now they have gone...some stick around because "it's a job" and they don't want to go back to school. For those like Stenn, it is much more than that...it's in the blood. We need to figure out how to ignite that fire in the younger generation that has come to rely on technology without a desire to be part of it.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
3/17/2015 | 2:07:46 PM
You're right, Cesium-133 is stable, not decomposing
mbperezpinilla, A second as measured by an atomic clock is "9,192,631,770 cycles of radiation" reflecting the transition in energy levels of the Caesium-133 atom, according to the International System of Units. I didn't realize radiation in this case doesn't mean (ouch) radioactive. I've always thought atomic cloicks were using a measure of radioactive decomposition as a precise time-keeper. Instead, it's vibrations of the stable Cesium-133 atom that's keeping the beat. It's Cesium-137, used in medical imaging, that's radioactive. Oh boy, time to brush up on my physics.

 

 
mbperezpinilla
50%
50%
mbperezpinilla,
User Rank: Apprentice
3/17/2015 | 7:07:24 AM
Radioactive Cesium-133???
Cesium-133 is the only stable isotope of Cesium!
vorlonken
50%
50%
vorlonken,
User Rank: Apprentice
3/16/2015 | 1:28:34 PM
Here's the proper solution
Author: "So, Mr Stenn, what will you do if huge companies like Google, Microsoft, IBM, Apple, Cisco, Intel, etc don't start contributing? They could each donate $10 million/year with the change culled from under the driver's seat of the CEO!" Stenn: (shrugs) That's how the article should end. I hope everyone out there got my very unsubtle reference.
Susan_Nunziata
50%
50%
Susan_Nunziata,
User Rank: Strategist
3/16/2015 | 7:48:06 AM
Re: Is there really a problem?
@Gigabob: Your comment caught my eye, especially this: creating a better vehicle to support critical open source protocols like NTP.

Having been thru a similar experience yourself, what would you say is required to create such a vehicle for NTP (and other critical open source projects).

 

 
Page 1 / 4   >   >>
News
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
News
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
Slideshows
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Video
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Slideshows
Flash Poll