1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
|
Internet Engineering Task Force (IETF) T. Mizrahi
Request for Comments: 7384 Marvell
Category: Informational October 2014
ISSN: 2070-1721
Security Requirements of Time Protocols
in Packet Switched Networks
Abstract
As time and frequency distribution protocols are becoming
increasingly common and widely deployed, concern about their exposure
to various security threats is increasing. This document defines a
set of security requirements for time protocols, focusing on the
Precision Time Protocol (PTP) and the Network Time Protocol (NTP).
This document also discusses the security impacts of time protocol
practices, the performance implications of external security
practices on time protocols, and the dependencies between other
security services and time synchronization.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7384.
Mizrahi Informational [Page 1]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................4
2. Terminology .....................................................5
2.1. Requirements Language ......................................5
2.2. Abbreviations ..............................................6
2.3. Common Terminology for PTP and NTP .........................6
2.4. Terms Used in This Document ................................6
3. Security Threats ................................................7
3.1. Threat Model ...............................................8
3.1.1. Internal vs. External Attackers .....................8
3.1.2. Man in the Middle (MITM) vs. Packet Injector ........8
3.2. Threat Analysis ............................................9
3.2.1. Packet Manipulation .................................9
3.2.2. Spoofing ............................................9
3.2.3. Replay Attack .......................................9
3.2.4. Rogue Master Attack .................................9
3.2.5. Packet Interception and Removal ....................10
3.2.6. Packet Delay Manipulation ..........................10
3.2.7. L2/L3 DoS Attacks ..................................10
3.2.8. Cryptographic Performance Attacks ..................10
3.2.9. DoS Attacks against the Time Protocol ..............11
3.2.10. Grandmaster Time Source Attack (e.g., GPS Fraud) ..11
3.2.11. Exploiting Vulnerabilities in the Time Protocol ...11
3.2.12. Network Reconnaissance ............................11
3.3. Threat Analysis Summary ...................................12
4. Requirement Levels .............................................13
5. Security Requirements ..........................................14
5.1. Clock Identity Authentication and Authorization ...........14
5.1.1. Authentication and Authorization of Masters ........15
5.1.2. Recursive Authentication and Authorization
of Masters (Chain of Trust) ........................16
5.1.3. Authentication and Authorization of Slaves .........17
Mizrahi Informational [Page 2]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.1.4. PTP: Authentication and Authorization of
P2P TCs by the Master ..............................18
5.1.5. PTP: Authentication and Authorization of
Control Messages ...................................18
5.2. Protocol Packet Integrity .................................19
5.2.1. PTP: Hop-by-Hop vs. End-to-End Integrity
Protection .........................................20
5.2.1.1. Hop-by-Hop Integrity Protection ...........20
5.2.1.2. End-to-End Integrity Protection ...........21
5.3. Spoofing Prevention .......................................21
5.4. Availability ..............................................22
5.5. Replay Protection .........................................23
5.6. Cryptographic Keys and Security Associations ..............23
5.6.1. Key Freshness ......................................23
5.6.2. Security Association ...............................24
5.6.3. Unicast and Multicast Associations .................24
5.7. Performance ...............................................25
5.8. Confidentiality ...........................................26
5.9. Protection against Packet Delay and Interception Attacks ..27
5.10. Combining Secured with Unsecured Nodes ...................27
5.10.1. Secure Mode .......................................28
5.10.2. Hybrid Mode .......................................28
6. Summary of Requirements ........................................29
7. Additional Security Implications ...............................31
7.1. Security and On-the-Fly Timestamping ......................31
7.2. PTP: Security and Two-Step Timestamping ...................31
7.3. Intermediate Clocks .......................................32
7.4. External Security Protocols and Time Protocols ............32
7.5. External Security Services Requiring Time .................33
7.5.1. Timestamped Certificates ...........................33
7.5.2. Time Changes and Replay Attacks ....................33
8. Issues for Further Discussion ..................................34
9. Security Considerations ........................................34
10. References ....................................................34
10.1. Normative References .....................................34
10.2. Informative References ...................................34
Acknowledgments ...................................................36
Contributors ......................................................36
Author's Address ..................................................36
Mizrahi Informational [Page 3]
^L
RFC 7384 Time Protocol Security Requirements October 2014
1. Introduction
As time protocols are becoming increasingly common and widely
deployed, concern about the resulting exposure to various security
threats is increasing. If a time protocol is compromised, the
applications it serves are prone to a range of possible attacks
including Denial of Service (DoS) or incorrect behavior.
This document discusses the security aspects of time distribution
protocols in packet networks and focuses on the two most common
protocols: the Network Time Protocol [NTPv4] and the Precision Time
Protocol (PTP) [IEEE1588]. Note that although PTP was not defined by
the IETF, it is one of the two most common time protocols; hence, it
is included in the discussion.
The Network Time Protocol was defined with an inherent security
protocol; [NTPv4] defines a security protocol that is based on a
symmetric key authentication scheme, and [AutoKey] presents an
alternative security protocol, based on a public key authentication
scheme. [IEEE1588] includes an experimental security protocol,
defined in Annex K of the standard, but this Annex was never
formalized into a fully defined security protocol.
While NTP includes an inherent security protocol, the absence of a
standard security solution for PTP undoubtedly contributed to the
wide deployment of unsecured time synchronization solutions.
However, in some cases, security mechanisms may not be strictly
necessary, e.g., due to other security practices in place or due to
the architecture of the network. A time synchronization security
solution, much like any security solution, is comprised of various
building blocks and must be carefully tailored for the specific
system in which it is deployed. Based on a system-specific threat
assessment, the benefits of a security solution must be weighed
against the potential risks, and based on this trade-off an optimal
security solution can be selected.
The target audience of this document includes:
o Timing and networking equipment vendors - can benefit from this
document by deriving the security features that should be
supported in the time/networking equipment.
o Standards development organizations - can use the requirements
defined in this document when specifying security mechanisms for a
time protocol.
Mizrahi Informational [Page 4]
^L
RFC 7384 Time Protocol Security Requirements October 2014
o Network operators - can use this document as a reference when
designing a network and its security architecture. As stated
above, the requirements in this document may be deployed
selectively based on a careful per-system threat analysis.
This document attempts to add clarity to the time protocol security
requirements discussion by addressing a series of questions:
(1) What are the threats that need to be addressed for the time
protocol and what security services need to be provided (e.g., a
malicious NTP server or PTP master)?
(2) What external security practices impact the security and
performance of time keeping and what can be done to mitigate
these impacts (e.g., an IPsec tunnel in the time protocol traffic
path)?
(3) What are the security impacts of time protocol practices (e.g.,
on-the-fly modification of timestamps)?
(4) What are the dependencies between other security services and
time protocols? (For example, which comes first - the
certificate or the timestamp?)
In light of the questions above, this document defines a set of
requirements for security solutions for time protocols, focusing on
PTP and NTP.
2. Terminology
2.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
This document describes security requirements; thus, requirements are
phrased in the document in the form "the security mechanism
MUST/SHOULD/...". Note that the phrasing does not imply that this
document defines a specific security mechanism, but that it defines
the requirements with which every security mechanism should comply.
Mizrahi Informational [Page 5]
^L
RFC 7384 Time Protocol Security Requirements October 2014
2.2. Abbreviations
BC Boundary Clock [IEEE1588]
BMCA Best Master Clock Algorithm [IEEE1588]
DoS Denial of Service
MITM Man in the Middle
NTP Network Time Protocol [NTPv4]
OC Ordinary Clock [IEEE1588]
P2P TC Peer-to-Peer Transparent Clock [IEEE1588]
PTP Precision Time Protocol [IEEE1588]
TC Transparent Clock [IEEE1588]
2.3. Common Terminology for PTP and NTP
This document refers to both PTP and NTP. For the sake of
consistency, throughout the document the term "master" applies to
both a PTP master and an NTP server. Similarly, the term "slave"
applies to both PTP slaves and NTP clients. The term "protocol
packets" refers generically to PTP and NTP messages.
2.4. Terms Used in This Document
o Clock - A node participating in the protocol (either PTP or NTP).
A clock can be a master, a slave, or an intermediate clock (see
corresponding definitions below).
o Control packets - Packets used by the protocol to exchange
information between clocks that is not strictly related to the
time. NTP uses NTP Control Messages. PTP uses Announce,
Signaling, and Management messages.
o End-to-end security - A security approach where secured packets
sent from a source to a destination are not modified by
intermediate nodes, allowing the destination to authenticate the
source of the packets and to verify their integrity. In the
context of confidentiality, end-to-end encryption guarantees that
intermediate nodes cannot eavesdrop to en route packets. However,
as discussed in Section 5, confidentiality is not a strict
requirement in this document.
Mizrahi Informational [Page 6]
^L
RFC 7384 Time Protocol Security Requirements October 2014
o Grandmaster - A master that receives time information from a
locally attached clock device and not through the network. A
grandmaster distributes its time to other clocks in the network.
o Hop-by-hop security - A security approach where secured packets
sent from a source to a destination may be modified by
intermediate nodes. In this approach intermediate nodes share the
encryption key with the source and destination, allowing them to
re-encrypt or re-authenticate modified packets before relaying
them to the destination.
o Intermediate clock - A clock that receives timing information from
a master and sends timing information to other clocks. In NTP,
this term refers to an NTP server that is not a Stratum 1 server.
In PTP, this term refers to a BC or a TC.
o Master - A clock that generates timing information to other clocks
in the network. In NTP, 'master' refers to an NTP server. In
PTP, 'master' refers to a master OC (aka grandmaster) or to a port
of a BC that is in the master state.
o Protocol packets - Packets used by the time protocol. The
terminology used in this document distinguishes between time
packets and control packets.
o Secured clock - A clock that supports a security mechanism that
complies to the requirements in this document.
o Slave - A clock that receives timing information from a master.
In NTP, 'slave' refers to an NTP client. In PTP, 'slave' refers
to a slave OC or to a port of a BC that is in the slave state.
o Time packets - Protocol packets carrying time information.
o Unsecured clock - A clock that does not support a security
mechanism according to the requirements in this document.
3. Security Threats
This section discusses the possible attacker types and analyzes
various attacks against time protocols.
The literature is rich with security threats of time protocols, e.g.,
[Traps], [AutoKey], [TimeSec], [SecPTP], and [SecSen]. The threat
analysis in this document is mostly based on [TimeSec].
Mizrahi Informational [Page 7]
^L
RFC 7384 Time Protocol Security Requirements October 2014
3.1. Threat Model
A time protocol can be attacked by various types of attackers.
The analysis in this document classifies attackers according to two
criteria, as described in Sections 3.1.1 and 3.1.2.
3.1.1. Internal vs. External Attackers
In the context of internal and external attackers, the underlying
assumption is that the time protocol is secured by either an
encryption mechanism, an authentication mechanism, or both.
Internal attackers either have access to a trusted segment of the
network or possess the encryption or authentication keys. An
internal attack can also be performed by exploiting vulnerabilities
in devices; for example, by installing malware or obtaining
credentials to reconfigure the device. Thus, an internal attacker
can maliciously tamper with legitimate traffic in the network as well
as generate its own traffic and make it appear legitimate to its
attacked nodes.
Note that internal attacks are a special case of Byzantine failures,
where a node in the system may fail in arbitrary ways; by crashing,
by omitting messages, or by malicious behavior. This document
focuses on nodes that demonstrate malicious behavior.
External attackers, on the other hand, do not have the keys and have
access only to the encrypted or authenticated traffic.
Obviously, in the absence of a security mechanism, there is no
distinction between internal and external attackers, since all
attackers are internal in practice.
3.1.2. Man in the Middle (MITM) vs. Packet Injector
MITM attackers are located in a position that allows interception and
modification of in-flight protocol packets. It is assumed that an
MITM attacker has physical access to a segment of the network or has
gained control of one of the nodes in the network.
A traffic injector is not located in an MITM position, but can attack
by generating protocol packets. An injector can reside either within
the attacked network or on an external network that is connected to
the attacked network. An injector can also potentially eavesdrop on
protocol packets sent as multicast, record them, and replay them
later.
Mizrahi Informational [Page 8]
^L
RFC 7384 Time Protocol Security Requirements October 2014
3.2. Threat Analysis
3.2.1. Packet Manipulation
A packet manipulation attack results when an MITM attacker receives
timing protocol packets, alters them, and relays them to their
destination, allowing the attacker to maliciously tamper with the
protocol. This can result in a situation where the time protocol is
apparently operational but providing intentionally inaccurate
information.
3.2.2. Spoofing
In spoofing, an injector masquerades as a legitimate node in the
network by generating and transmitting protocol packets or control
packets. Two typical examples of spoofing attacks:
o An attacker can impersonate the master, allowing malicious
distribution of false timing information.
o An attacker can impersonate a legitimate clock, a slave, or an
intermediate clock, by sending malicious messages to the master,
causing the master to respond to the legitimate clock with
protocol packets that are based on the spoofed messages.
Consequently, the delay computations of the legitimate clock are
based on false information.
As with packet manipulation, this attack can result in a situation
where the time protocol is apparently operational but providing
intentionally inaccurate information.
3.2.3. Replay Attack
In a replay attack, an attacker records protocol packets and replays
them at a later time without any modification. This can also result
in a situation where the time protocol is apparently operational but
providing intentionally inaccurate information.
3.2.4. Rogue Master Attack
In a rogue master attack, an attacker causes other nodes in the
network to believe it is a legitimate master. As opposed to the
spoofing attack, in the rogue master attack the attacker does not
fake its identity, but rather manipulates the master election process
using malicious control packets. For example, in PTP, an attacker
can manipulate the Best Master Clock Algorithm (BMCA) and cause other
nodes in the network to believe it is the most eligible candidate to
be a grandmaster.
Mizrahi Informational [Page 9]
^L
RFC 7384 Time Protocol Security Requirements October 2014
In PTP, a possible variant of this attack is the rogue TC/BC attack.
Similar to the rogue master attack, an attacker can cause victims to
believe it is a legitimate TC or BC, allowing the attacker to
manipulate the time information forwarded to the victims.
3.2.5. Packet Interception and Removal
A packet interception and removal attack results when an MITM
attacker intercepts and drops protocol packets, preventing the
destination node from receiving some or all of the protocol packets.
3.2.6. Packet Delay Manipulation
In a packet delay manipulation scenario, an MITM attacker receives
protocol packets and relays them to their destination after adding a
maliciously computed delay. The attacker can use various delay
attack strategies; the added delay can be constant, jittered, or
slowly wandering. Each of these strategies has a different impact,
but they all effectively manipulate the attacked clock.
Note that the victim still receives one copy of each packet, contrary
to the replay attack, where some or all of the packets may be
received by the victim more than once.
3.2.7. L2/L3 DoS Attacks
There are many possible Layer 2 and Layer 3 DoS attacks, e.g., IP
spoofing, ARP spoofing [Hack], MAC flooding [Anatomy], and many
others. As the target's availability is compromised, the timing
protocol is affected accordingly.
3.2.8. Cryptographic Performance Attacks
In cryptographic performance attacks, an attacker transmits fake
protocol packets, causing high utilization of the cryptographic
engine at the receiver, which attempts to verify the integrity of
these fake packets.
This DoS attack is applicable to all encryption and authentication
protocols. However, when the time protocol uses a dedicated security
mechanism implemented in a dedicated cryptographic engine, this
attack can be applied to cause DoS specifically to the time protocol.
Mizrahi Informational [Page 10]
^L
RFC 7384 Time Protocol Security Requirements October 2014
3.2.9. DoS Attacks against the Time Protocol
An attacker can attack a clock by sending an excessive number of time
protocol packets, thus degrading the victim's performance. This
attack can be implemented, for example, using the attacks described
in Sections 3.2.2 and 3.2.4.
3.2.10. Grandmaster Time Source Attack (e.g., GPS Fraud)
Grandmasters receive their time from an external accurate time
source, such as an atomic clock or a GPS clock, and then distribute
this time to the slaves using the time protocol.
Time source attacks are aimed at the accurate time source of the
grandmaster. For example, if the grandmaster uses a GPS-based clock
as its reference source, an attacker can jam the reception of the GPS
signal, or transmit a signal similar to one from a GPS satellite,
causing the grandmaster to use a false reference time.
Note that this attack is outside the scope of the time protocol.
While various security measures can be taken to mitigate this attack,
these measures are outside the scope of the security requirements
defined in this document.
3.2.11. Exploiting Vulnerabilities in the Time Protocol
Time protocols can be attacked by exploiting vulnerabilities in the
protocol, implementation bugs, or misconfigurations (e.g.,
[NTPDDoS]). It should be noted that such attacks cannot typically be
mitigated by security mechanisms. However, when a new vulnerability
is discovered, operators should react as soon as possible, and take
the necessary measures to address it.
3.2.12. Network Reconnaissance
An attacker can exploit the time protocol to collect information such
as addresses and locations of nodes that take part in the protocol.
Reconnaissance can be applied by either passively eavesdropping on
protocol packets or sending malicious packets and gathering
information from the responses. By eavesdropping on a time protocol,
an attacker can learn the network latencies, which provide
information about the network topology and node locations.
Moreover, properties such as the frequency of the protocol packets,
or the exact times at which they are sent, can allow fingerprinting
of specific nodes; thus, protocol packets from a node can be
identified even if network addresses are hidden or encrypted.
Mizrahi Informational [Page 11]
^L
RFC 7384 Time Protocol Security Requirements October 2014
3.3. Threat Analysis Summary
The two key factors to a threat analysis are the impact and the
likelihood of each of the analyzed attacks.
Table 1 summarizes the security attacks presented in Section 3.2.
For each attack, the table specifies its impact, and its
applicability to each of the attacker types presented in Section 3.1.
Table 1 clearly shows the distinction between external and internal
attackers, and motivates the usage of authentication and integrity
protection, significantly reducing the impact of external attackers.
The Impact column provides an intuitive measure of the severity of
each attack, and the relevant Attacker Type column provides an
intuition about how difficult each attack is to implement and, hence,
about the likelihood of each attack.
The Impact column in Table 1 can have one of three values:
o DoS - the attack causes denial of service to the attacked node,
the impact of which is not restricted to the time protocol.
o Accuracy degradation - the attack yields a degradation in the
slave accuracy, but does not completely compromise the slaves'
time and frequency.
o False time - slaves align to a false time or frequency value due
to the attack. Note that if the time protocol aligns to a false
time, it may cause DoS to other applications that rely on accurate
time. However, for the purpose of the analysis in this section,
we distinguish this implication from 'DoS', which refers to a DoS
attack that is not necessarily aimed at the time protocol. All
attacks that have a '+' for 'False Time' implicitly have a '+' for
'Accuracy Degradation'. Note that 'False Time' necessarily
implies 'Accuracy Degradation'. However, two different terms are
used, indicating two levels of severity.
The Attacker Type column refers to the four possible combinations of
the attacker types defined in Section 3.1.
Mizrahi Informational [Page 12]
^L
RFC 7384 Time Protocol Security Requirements October 2014
+-----------------------------+-------------------++-------------------+
| Attack | Impact || Attacker Type |
| +-----+--------+----++---------+---------+
| |False|Accuracy| ||Internal |External |
| |Time |Degrad. |DoS ||MITM|Inj.|MITM|Inj.|
+-----------------------------+-----+--------+----++----+----+----+----+
|Manipulation | + | | || + | | | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Spoofing | + | | || + | + | | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Replay attack | + | | || + | + | | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Rogue master attack | + | | || + | + | | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Interception and removal | | + | + || + | | + | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Packet delay manipulation | + | | || + | | + | |
+-----------------------------+-----+--------+----++----+----+----+----+
|L2/L3 DoS attacks | | | + || + | + | + | + |
+-----------------------------+-----+--------+----++----+----+----+----+
|Crypt. performance attacks | | | + || + | + | + | + |
+-----------------------------+-----+--------+----++----+----+----+----+
|Time protocol DoS attacks | | | + || + | + | | |
+-----------------------------+-----+--------+----++----+----+----+----+
|Master time source attack | + | | || + | + | + | + |
|(e.g., GPS spoofing) | | | || | | | |
+-----------------------------+-----+--------+----++----+----+----+----+
Table 1: Threat Analysis - Summary
The threats discussed in this section provide the background for the
security requirements presented in Section 5.
4. Requirement Levels
The security requirements are presented in Section 5. Each
requirement is defined with a requirement level, in accordance with
the requirement levels defined in Section 2.1.
The requirement levels in this document are affected by the following
factors:
o Impact:
The possible impact of not implementing the requirement, as
illustrated in the Impact column of Table 1. For example, a
requirement that addresses a threat that can be implemented by an
external injector is typically a 'MUST', since the threat can be
implemented by all the attacker types analyzed in Section 3.1.
Mizrahi Informational [Page 13]
^L
RFC 7384 Time Protocol Security Requirements October 2014
o Difficulty of the corresponding attack:
The level of difficulty of the possible attacks that become
possible by not implementing the requirement. The level of
difficulty is reflected in the Attacker Type column of Table 1.
For example, a requirement that addresses a threat that only
compromises the availability of the protocol is typically no more
than a 'SHOULD'.
o Practical considerations:
Various practical factors that may affect the requirement. For
example, if a requirement is very difficult to implement, or is
applicable to very specific scenarios, these factors may reduce
the requirement level.
Section 5 lists the requirements. For each requirement, there is a
short explanation detailing the reason for its requirement level.
5. Security Requirements
This section defines a set of security requirements. These
requirements are phrased in the form "the security mechanism
MUST/SHOULD/MAY...". However, this document does not specify how
these requirements can be met. While these requirements can be
satisfied by defining explicit security mechanisms for time
protocols, at least a subset of the requirements can be met by
applying common security practices to the network or by using
existing security protocols, such as [IPsec] or [MACsec]. Thus,
security solutions that address these requirements are outside the
scope of this document.
5.1. Clock Identity Authentication and Authorization
Requirement
The security mechanism MUST support authentication.
Requirement
The security mechanism MUST support authorization.
Requirement Level
The requirements in this subsection address the spoofing attack
(Section 3.2.2) and the rogue master attack (Section 3.2.4).
The requirement level of these requirements is 'MUST' since, in
the absence of these requirements, the protocol is exposed to
attacks that are easy to implement and have a high impact.
Mizrahi Informational [Page 14]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Discussion
Authentication refers to verifying the identity of the peer clock.
Authorization, on the other hand, refers to verifying that the
peer clock is permitted to play the role that it plays in the
protocol. For example, some nodes may be permitted to be masters,
while other nodes are only permitted to be slaves or TCs.
Authentication is typically implemented by means of a
cryptographic signature, allowing the verification of the identity
of the sender. Authorization requires clocks to maintain a list
of authorized clocks, or a "black list" of clocks that should be
denied service or revoked.
It is noted that while the security mechanism is required to
provide an authorization mechanism, the deployment of such a
mechanism depends on the nature of the network. For example, a
network that deploys PTP may consist of a set of identical OCs,
where all clocks are equally permitted to be a master. In such a
network, an authorization mechanism may not be necessary.
The following subsections describe five distinct cases of clock
authentication.
5.1.1. Authentication and Authorization of Masters
Requirement
The security mechanism MUST support an authentication mechanism,
allowing slaves to authenticate the identity of masters.
Requirement
The authentication mechanism MUST allow slaves to verify that the
authenticated master is authorized to be a master.
Requirement Level
The requirements in this subsection address the spoofing attack
(Section 3.2.2) and the rogue master attack (Section 3.2.4).
The requirement level of these requirements is 'MUST' since, in
the absence of these requirements, the protocol is exposed to
attacks that are easy to implement and have a high impact.
Mizrahi Informational [Page 15]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Discussion
Clocks authenticate masters in order to ensure the authenticity of
the time source. It is important for a slave to verify the
identity of the master, as well as to verify that the master is
indeed authorized to be a master.
5.1.2. Recursive Authentication and Authorization of Masters (Chain of
Trust)
Requirement
The security mechanism MUST support recursive authentication and
authorization of the master, to be used in cases where time
information is conveyed through intermediate clocks.
Requirement Level
The requirement in this subsection addresses the spoofing attack
(Section 3.2.2) and the rogue master attack (Section 3.2.4).
The requirement level of this requirement is 'MUST' since, in the
absence of this requirement, the protocol is exposed to attacks
that are easy to implement and have a high impact.
Discussion
In some cases, a slave is connected to an intermediate clock that
is not the primary time source. For example, in PTP, a slave can
be connected to a Boundary Clock (BC) or a Transparent Clock (TC),
which in turn is connected to a grandmaster. A similar example in
NTP is when a client is connected to a Stratum 2 server, which is
connected to a Stratum 1 server. In both the PTP and the NTP
cases, the slave authenticates the intermediate clock, and the
intermediate clock authenticates the grandmaster. This recursive
authentication process is referred to in [AutoKey] as
proventication.
Specifically in PTP, this requirement implies that if a slave
receives time information through a TC, it must authenticate the
TC to which it is attached, as well as authenticate the master
from which it receives the time information, as per Section 5.1.1.
Similarly, if a TC receives time information through an attached
TC, it must authenticate the attached TC.
Mizrahi Informational [Page 16]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.1.3. Authentication and Authorization of Slaves
Requirement
The security mechanism MAY provide a means for a master to
authenticate its slaves.
Requirement
The security mechanism MAY provide a means for a master to verify
that the sender of a protocol packet is authorized to send a
packet of this type.
Requirement Level
The requirement in this subsection prevents DoS attacks against
the master (Section 3.2.9).
The requirement level of this requirement is 'MAY' since:
o Its impact is low, i.e., in the absence of this requirement the
protocol is only exposed to DoS.
o Practical considerations: requiring an NTP server to
authenticate its clients may significantly impose on the
server's performance.
Note that while the requirement level of this requirement is
'MAY', the requirement in Section 5.1.1 is 'MUST'; the security
mechanism must provide a means for authentication and
authorization, with an emphasis on the master. Authentication and
authorization of slaves are specified in this subsection as 'MAY'.
Discussion
Slaves and intermediate clocks are authenticated by masters in
order to verify that they are authorized to receive timing
services from the master.
Authentication of slaves prevents unauthorized clocks from
receiving time services. Preventing the master from serving
unauthorized clocks can help in mitigating DoS attacks against the
master. Note that the authentication of slaves might put a higher
load on the master than serving the unauthorized clock; hence,
this requirement is 'MAY'.
Mizrahi Informational [Page 17]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.1.4. PTP: Authentication and Authorization of P2P TCs by the Master
Requirement
The security mechanism for PTP MAY provide a means for a master to
authenticate the identity of the P2P TCs directly connected to it.
Requirement
The security mechanism for PTP MAY provide a means for a master to
verify that P2P TCs directly connected to it are authorized to be
TCs.
Requirement Level
The requirement in this subsection prevents DoS attacks against
the master (Section 3.2.9).
The requirement level of this requirement is 'MAY' for the same
reasons specified in Section 5.1.3.
Discussion
P2P TCs that are one hop from the master use the PDelay_Req and
PDelay_Resp handshake to compute the link delay between the master
and TC. These TCs are authenticated by the master.
Authentication of TCs, much like authentication of slaves, reduces
unnecessary load on the master and peer TCs, by preventing the
master from serving unauthorized clocks.
5.1.5. PTP: Authentication and Authorization of Control Messages
Requirement
The security mechanism for PTP MUST support authentication of
Announce messages. The authentication mechanism MUST also verify
that the sender is authorized to be a master.
Requirement
The security mechanism for PTP MUST support authentication and
authorization of Management messages.
Requirement
The security mechanism MAY support authentication and
authorization of Signaling messages.
Mizrahi Informational [Page 18]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Requirement Level
The requirements in this subsection address the spoofing attack
(Section 3.2.2) and the rogue master attack (Section 3.2.4).
The requirement level of the first two requirements is 'MUST'
since, in the absence of these requirements, the protocol is
exposed to attacks that are easy to implement and have a high
impact.
The requirement level of the third requirement is 'MAY' since its
impact greatly depends on the application for which the Signaling
messages are used.
Discussion
Master election is performed in PTP using the Best Master Clock
Algorithm (BMCA). Each Ordinary Clock (OC) announces its clock
attributes using Announce messages, and the best master is elected
based on the information gathered from all the candidates.
Announce messages must be authenticated in order to prevent rogue
master attacks (Section 3.2.4). Note that this subsection
specifies a requirement that is not necessarily included in
Sections 5.1.1 or 5.1.3, since the BMCA is initiated before clocks
have been defined as masters or slaves.
Management messages are used to monitor or configure PTP clocks.
Malicious usage of Management messages enables various attacks,
such as the rogue master attack or DoS attack.
Signaling messages are used by PTP clocks to exchange information
that is not strictly related to time information or to master
selection, such as unicast negotiation. Authentication and
authorization of Signaling messages may be required in some
systems, depending on the application for which these messages are
used.
5.2. Protocol Packet Integrity
Requirement
The security mechanism MUST protect the integrity of protocol
packets.
Mizrahi Informational [Page 19]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Requirement Level
The requirement in this subsection addresses the packet
manipulation attack (Section 3.2.1).
The requirement level of this requirement is 'MUST' since, in the
absence of this requirement, the protocol is exposed to attacks
that are easy to implement and have high impact.
Discussion
While Section 5.1 refers to ensuring the identity an authorization
of the source of a protocol packet, this subsection refers to
ensuring that the packet arrived intact. The integrity protection
mechanism ensures the authenticity and completeness of data from
the data originator.
Integrity protection is typically implemented by means of an
Integrity Check Value (ICV) that is included in protocol packets
and is verified by the receiver.
5.2.1. PTP: Hop-by-Hop vs. End-to-End Integrity Protection
Specifically in PTP, when protocol packets are subject to
modification by TCs, the integrity protection can be enforced in one
of two approaches: end-to-end or hop-by-hop.
5.2.1.1. Hop-by-Hop Integrity Protection
Each hop that needs to modify a protocol packet:
o Verifies its integrity.
o Modifies the packet, i.e., modifies the correctionField. Note:
TCs improve the end-to-end accuracy by updating a correctionField
(Clause 6.5 in [IEEE1588]) in the PTP packet by adding the latency
caused by the current TC.
o Re-generates the integrity protection, e.g., re-computes a Message
Authentication Code (MAC).
In the hop-by-hop approach, the integrity of protocol packets is
protected by induction on the path from the originator to the
receiver.
This approach is simple, but allows rogue TCs to modify protocol
packets.
Mizrahi Informational [Page 20]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.2.1.2. End-to-End Integrity Protection
In this approach, the integrity protection is maintained on the path
from the originator of a protocol packet to the receiver. This
allows the receiver to directly validate the protocol packet without
the ability of intermediate TCs to manipulate the packet.
Since TCs need to modify the correctionField, a separate integrity
protection mechanism is used specifically for the correctionField.
The end-to-end approach limits the TC's impact to the correctionField
alone, while the rest of the protocol packet is protected on an end-
to-end basis. It should be noted that this approach is more
difficult to implement than the hop-by-hop approach, as it requires
the correctionField to be protected separately from the other fields
of the packet, possibly using different cryptographic mechanisms and
keys.
5.3. Spoofing Prevention
Requirement
The security mechanism MUST provide a means to prevent master
spoofing.
Requirement
The security mechanism MUST provide a means to prevent slave
spoofing.
Requirement
PTP: The security mechanism MUST provide a means to prevent P2P TC
spoofing.
Requirement Level
The requirements in this subsection address spoofing attacks. As
described in Section 3.2.2, when these requirements are not met,
the attack may have a high impact, causing slaves to rely on false
time information. Thus, the requirement level is 'MUST'.
Discussion
Spoofing attacks may take various forms, and they can potentially
cause significant impact. In a master spoofing attack, the
attacker causes slaves to receive false information about the
current time by masquerading as the master.
Mizrahi Informational [Page 21]
^L
RFC 7384 Time Protocol Security Requirements October 2014
By spoofing a slave or an intermediate node (the second example of
Section 3.2.2), an attacker can tamper with the slaves' delay
computations. These attacks can be mitigated by an authentication
mechanism (Sections 5.1.3 and 5.1.4) or by other means, for
example, a PTP Delay_Req can include a MAC that is included in the
corresponding Delay_Resp message, allowing the slave to verify
that the Delay_Resp was not sent in response to a spoofed message.
5.4. Availability
Requirement
The security mechanism SHOULD include measures to mitigate DoS
attacks against the time protocol.
Requirement Level
The requirement in this subsection prevents DoS attacks against
the protocol (Section 3.2.9).
The requirement level of this requirement is 'SHOULD' due to its
low impact, i.e., in the absence of this requirement the protocol
is only exposed to DoS.
Discussion
The protocol availability can be compromised by several different
attacks. An attacker can inject protocol packets to implement the
spoofing attack (Section 3.2.2) or the rogue master attack
(Section 3.2.4), causing DoS to the victim (Section 3.2.9).
An authentication mechanism (Section 5.1) limits these attacks
strictly to internal attackers; thus, it prevents external
attackers from performing them. Hence, the requirements of
Section 5.1 can be used to mitigate this attack. Note that
Section 5.1 addresses a wider range of threats, whereas the
current section is focused on availability.
The DoS attacks described in Section 3.2.7 are performed at lower
layers than the time protocol layer, and they are thus outside the
scope of the security requirements defined in this document.
Mizrahi Informational [Page 22]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.5. Replay Protection
Requirement
The security mechanism MUST include a replay prevention mechanism.
Requirement Level
The requirement in this subsection prevents replay attacks
(Section 3.2.3).
The requirement level of this requirement is 'MUST' since, in the
absence of this requirement, the protocol is exposed to attacks
that are easy to implement and have a high impact.
Discussion
The replay attack (Section 3.2.3) can compromise both the
integrity and availability of the protocol. Common encryption and
authentication mechanisms include replay prevention mechanisms
that typically use a monotonously increasing packet sequence
number.
5.6. Cryptographic Keys and Security Associations
5.6.1. Key Freshness
Requirement
The security mechanism MUST provide a means to refresh the
cryptographic keys.
The cryptographic keys MUST be refreshed frequently.
Requirement Level
The requirement level of this requirement is 'MUST' since key
freshness is an essential property for cryptographic algorithms,
as discussed below.
Discussion
Key freshness guarantees that both sides share a common updated
secret key. It also helps in preventing replay attacks. Thus, it
is important for keys to be refreshed frequently. Note that the
term 'frequently' is used without a quantitative requirement, as
the precise frequency requirement should be considered on a per-
system basis, based on the threats and system requirements.
Mizrahi Informational [Page 23]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.6.2. Security Association
Requirement
The security protocol SHOULD support a security association
protocol where:
o Two or more clocks authenticate each other.
o The clocks generate and agree on a cryptographic session
key.
Requirement
Each instance of the association protocol SHOULD produce a
different session key.
Requirement Level
The requirement level of this requirement is 'SHOULD' since it may
be expensive in terms of performance, especially in low-cost
clocks.
Discussion
The security requirements in Sections 5.1 and 5.2 require usage of
cryptographic mechanisms, deploying cryptographic keys. A
security association (e.g., [IPsec]) is an important building
block in these mechanisms.
It should be noted that in some cases, different security
association mechanisms may be used at different levels of clock
hierarchies. For example, the association between a Stratum 2
clock and a Stratum 3 clock in NTP may have different
characteristics than an association between two clocks at the same
stratum level. On a related note, in some cases, a hybrid
solution may be used, where a subset of the network is not secured
at all (see Section 5.10.2).
5.6.3. Unicast and Multicast Associations
Requirement
The security mechanism SHOULD support security association
protocols for unicast and for multicast associations.
Mizrahi Informational [Page 24]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Requirement Level
The requirement level of this requirement is 'SHOULD' since it may
be expensive in terms of performance, especially for low-cost
clocks.
Discussion
A unicast protocol requires an association protocol between two
clocks, whereas a multicast protocol requires an association
protocol among two or more clocks, where one of the clocks is a
master.
5.7. Performance
Requirement
The security mechanism MUST be designed in such a way that it does
not significantly degrade the quality of the time transfer.
Requirement
The mechanism SHOULD minimize computational load.
Requirement
The mechanism SHOULD minimize storage requirements of client state
in the master.
Requirement
The mechanism SHOULD minimize the bandwidth overhead required by
the security protocol.
Requirement Level
While the quality of the time transfer is clearly a 'MUST', the
other three performance requirements are 'SHOULD', since some
systems may be more sensitive to resource consumption than others;
hence, these requirements should be considered on a per-system
basis.
Discussion
Performance efficiency is important since client restrictions
often dictate a low processing and memory footprint and because
the server may have extensive fan-out.
Mizrahi Informational [Page 25]
^L
RFC 7384 Time Protocol Security Requirements October 2014
Note that the performance requirements refer to a time-protocol-
specific security mechanism. In systems where a security protocol
is used for other types of traffic as well, this document does not
place any performance requirements on the security protocol
performance. For example, if IPsec encryption is used for
securing all information between the master and slave node,
including information that is not part of the time protocol, the
requirements in this subsection are not necessarily applicable.
5.8. Confidentiality
Requirement
The security mechanism MAY provide confidentiality protection of
the protocol packets.
Requirement Level
The requirement level of this requirement is 'MAY' since the
absence of this requirement does not expose the protocol to severe
threats, as discussed below.
Discussion
In the context of time protocols, confidentiality is typically of
low importance, since timing information is usually not considered
secret information.
Confidentiality can play an important role when service providers
charge their customers for time synchronization services; thus, an
encryption mechanism can prevent eavesdroppers from obtaining the
service without payment. Note that these cases are, for now,
rather esoteric.
Confidentiality can also prevent an MITM attacker from identifying
protocol packets. Thus, confidentiality can assist in protecting
the timing protocol against MITM attacks such as packet delay
(Section 3.2.6), manipulation and interception, and removal
attacks. Note that time protocols have predictable behavior even
after encryption, such as packet transmission rates and packet
lengths. Additional measures can be taken to mitigate encrypted
traffic analysis by random padding of encrypted packets and by
adding random dummy packets. Nevertheless, encryption does not
prevent such MITM attacks, but rather makes these attacks more
difficult to implement.
Mizrahi Informational [Page 26]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.9. Protection against Packet Delay and Interception Attacks
Requirement
The security mechanism MUST include means to protect the protocol
from MITM attacks that degrade the clock accuracy.
Requirement Level
The requirements in this subsection address MITM attacks such as
the packet delay attack (Section 3.2.6) and packet interception
attacks (Sections 3.2.5 and 3.2.1).
The requirement level of this requirement is 'MUST'. In the
absence of this requirement, the protocol is exposed to attacks
that are easy to implement and have a high impact. Note that in
the absence of this requirement, the impact is similar to packet
manipulation attacks (Section 3.2.1); thus, this requirement has
the same requirement level as integrity protection (Section 5.2).
It is noted that the implementation of this requirement depends on
the topology and properties of the system.
Discussion
While this document does not define specific security solutions,
we note that common practices for protection against MITM attacks
use redundant masters (e.g., [NTPv4]) or redundant paths between
the master and slave (e.g., [DelayAtt]). If one of the time
sources indicates a time value that is significantly different
than the other sources, it is assumed to be erroneous or under
attack and is therefore ignored.
Thus, MITM attack prevention derives a requirement from the
security mechanism and a requirement from the network topology.
While the security mechanism should support the ability to detect
delay attacks, it is noted that in some networks it is not
possible to provide the redundancy needed for such a detection
mechanism.
5.10. Combining Secured with Unsecured Nodes
Integrating a security mechanism into a time-synchronized system is a
complex and expensive process, and hence in some cases may require
incremental deployment, where new equipment supports the security
mechanism, and is required to interoperate with legacy equipment
without the security features.
Mizrahi Informational [Page 27]
^L
RFC 7384 Time Protocol Security Requirements October 2014
5.10.1. Secure Mode
Requirement
The security mechanism MUST support a secure mode, where only
secured clocks are permitted to take part in the time protocol.
In this mode every protocol packet received from an unsecured
clock MUST be discarded.
Requirement Level
The requirement level of this requirement is 'MUST' since the full
capacity of the security requirements defined in this document can
only be achieved in secure mode.
Discussion
While the requirement in this subsection is similar to the one in
Section 5.1, it refers to the secure mode, as opposed to the
hybrid mode presented in the next subsection.
5.10.2. Hybrid Mode
Requirement
The security protocol SHOULD support a hybrid mode, where both
secured and unsecured clocks are permitted to take part in the
protocol.
Requirement Level
The requirement level of this requirement is 'SHOULD'; on one
hand, hybrid mode enables a gradual transition from unsecured to
secured mode, which is especially important in large-scaled
deployments. On the other hand, hybrid mode is not required in
all systems; this document recommends deployment of the 'secure
mode' described in Section 5.10.1, where possible.
Discussion
The hybrid mode allows both secured and unsecured clocks to take
part in the time protocol. NTP, for example, allows a mixture of
secured and unsecured nodes.
Requirement
A master in the hybrid mode SHOULD be a secured clock.
Mizrahi Informational [Page 28]
^L
RFC 7384 Time Protocol Security Requirements October 2014
A secured slave in the hybrid mode SHOULD discard all protocol
packets received from unsecured clocks.
Requirement Level
The requirement level of this requirement is 'SHOULD' since it may
not be applicable to all deployments. For example, a hybrid
network may require the usage of unsecured masters or TCs.
Discussion
This requirement ensures that the existence of unsecured clocks
does not compromise the security provided to secured clocks.
Hence, secured slaves only "trust" protocol packets received from
a secured clock.
An unsecured slave can receive protocol packets from either
unsecured clocks or secured clocks. Note that the latter does not
apply when encryption is used. When integrity protection is used,
the unsecured slave can receive secured packets ignoring the
integrity protection.
Note that the security scheme in [NTPv4] with [AutoKey] does not
satisfy this requirement, since nodes prefer the server with the
most accurate clock, which is not necessarily the server that
supports authentication. For example, a Stratum 2 server is
connected to two Stratum 1 servers: Server A, supporting
authentication, and Server B, without authentication. If Server B
has a more accurate clock than A, the Stratum 2 server chooses
Server B, in spite of the fact it does not support authentication.
6. Summary of Requirements
+-----------+---------------------------------------------+--------+
| Section | Requirement | Type |
+-----------+---------------------------------------------+--------+
| 5.1 | Authentication & authorization of sender | MUST |
| +---------------------------------------------+--------+
| | Authentication & authorization of master | MUST |
| +---------------------------------------------+--------+
| | Recursive authentication & authorization | MUST |
| +---------------------------------------------+--------+
| | Authentication & authorization of slaves | MAY |
| +---------------------------------------------+--------+
| | PTP: Authentication & authorization of | MAY |
| | P2P TCs by master | |
+-----------+---------------------------------------------+--------+
Mizrahi Informational [Page 29]
^L
RFC 7384 Time Protocol Security Requirements October 2014
+-----------+---------------------------------------------+--------+
|5.1 (cont) | PTP: Authentication & authorization of | MUST |
| | Announce messages | |
| +---------------------------------------------+--------+
| | PTP: Authentication & authorization of | MUST |
| | Management messages | |
| +---------------------------------------------+--------+
| | PTP: Authentication & authorization of | MAY |
| | Signaling messages | |
+-----------+---------------------------------------------+--------+
| 5.2 | Integrity protection | MUST |
+-----------+---------------------------------------------+--------+
| 5.3 | Spoofing prevention | MUST |
+-----------+---------------------------------------------+--------+
| 5.4 | Protection from DoS attacks against the | SHOULD |
| | time protocol | |
+-----------+---------------------------------------------+--------+
| 5.5 | Replay protection | MUST |
+-----------+---------------------------------------------+--------+
| 5.6 | Key freshness | MUST |
| +---------------------------------------------+--------+
| | Security association | SHOULD |
| +---------------------------------------------+--------+
| | Unicast and multicast associations | SHOULD |
+-----------+---------------------------------------------+--------+
| 5.7 | Performance: no degradation in quality of | MUST |
| | time transfer | |
| +---------------------------------------------+--------+
| | Performance: computation load | SHOULD |
| +---------------------------------------------+--------+
| | Performance: storage | SHOULD |
| +---------------------------------------------+--------+
| | Performance: bandwidth | SHOULD |
+-----------+---------------------------------------------+--------+
| 5.8 | Confidentiality protection | MAY |
+-----------+---------------------------------------------+--------+
| 5.9 | Protection against delay and interception | MUST |
| | attacks | |
+-----------+---------------------------------------------+--------+
| 5.10 | Secure mode | MUST |
| +---------------------------------------------+--------+
| | Hybrid mode | SHOULD |
+-----------+---------------------------------------------+--------+
Table 2: Summary of Security Requirements
Mizrahi Informational [Page 30]
^L
RFC 7384 Time Protocol Security Requirements October 2014
7. Additional Security Implications
This section discusses additional implications of the interaction
between time protocols and security mechanisms.
This section refers to time protocol security mechanisms, as well as
to "external" security mechanisms, i.e., security mechanisms that are
not strictly related to the time protocol.
7.1. Security and On-the-Fly Timestamping
Time protocols often require that protocol packets be modified during
transmission. Both NTP and PTP in one-step mode require clocks to
modify protocol packets based on the time of transmission and/or
reception.
In the presence of a security mechanism, whether encryption or
integrity protection:
o During transmission the encryption and/or integrity protection
MUST be applied after integrating the timestamp into the packet.
To allow high accuracy, timestamping is typically performed as close
to the transmission or reception time as possible. However, since
the security engine must be placed between the timestamping function
and the physical interface, it may introduce non-deterministic
latency that causes accuracy degradation. These performance aspects
have been analyzed in literature, e.g., [1588IPsec] and [Tunnel].
7.2. PTP: Security and Two-Step Timestamping
PTP supports a two-step mode of operation, where the time of
transmission of protocol packets is communicated without modifying
the packets. As opposed to one-step mode, two-step timestamping can
be performed without the requirement to encrypt after timestamping.
Note that if an encryption mechanism such as IPsec is used, it
presents a challenge to the timestamping mechanism, since time
protocol packets are encrypted when traversing the physical
interface, and are thus impossible to identify. A possible solution
to this problem [IPsecSync] is to include an indication in the
encryption header that identifies time protocol packets.
Mizrahi Informational [Page 31]
^L
RFC 7384 Time Protocol Security Requirements October 2014
7.3. Intermediate Clocks
A time protocol allows slaves to receive time information from an
accurate time source. Time information is sent over a path that
often traverses one or more intermediate clocks.
o In NTP, time information originated from a Stratum 1 server can be
distributed to Stratum 2 servers and, in turn, distributed from
the Stratum 2 servers to NTP clients. In this case, the Stratum 2
servers are a layer of intermediate clocks. These intermediate
clocks are referred to as "secondary servers" in [NTPv4].
o In PTP, BCs and TCs are intermediate nodes used to improve the
accuracy of time information conveyed between the grandmaster and
the slaves.
A common rule of thumb in network security is that end-to-end
security is the best policy, as it secures the entire path between
the data originator and its receiver. The usage of intermediate
nodes implies that if a security mechanism is deployed in the
network, a hop-by-hop security scheme must be used, since
intermediate nodes must be able to send time information to the
slaves, or to modify time information sent through them.
This inherent property of using intermediate clocks increases the
system's exposure to internal threats, as a large number of nodes
possess the security keys.
Thus, there is a trade-off between the achievable clock accuracy of a
system, and the robustness of its security solution. On one hand,
high clock accuracy calls for hop-by-hop involvement in the protocol,
also known as on-path support. On the other hand, a robust security
solution calls for end-to-end data protection.
7.4. External Security Protocols and Time Protocols
Time protocols are often deployed in systems that use security
mechanisms and protocols.
A typical example is the 3GPP Femtocell network [3GPP], where IPsec
is used for securing traffic between a Femtocell and the Femto
Gateway. In some cases, all traffic between these two nodes may be
secured by IPsec, including the time protocol traffic. This use-case
is thoroughly discussed in [IPsecSync].
Another typical example is the usage of MACsec encryption ([MACsec])
in L2 networks that deploy time synchronization [AvbAssum].
Mizrahi Informational [Page 32]
^L
RFC 7384 Time Protocol Security Requirements October 2014
The usage of external security mechanisms may affect time protocols
as follows:
o Timestamping accuracy can be affected, as described in Section
7.1.
o If traffic is secured between two nodes in the network, no
intermediate clocks can be used between these two nodes. In the
[3GPP] example, if traffic between the Femtocell and the Femto
Gateway is encrypted, then time protocol packets are necessarily
transported over the underlying network without modification and,
thus, cannot enjoy the improved accuracy provided by intermediate
clock nodes.
7.5. External Security Services Requiring Time
Cryptographic protocols often use time as an important factor in the
cryptographic algorithm. If a time protocol is compromised, it may
consequently expose the security protocols that rely on it to various
attacks. Two examples are presented in this section.
7.5.1. Timestamped Certificates
Certificate validation requires the sender and receiver to be roughly
time synchronized. Thus, synchronization is required for
establishing security protocols such as Internet Key Exchange
Protocol version 2 (IKEv2) and Transport Layer Security (TLS). Other
authentication and key exchange mechanisms, such as Kerberos, also
require the parties involved to be synchronized [Kerb].
An even stronger interdependence between a time protocol and a
security mechanism is defined in [AutoKey], which defines mutual
dependence between the acquired time information, and the
authentication protocol that secures it. This bootstrapping behavior
results from the fact that trusting the received time information
requires a valid certificate, and validating a certificate requires
knowledge of the time.
7.5.2. Time Changes and Replay Attacks
A successful attack on a time protocol may cause the attacked clocks
to go back in time. The erroneous time may expose cryptographic
algorithms that rely on time, as a node may use a key that was
already used in the past and has expired.
Mizrahi Informational [Page 33]
^L
RFC 7384 Time Protocol Security Requirements October 2014
8. Issues for Further Discussion
The Key distribution is outside the scope of this document. Although
this is an essential element of any security system, it is outside
the scope of this document.
9. Security Considerations
The security considerations of network timing protocols are presented
throughout this document.
10. References
10.1. Normative References
[IEEE1588] IEEE, "1588-2008 - IEEE Standard for a Precision Clock
Synchronization Protocol for Networked Measurement and
Control Systems", IEEE Standard 1588-2008, July 2008.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[NTPv4] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and
Algorithms Specification", RFC 5905, June 2010,
<http://www.rfc-editor.org/info/rfc5905>.
10.2. Informative References
[1588IPsec] Treytl, A. and B. Hirschler, "Securing IEEE 1588 by
IPsec tunnels - An analysis", in Proceedings of 2010
International Symposium for Precision Clock
Synchronization for Measurement, Control and
Communication, ISPCS 2010, pp. 83-90, September 2010.
[3GPP] 3GPP, "Security of Home Node B (HNB) / Home evolved
Node B (HeNB)", 3GPP TS 33.320 11.6.0, November 2012.
[Anatomy] Nachreiner, C., "Anatomy of an ARP Poisoning Attack",
2003.
[AutoKey] Haberman, B., Ed., and D. Mills, "Network Time Protocol
Version 4: Autokey Specification", RFC 5906, June 2010,
<http://www.rfc-editor.org/info/rfc5906>.
Mizrahi Informational [Page 34]
^L
RFC 7384 Time Protocol Security Requirements October 2014
[AvbAssum] Pannell, D., "Audio Video Bridging Gen 2 Assumptions",
IEEE 802.1 AVB Plenary, Work in Progress, May 2012.
[DelayAtt] Mizrahi, T., "A game theoretic analysis of delay
attacks against time synchronization protocols",
accepted, to appear in Proceedings of the International
IEEE Symposium on Precision Clock Synchronization for
Measurement, Control and Communication, ISPCS,
September 2012.
[Hack] McClure, S., Scambray, J., and G. Kurtz, "Hacking
Exposed: Network Security Secrets and Solutions",
McGraw-Hill, 2009.
[IPsec] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005,
<http://www.rfc-editor.org/info/rfc4301>.
[IPsecSync] Xu, Y., "IPsec security for packet based
synchronization", Work in Progress, draft-xu-tictoc-
ipsec-security-for-synchronization-02, September 2011.
[Kerb] Sakane, S., Kamada, K., Thomas, M., and J. Vilhuber,
"Kerberized Internet Negotiation of Keys (KINK)",
RFC 4430, March 2006,
<http://www.rfc-editor.org/info/rfc4430>.
[MACsec] IEEE, "IEEE Standard for Local and metropolitan area
networks - Media Access Control (MAC) Security", IEEE
Standard 802.1AE, August 2006.
[NTPDDoS] "Attackers use NTP reflection in huge DDoS attack",
TICTOC mail archive, 2014.
[SecPTP] Tsang, J. and K. Beznosov, "A Security Analysis of the
Precise Time Protocol (Short Paper)," 8th International
Conference on Information and Communication Security
(ICICS) Lecture Notes in Computer Science Volume 4307,
pp. 50-59, 2006.
[SecSen] Ganeriwal, S., Popper, C., Capkun, S., and M. B.
Srivastava, "Secure Time Synchronization in Sensor
Networks", ACM Trans. Inf. Syst. Secur., Volume 11,
Issue 4, Article 23, July 2008.
[TimeSec] Mizrahi, T., "Time synchronization security using IPsec
and MACsec", ISPCS 2011, pp. 38-43, September 2011.
Mizrahi Informational [Page 35]
^L
RFC 7384 Time Protocol Security Requirements October 2014
[Traps] Treytl, A., Gaderer, G., Hirschler, B., and R. Cohen,
"Traps and pitfalls in secure clock synchronization" in
Proceedings of 2007 International Symposium for
Precision Clock Synchronization for Measurement,
Control and Communication, ISPCS 2007, pp. 18-24,
October 2007.
[Tunnel] Treytl, A., Hirschler, B., and T. Sauter, "Secure
tunneling of high-precision clock synchronisation
protocols and other time-stamped data", in Proceedings
of the 8th IEEE International Workshop on Factory
Communication Systems (WFCS), pp. 303-313, May 2010.
Acknowledgments
The author gratefully acknowledges Stefano Ruffini, Doug Arnold,
Kevin Gross, Dieter Sibold, Dan Grossman, Laurent Montini, Russell
Smiley, Shawn Emery, Dan Romascanu, Stephen Farrell, Kathleen
Moriarty, and Joel Jaeggli for their thorough review and helpful
comments. The author would also like to thank members of the TICTOC
WG for providing feedback on the TICTOC mailing list.
Contributors
Karen O'Donoghue
ISOC
EMail: odonoghue@isoc.org
Author's Address
Tal Mizrahi
Marvell
6 Hamada St.
Yokneam, 20692 Israel
EMail: talmi@marvell.com
Mizrahi Informational [Page 36]
^L
|
