r40 - 2014-02-10 - 02:54:47 - HarlanStennYou are here: NTP >  Dev Web > GoogleSummerOfCode > GSoCProjectIdeas
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

GSoC Project Ideas

Related Topics: NTF:GSoC/GSoCProjectIdeas


Anyone interested in learning advanced techniques in software testing will be interested in this project. It will cover testing lowlevel protocols and operational testing of ntpd. Existing knowledge of software testing is not required however a successful candidate must have a firm grasp of the C language and cursory knowledge of C++ as well as Python. The first half of this project will involve writing protocol tests in Python the later half will involve testing ntpd using this library as well as modifications to ntpd for allowing easier testing.

We also need network-level testing, including adding and removing interfaces.

Please be aware this project is about software testing and not NTP software itself. You will learn a lot about the NTP protocol and protocols in general. Learning how to test software is an extremely desirable skill in the software development world any candidate should come in with an eagerness to learn.

Ideally, some documentation for our wiki will be produced, as we want to make it as easy as possible for existing developers to see how to provide test cases for all new patches to the codebase.

Feel free to contact Amar directly at amar-ntp.org via email if you have any questions.

Improving NTP's logging/debugging system

  • Redesign/Change NTP's logging/debugging system.
  • Write a common debugging/logging interface for NTP.

While this topic has been worked on 3 times before, we've gotten the API designed and ready to go but we have not yet converted the codebase to use it all. There is a reasonable chance that during the deployment of this project we'll find some problems with the new API that must be corrected, and we may also learn ways to make the new API more lightweight or otherwise better.

Related Topics: GSoC2013LoggingDebugging, GSoC2010LoggingAndDebugging, GSoC2009LogDebug, GSoC2009LoggingAndDebugging, bug_small.png Bug #1408, bug_small.png Bug #2160

Virtual Refclock Engine/Refclock Definition Language

Analyze the existing refclock drivers. Come up with a language that can be converted into some sort of bytecode or threaded code that will be able to fully implement all of the refclocks we currently support. Harlan thinks this language would need basic math and expression support, execution flow (loop, conditional, exception, etc.) support, and subroutine support (calls to pre-defined subroutines for I/O, logging, etc.) The implemented language should be demonstrably "safe" (bounds checking, etc.), perhaps implemented as a small "virtual refclock machine", either inside NTP or as a separate program that communicates with NTP using, eg, the SHM refclock.

Related Topics: LoadableRefclockDrivers

Study the usefulness of different clock models for NTP

This project is best suited for students in post-doc or doctoral programs who have a good understanding of clock statistics. It is possible that a graduate student would also be considered for this project. The rare undergraduate who can demonstrate proficiency will also be considered.

There are two issues that could be considered for study. The first is a parameter that provides an explicit connection between the polling interval and the accuracy of the synchronization process. This is useful because the polling interval can be increased by a large factor if the client system does not require the full accuracy that NTP can typically support. The second issue is a more sophisticated model for the performance of the clock on the local system and for the network delay. The Kalman filter formalism is promising in this respect, because it provides a much more general method for specifying the noise characteristics of a process.

Convert the distribution from a recursive to a non-recursive Makefile framework

The codebase uses a traditional recursive Makefile framework. If the package could be converted to a non-recursive Makefile framework (hopefully one that continued to use AutoMake) then after running configure one could cd ntpd && make and all prerequisite libraries would be built and then ntpd would be produced, as efficiently as possible. A make from the top-level of the build tree would build the entire package, very efficiently. Note that typically a non-recursive project does not allow make anywhere but the top level, yet we would like to preserve that functionality of recursive make builds. The solution should handle "sub-packages" - for example, the sntp/ directory is moving toward being a full tear-off, and the solution should work for a stand-alone sntp package or the complete NTP distribution (that includes sntp). Further, sntp carries a sub-package libevent which uses a recursive Autoconf/Automake build, and there is probably not enough benefit to be had from non-recursive libevent build to justify maintaining separate build infrastructure from upstream. One can install libevent systemwide and avoid building the NTP bundled copy entirely. This would imply a mostly non-recursive framework that nonetheless recurses if building the bundled libevent. Similarly, to preserve the intended ability of sntp to be built from a tearoff tarball containing only the sntp subtree without duplicating logic between the top-level NTP Makefile and sntp/Makefile, it may make sense to retain recursion from the top-level Makefile to build sntp.

Update ntpq

  • IPv6 address display. (DaveHart believes ntpq has long supported IPv6 address display and is puzzled by mention here.)
  • Provide real decoding of Authentication Status information and other status bytes / flags. (DaveHart agrees decoded Authentication Status is worthwhile but believes strongly such decoding belongs in ntpd, not ntpq, because ntpq should not be required to exactly match the version of ntpd for management convenience, and these values' interpretation has changed in the past and likely will in the future, if nothing else by adding more defined bits -- potentially this can be done in ntpd by changing the response for peer variable authstatus from a simple numeric value to a string containing the decoded flag values, with or without the simple numeric value -- but this seems to DaveHart to be far too little work to constitute a GSoC project.)

Related Topics: NtpVariablesAndNtpq, UpdatingTheRefidFormat, bug_small.png Bug #820

Identity Scheme Configuration Tool

  • TUI/GUI front end for Identity Scheme Deployment / Management

How is this project different from the "Autokey configuration wizard"?

Autokey configuration wizard

  • Lead user through a series of comprehensible questions.
  • Invoke ntp-keygen repeatedly to generate per-trusted-host, per-group, and per-client keysdir files
  • Generate ntp.conf snippets for each host.
  • Verify every supported scheme works as intended by testing all paths through wizard.

How is this project different from the "Identity Scheme Configuration Tool"?

Monitoring / Management front end

  • cross-platform TUI/GUI front end for ntpq and the content of the scripts directory
  • ncurses, perl/tk, WxWindows
  • provide log access tools, graphing, etc.

Update the SHM refclock

  • Clean up the protocol
  • Possibly offer a "client library"
  • include some unit and stress tests to demonstrate that the protocol works and does not have race conditions or mutex problems
  • Also see RefclockShmV2

Finish the autogen tag translators

We use GNU autogen to handle our options processing and to produce manual pages in man and mdoc formats, and also .texi, .info, and .html formats. The "source" format for these pages use man, mdoc, or .texi tags (probably html as well), and autogen needs translations scripts to convert from one tag format to the other. Right now, the mdoc2man and mdoc2texi scripts are fairly complete, but we need:
  • all of the other combinations finished
  • a test suite (this will actually be pretty easy to do)

Related Topics: bug_small.png Bug #2311

System clock startup analysis

When NTP starts up there is value in quickly learning the offset to the correct time and the frequency adjustment that is needed to keep the clock sync'd. This can be thought of as y=mx+b, where y is the actual time, m is the needed frequency adjustment, x is the correct time, and b is the offset between the system time and the correct time.

There are at least two interesting aspects of this perspective.

One is that since the frequency adjustment is usually measured in "parts per million", there is something to be said for calculating y=(m+1)x+b so the slope correction value is "normalized" relative to 0 instead of relative to 1 and the double value of m provides the most number of significant bits.

The other has to do with how we get the time - we've heard that if we are using a wired LAN we should be able to determine the offset and frequency adjustment in 30-45 seconds' time. It may take a minute or two to get this same level of accuracy using a wireless LAN.

One obvious way to get this is thru a least-squares analysis of the time returned from some number of time servers, external or possibly local refclocks. A good starting point for this is http://www.dragonflybsd.org/cvsweb/src/usr.sbin/dntpd/ .

If one wanted to use a local GPS refclock for getting time signals, gpsd might be a good way to go.

One should be aware of the rate at which one can send packets to a remote ntpd, and one should study a range of "collection times" to see what the differences are between, say, checking to see how well we can figure out the offset and drift over a useful range of time periods.

Create a web-based ntp.conf file generator

Different versions of NTP support different options in the configuration file. It would be good to have a web-based service that would ask the user for the version of NTP they are using, ask them some basic questions, and generate an ntp.conf file. The generated file should contain the version number of the script that generated the file, and would ideally include a URL that would re-generate the configuration file with any newer version of the generation script.

Upgrade NTP's monitoring mechanisms

Traditionally, ntpd has used ntpq (mode 6) and ntpdc (mode 7) UDP packets to monitor and control ntpd. With the recent awareness by black-hats that mis-configured older ntpd instances can be used for significant reflection attacks, the monitoring capabilities of NTP should be re-examined. This may include TCP options.

Related Topics: ConfigurationAndAuthorizationLevelsForNtpd

Other ideas


Under Monitoring Management front end, what about adding SNMP support for Windows?

-- DavidTaylor - 2012-03-17

Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r44 | r42 < r41 < r40 < r39 | More topic actions...
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback