In response to a Right to Information (RTI) request filed by MediaNama, the Indian government has revealed some specifications of the time servers that it wants all companies to sync their system clocks with. Some of the details that have been shared include the number of servers, their IP addresses, the geographical locations, hardware configuration, and the ISP (Internet Service Provider) and ASN (Autonomous System Number) of these servers.
Why does this matter? The cybersecurity directions issued by the Indian Computer Emergency Response Team (CERT-In) on April 28, which went into effect on September 26, require, among other things, companies to connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to servers traceable to these NTP servers, for synchronization of their system clocks. But this has been criticized for a long list of reasons (recapped below), one of which is that we know very little about these time servers. The RTI response sheds more light on the specifications, although not necessarily enough.
What do we now know about these time servers?
MediaNama received RTI responses from the National Informatics Centre (NIC) and the National Physical Laboratory (NPL) to the following questions. While NIC has been evasive on most questions, citing “security reasons,” NPL has responded to all questions.
- How many time servers do the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) run?
  - NIC: NIC runs multiple servers located at different locations across the country. Actual number of servers cannot be revealed for security reasons.
  - NPL: NPL runs 20 NTP Servers.
- What are their IP addresses?
  - NIC: NIC runs the NTP service through samay1.nic.in and samay2.nic.in.
  - NPL: The current IP addresses are 18.104.22.168, 22.214.171.124 and 126.96.36.199.
- What geographical locations are they configured in?
  - NIC: The servers are located in various cities across India. Exact location details cannot be provided for security reasons.
  - NPL: The geographical location is CSIR-National Physical Laboratory, Delhi.
- What are their average latency times?
  - NIC: Latency time purely depends on client location.
  - NPL: NTP servers of NPL run directly from UTC (NPLI).
- Do they publish uptimes and downtimes of their NTP servers?
  - NIC: Information related to NPT servers not available. (We had misspelled NTP as NPT in the question, presumably leading to this response).
  - NPL: Uptimes and downtimes of NTP servers are not published.
- What is the hardware and software configuration of their NTP servers?
  - NIC: This information cannot be revealed due to security reasons under section 8.
  - NPL: NTP servers are NTP v4.
- If these servers go down, who should be contacted?
  - NIC: User may contact via servicedesk.nic.in or can contact at toll free number 1800-111-555.
  - NPL: CSIR-NPL may be contacted for NPL’s NTP servers.
- Who is the primary and secondary ISP for these servers?
  - NIC: NIC has direct peering with multiple ISPs including NIXI’s internet exchange, which is being leveraged for delivering the NTP services.
  - NPL: ISP is NKN (refers to the National Knowledge Network managed by NIC)
- What is the ASN these servers are operated in?
  - NIC: AS 4758
  - NPL: ASN is 55824
Why was there pushback against the time sync requirement?
- Uncertainties about the specifications and capacity of the NTP servers: “There are also uncertainties about the location, geographical distribution, and configuration of the NIC and NPL servers. In a system where everything is dependent on the time drift not being more than a nanosecond, it is important that any questions about the configuration, latency, service levels, and time sources of the NIC and NPL servers be clearly and publicly answered. There are also concerns about the capacity of the Indian government’s servers, and whether the NIC and NPL servers are able to serve potentially millions of entities and billions of devices hitting the same set of servers from the perspectives of technical capacity, budget, and human resources,” a report by the Internet Society pointed out.
- There are more accurate and reliable sources: Cybersecurity experts explained to MediaNama that most companies currently rely on GPS for time because of its accuracy and that we don’t know if the NTP servers of NIC and NPL will have the same accuracy and reliability. “Are companies going to choose NIC servers over this? […] After spending millions of dollars to build a time server that uses GPS clocks across multiple geographical locations all around the world, why should I have to bank on CERT-In’s single option,” cybersecurity researcher Anand Venkatanarayanan asked.
- Companies should rely on multiple servers to prevent a single point of failure and for better security: CERT-In’s requirement creates a real risk of a single point of failure and vulnerability. It also goes against industry best practices for synchronizing to multiple sources of time, the Internet Society (ISOC) said in a report. “A lot of security services rely on precise and accurate time, and making sure time is reliable is an important goal. […] One of the main purposes of the NTP protocol is that it eradicates clocks with the wrong time by comparing several sources of time. Ideally, an NTP instance takes its time from at least three sources that do not share a common source. By forcing all users in India to use clocks that depend on one source they completely undermine the resiliency offered by using diverse sources of time,” the report explains.
- Latency issues: “Let us say you are running a data centre. You have to connect all the servers to a time server. By the very nature of a data centre, imagine you have like 25,000 machines in one building. Which time server would you bank on? The one near you that you control or one someone else gives you. You will choose the one you have control on. And why is that? Latency,” Venkatanarayanan remarked. Latency is the time taken for a message to travel from one server to another and a higher latency is undesirable. When servers are further apart, the latency tends to be higher.
- NIC, NPL servers might not be able to handle the load: “Even if you were to have this set of servers, you are going to be a bit overwhelmed if everyone starts hitting the same set of servers. So until and unless CERT has figured out a budget and human resources required to run dedicated NTP services that a country like India will probably need, the practical viability of this particular direction looks difficult, if not impossible to me,” Suman Kar, CEO of cybersecurity firm Banbreach explained.
- Lots of other issues to address before mandating this direction: A former researcher at the Council of Scientific And Industrial Research (CSIR), which runs the National Physical Laboratory, explained to MediaNama that the root problems lie elsewhere, as India neither has a legal time yet nor the required infrastructure to disseminate time to a large group of entities. “NPL was given the project to set up five regional centres in the laboratories of consumer affairs in 2017, but that project is still going on,” the researcher said. Furthermore, ISRO should come out with Indian-satellite receiver systems that Indian companies can rely on rather than GPS systems synced to US clocks, the researcher said.
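To illustrate the multiple-sources point above, here is an added example (not from the ISOC report or from MediaNama) of a simplified Marzullo-style intersection, the kind of comparison an NTP client uses to outvote a wrong clock. It is not ntpd's full selection code, and every source name, offset and error bound in it is a constructed sample value.

```python
# Added example: simplified Marzullo-style interval intersection.
# All source names, offsets and error bounds are constructed sample values.

def marzullo(intervals):
    """Return (count, lo, hi): the window covered by the most intervals."""
    edges = []
    for lo, hi in intervals:
        edges.append((lo, -1))   # interval opens
        edges.append((hi, +1))   # interval closes
    edges.sort()                 # at equal offsets, opens sort before closes
    best = count = 0
    best_lo = best_hi = None
    for i, (offset, kind) in enumerate(edges):
        count -= kind
        if count > best:
            best, best_lo, best_hi = count, offset, edges[i + 1][0]
    return best, best_lo, best_hi

def classify(sources):
    """sources maps name -> (measured offset in ms, error bound in ms)."""
    spans = {n: (off - err, off + err) for n, (off, err) in sources.items()}
    agree, lo, hi = marzullo(list(spans.values()))
    outliers = sorted(n for n, (a, b) in spans.items() if b < lo or a > hi)
    return {
        "agree": agree,                        # sources sharing the window
        "majority": agree > len(sources) / 2,  # can the window be trusted?
        "window": (lo, hi),                    # offsets consistent with them
        "falsetickers": outliers,              # sources outside the window
    }

# Three independent references; one is 500 ms off and gets outvoted.
DIVERSE = {"ref_a": (2.0, 5.0), "ref_b": (-1.0, 5.0), "ref_c": (500.0, 5.0)}
# Three servers that all trace to one reference which is itself 500 ms off.
SHARED = {"srv_1": (500.5, 5.0), "srv_2": (499.0, 5.0), "srv_3": (501.0, 5.0)}
# Only two sources, and they disagree: no majority, so neither can be trusted.
TWO = {"ref_a": (2.0, 5.0), "ref_c": (500.0, 5.0)}

if __name__ == "__main__":
    for label, sources in (("diverse", DIVERSE), ("shared", SHARED), ("two", TWO)):
        print(label, classify(sources))
```

In the shared-upstream case all three servers agree with each other, so the client sees no falseticker and accepts a window centred on the 500 ms error; only independent sources expose it.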
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.