Time is running out for NTP

Everyone benefits from Network Time Protocol, but the project struggles to pay its sole maintainer or fund its various initiatives

There are two types of open source projects: those with corporate sponsorship and those that fall under the “labor of love” category. Actually, there’s a third variety: projects that get some support but have to keep looking ahead for the next sponsor.

Some open source projects are so widely used that if anything goes wrong, everyone feels the ripple effects. OpenSSL is one such project; when the Heartbleed flaw was discovered in the open source cryptography library, organizations scrambled to identify and fix all their vulnerable networking devices and software. Network Time Protocol (NTP) arguably plays as critical a role in modern computing, if not more; the open source protocol is used to synchronize clocks on servers and devices to make sure they all have the same time. Yet, the fact remains that NTP is woefully underfunded and undersupported.

NTP is more than 30 years old—it may be the oldest codebase running on the internet. Despite some hiccups, it continues to work well. But the project’s future is uncertain because the number of volunteer contributors has shrunk, and there’s too much work for one person—principal maintainer Harlan Stenn—to handle. When there is limited support, the project has to pick and choose what tasks it can afford to complete, which slows down maintenance and stifles innovation.

“NTF’s NTP project remains severely underfunded,” the project team wrote in a recent security advisory. “Google was unable to sponsor us this year, and currently, the Linux Foundation’s Core Internet Initiative only supports Harlan for about 25 percent of his hours per week and is restricted to NTP development only.”

Last year, the Linux Foundation renewed its financial commitment to NTP for another year via the Core Infrastructure Initiative, but it isn’t enough.

The absence of a sponsor has a direct impact on the project. One of the vulnerabilities addressed in the recently released ntp-4.2.8p9 update was originally reported to the project back in June. In September, the researcher who discovered the flaw, which could be exploited with a single, malformed packet, asked for a status update because 80 days had passed since his initial report. As the vulnerability had already existed for more than 100 days, Magnus Studman was concerned that more delays gave “people with bad intentions” more chances to also find it.

Stenn’s response was blunt. “Reality bites—we remain severely under-resourced for the work that needs to be done. You can yell at us about it, and/or you can work to help us, and/or you can work to get others to help us,” he wrote.

Researchers are reporting security issues, but there aren’t enough developers to help Stenn fix them, test the patches, and document the changes. The Linux Foundation’s CII support doesn’t cover the work on new initiatives, such as the Network Time Security (NTS) and the General Timestamp API, or on standards and best practices work currently underway. The initial support from CII covers “support for developers as well as infrastructure support.”

NTS, currently in draft version with the Internet Engineering Task Force (IETF), would give administrators a way to add security to NTP, as it would secure time synchronization. The mechanism uses Datagram Transport Layer Security (DTLS) to provide cryptographic security for NTP. The General Timestamp API would develop a new time-stamp format containing more information than date and time, which would be more useful. The goal is to also develop an efficient and portable library API to use those time stamps.

Open source projects and initiatives struggle to keep going when there isn’t enough support, sponsorship, financial aid, and manpower. This is why open source security projects frequently struggle to gain traction among organizations. Organizations don’t want to wind up relying on a project when future support is uncertain. In a perfect world, open source projects that are critical parts of core infrastructure should have permanent funding.

NTP is buried so deeply in the infrastructure that practically everyone reaps the project’s benefits for free. NTP needs more than simply maintaining the codebase, fixing bugs, and improving the software. Without help, the future of the project remains uncertain. NTP—or the Network Time Foundation established to run the project—should not have to struggle to find corporate sponsors and donors.

“If accurate, secure time is important to you or your organization, help us help you: Donate today or become a member,” NTP’s project team wrote.


EmoticonEmoticon