​Saving NTP: The protocol that keeps time across the internet

SEATTLE -- We're foolish. We live our lives on the internet and we take it for granted. We don't realize that the internet is fragile as a Chihuly glass sculpture. As 2014 OpenSSL Heartbleed security security hole showed, vital internet infrastructure programs are being left unsupported.

Thanks to Heartbleed, we've learned that we must take care of the internet's primary programs. To prevent other such critical failures, the Linux Foundation set up the Core Infrastructure Initiative (CII).The CII's job is to fund those small, often ignored programs to keep the internet up and running. The latest to get rescued is the Network Time Protocol (NTP).

NTP is essential to the internet. Without it, servers and PCs wouldn't know what time it is. That, in turn, would mean backups would fail, financial transactions would go awry, and many fundamental network services wouldn't work. The primary time-keepers of the net are stratum-0 devices, i.e. atomic clocks. These are connected to other devices with NTP, which in turn set the time for everything online.

While the stratum devices belong to government agencies and corporations, NTP itself is a free project. It has only one manager, Harlan Stenn, and, until recently, he was running NTP on a shoestring from his home.

Sam Ramji, CEO of the Cloud Foundry Foundation, who calls Stenn "Father Time," said Stenn was just "scraping by" as his voluntary NTP work took up more and more of his time. Stenn was finally coming to the end of his rope and was considering giving up NTP.

Fortunately, the CII stepped in to keep Stenn's work going. However, Stenn and the CII didn't see eye-to-eye and for a time the funding dried up.

Now, however, at LinuxCon, Jim Zemlin, the Linux Foundation's executive director, announced that Stenn would be supported with another annual grant. At the same time, the CII will also fund a NTP-related project, Poul Henning Kamp is working on Ntimed and a new NTP security program, NTPSec.

While an NTP crisis has been avoided, the fact remains that the internet still relies upon some remarkably fragile columns. For example, when a leap second was added on June 30 NTP and Google did it different ways, so for half-a-day their clocks were out of sync.

Clearly a lot of work still needs to be done on the internet's fundamental protocols. Companies, organizations, and governments must make sure these small, open-source projects are adequately funded. The CII is an excellent start, but more needs to be done.

Related Stories:

• CII takes steps to make open-source software safer
• Mission: Funding all those small but important open-source projects
• Corporations put their cash where their open source security is