Network Time Protocol
== Software implementations ==
{{Further|ntpd#Implementations}}
[[File:Ntpq on Windows 11 screenshot.webp|thumb|upright=1.2|The NTP management protocol utility <code>ntpq</code> under [[Windows 11]] being used to query the state of stratum 1 time servers and verify proper operation of the client.]]

=== Reference implementation ===
The NTP [[reference implementation]], along with the protocol, has been continuously developed for over 20 years. Backwards compatibility has been maintained as new features have been added. It contains several sensitive algorithms, especially to discipline the clock, that can misbehave when synchronized to servers that use different algorithms. The software has been [[ported]] to almost every computing platform, including personal computers. It runs as a [[Daemon (computing)|daemon]] called [[ntpd]] under Unix or as a [[Windows service|service]] under Windows. Reference clocks are supported and their offsets are filtered and analysed in the same way as remote servers, although they are usually polled more frequently.<ref name="Mills2010" />{{rp|15–19}} This implementation was audited in 2017, finding 14 potential security issues.<ref name="jAgTl">{{cite web | url=https://wiki.mozilla.org/images/e/ea/Ntp-report.pdf | title=Pentest-Report NTP 01.2017 | publisher=Cure53 | date=2017 | access-date=2019-07-03 | archive-url=https://web.archive.org/web/20181201232241/https://wiki.mozilla.org/images/e/ea/Ntp-report.pdf | archive-date=2018-12-01 | url-status=live}}</ref>

=== Windows Time ===
All [[Microsoft Windows]] versions since [[Windows 2000]] include the Windows Time service (W32Time),<ref name="ciu7z">{{cite web |url=https://technet.microsoft.com/en-us/library/cc773061%28WS.10%29.aspx |title=Windows Time Service Technical Reference |publisher=technet.microsoft.com |date=2011-08-17 |access-date=2011-09-19 |archive-url=https://web.archive.org/web/20110906143547/http://technet.microsoft.com/en-us/library/cc773061(WS.10).aspx
|archive-date=2011-09-06 |url-status=live}}</ref> which has the ability to synchronize the computer clock to an NTP server. W32Time was originally implemented for the purpose of the [[Kerberos (protocol)|Kerberos]] version 5 authentication protocol, which required time to be within 5 minutes of the correct value to prevent [[replay attack]]s. The network time server in Windows 2000 Server (and Windows XP) does not implement NTP disciplined synchronization, only locally disciplined synchronization with NTP/SNTP correction.<ref name="gn3Ev">{{cite web |url=https://support.ntp.org/bin/view/Support/WindowsTimeService |title=Windows Time Service page at NTP.org |website=Support.NTP.org |date=2008-02-25 |access-date=2017-05-01 |archive-url=https://web.archive.org/web/20170514214217/http://support.ntp.org/bin/view/Support/WindowsTimeService |archive-date=2017-05-14 |url-status=live}}</ref> Beginning with [[Windows Server 2003]] and [[Windows Vista]], the NTP provider for W32Time became compatible with a significant subset of NTPv3.<ref name="AD2ab">{{cite web |url=https://technet.microsoft.com/en-us/library/cc773013%28WS.10%29.aspx |title=How the Windows Time Service Works |publisher=technet.microsoft.com |date=2010-03-12 |access-date=2011-09-19 |archive-url=https://web.archive.org/web/20110924184432/http://technet.microsoft.com/en-us/library/cc773013(WS.10).aspx |archive-date=2011-09-24 |url-status=live}}</ref> Microsoft states that W32Time cannot reliably maintain time synchronization with one second accuracy.<ref name="kb939322">{{cite web | url = http://support.microsoft.com/kb/939322 | title = Support boundary to configure the Windows Time service for high accuracy environments | date = 2011-10-19 | publisher = [[Microsoft]] | access-date = 2008-12-10 | archive-url = https://web.archive.org/web/20090112213922/http://support.microsoft.com/kb/939322 | archive-date = 2009-01-12 | url-status = live}}</ref> If higher accuracy is desired, Microsoft recommends using a newer 
version of Windows or a different NTP implementation.<ref name="ihlx1">{{cite web | url = https://docs.microsoft.com/en-us/archive/blogs/askds/high-accuracy-w32time-requirements | title = High Accuracy W32time Requirements | date = 2007-10-23 | author = Ned Pyle | publisher = [[Microsoft]] | access-date = 2012-08-26 | archive-url = https://web.archive.org/web/20121017165107/http://blogs.technet.com/b/askds/archive/2007/10/23/high-accuracy-w32time-requirements.aspx | archive-date = 2012-10-17 | url-status = live}}</ref> Beginning with [[Windows 10]] version 1607 and [[Windows Server 2016]], W32Time can be configured to reach time accuracy of 1 s, 50 ms or 1 ms under certain specified operating conditions.<ref name="FvW7f">{{cite web |url=https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-2016-accurate-time |website=technet.microsoft.com |title=Windows Server 2016 Accurate Time |access-date=2016-12-07 |archive-url=https://web.archive.org/web/20161202233231/https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-2016-accurate-time |archive-date=2016-12-02 |url-status=live}}</ref><ref name="kb939322" /><ref>{{Cite web|last=dahavey|title=Support boundary for high-accuracy time|url=https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/support-boundary|access-date=2021-07-24|website=docs.microsoft.com|language=en-us|archive-date=2 May 2021|archive-url=https://web.archive.org/web/20210502120540/https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/support-boundary|url-status=live}}</ref>

=== OpenNTPD ===
In 2004, Henning Brauer of [[OpenBSD]] presented [[OpenNTPD]], an NTPv3/SNTPv4<ref>{{cite web |title=ntpd(8) - OpenBSD manual pages |url=https://man.openbsd.org/ntpd |website=man.openbsd.org |quote=It implements the Simple Network Time Protocol version 4, as described in RFC 5905, and the Network Time
Protocol version 3, as described in RFC 1305.}}</ref> implementation with a focus on security and a privilege-separated design. Whilst it is aimed more closely at the simpler generic needs of OpenBSD users, it also includes some protocol security improvements while still being compatible with existing NTP servers. The simpler code base sacrifices accuracy, deemed unnecessary in this use case.<ref name="accuracy">{{cite web |url = http://www.openbsd.org/faq/faq6.html#OpenNTPDaccurate |title = FAQ 6.12.1: 'But OpenNTPD isn't as accurate as the ntp.org daemon!' |author = The OpenBSD Project |date = 21 August 2006 |website = The OpenBSD Project |access-date = 2020-05-14 |archive-url = https://web.archive.org/web/20160205120110/http://www.openbsd.org/faq/faq6.html#OpenNTPDaccurate |archive-date = 2016-02-05 |url-status = dead}}</ref> A portable version is available in Linux package repositories.

=== NTPsec ===
NTPsec is a [[Fork (software development)|fork]] of the reference implementation that has been systematically [[Hardening (computing)|security-hardened]]. The fork point was in June 2015 and was in response to a series of compromises in 2014.<ref>{{Cite web |last=Raymond |first=Eric S.
|date=2017-03-30 |title=NTPsec: a Secure, Hardened NTP Implementation {{!}} Linux Journal |url=https://www.linuxjournal.com/content/ntpsec-secure-hardened-ntp-implementation |url-status=live |archive-url=https://archive.today/20240126231434/https://www.linuxjournal.com/content/ntpsec-secure-hardened-ntp-implementation |archive-date=2024-01-26 |access-date=2024-01-26 |website=[[Linux Journal]]}}</ref> The first production release shipped in October 2017.<ref name="TLIYY">{{cite web|url=https://ntpsec.org|title=The Secure Network Time Protocol (NTPsec) Distribution|access-date=2019-01-12|archive-url=https://web.archive.org/web/20190113232124/https://ntpsec.org/|archive-date=2019-01-13|url-status=live}}</ref> Between removal of unsafe features, removal of support for obsolete hardware, and removal of support for obsolete Unix variants, NTPsec has been able to pare away 75% of the original codebase, making the remainder easier to [[Software quality assurance|audit]].<ref name="Liska2016">{{cite book|first=Allan|last=Liska|title=NTP Security: A Quick-Start Guide|url=https://books.google.com/books?id=AB-1DQAAQBAJ&pg=PA80|date=December 10, 2016|publisher=Apress|isbn=978-1-4842-2412-0|pages=80–}}</ref> A 2017 audit of the code showed eight security issues, including two that were not present in the original reference implementation, but NTPsec did not suffer from eight other issues that remained in the reference implementation.<ref name="5CF55">{{cite web |url=https://wiki.mozilla.org/images/1/10/Ntpsec-report.pdf |title=Pentest-Report NTPsec 01.2017 |publisher=Cure53 |date=2017 |access-date=2019-07-03 |archive-url=https://web.archive.org/web/20190704001204/https://wiki.mozilla.org/images/1/10/Ntpsec-report.pdf |archive-date=2019-07-04 |url-status=live}}</ref>

=== chrony ===
{{main|chrony}}
[[File:Chrony 4.6 screenshot.webp|thumb|upright=1.2|{{Proper name|chronyc}}, showing Network Time Security (NTS) sources and activity information.]]
[[chrony]] is an independent NTP
implementation mainly sponsored by [[Red Hat]], which uses it as the default time program in its distributions.<ref name="Q91Af">{{cite web |url= http://rhelblog.redhat.com/2016/07/20/combining-ptp-with-ntp-to-get-the-best-of-both-worlds/ |title= Combining PTP with NTP to Get the Best of Both Worlds |access-date = 19 November 2017 |last= Lichvar |first= Miroslav |date= 20 July 2016 |website= Red Hat Enterprise Linux Blog |quote= Starting with Red Hat Enterprise Linux 7.0 (and now in Red Hat Enterprise Linux 6.8) a more versatile NTP implementation is also provided via the chrony package |publisher= [[Red Hat]] |archive-url= https://web.archive.org/web/20160730091110/http://rhelblog.redhat.com/2016/07/20/combining-ptp-with-ntp-to-get-the-best-of-both-worlds/ |archive-date= 30 July 2016}}</ref> Being written from scratch, {{Proper name|chrony}} has a simpler codebase allowing for better security<ref name="kYgFj">{{cite web |url= https://www.coreinfrastructure.org/news/blogs/2017/09/securing-network-time |title= Securing Network Time |access-date = 19 November 2017 |date= 27 September 2017 |website= Core Infrastructure Initiative, a Linux Foundation Collaborative Project |quote= In sum, the Chrony NTP software stands solid and can be seen as trustworthy |publisher= Core Infrastructure Initiative |archive-url= https://web.archive.org/web/20171028123642/https://www.coreinfrastructure.org/news/blogs/2017/09/securing-network-time |archive-date= 28 October 2017}}</ref> and lower resource consumption.<ref name="jR9Jg"/> It does not, however, compromise on accuracy, instead syncing faster and better than the reference ntpd in many circumstances. It is versatile enough for ordinary computers, which are unstable, go into sleep mode or have intermittent connection to the Internet.
It is also designed for virtual machines, a more unstable environment.<ref name="Both2018">{{cite web |last1=Both |first1=David |title=Manage NTP with Chrony |url=https://opensource.com/article/18/12/manage-ntp-chrony |website=Opensource.com |access-date=29 June 2019 |language=en |archive-url=https://web.archive.org/web/20190629174030/https://opensource.com/article/18/12/manage-ntp-chrony |archive-date=29 June 2019 |url-status=live}}</ref> {{Proper name|chrony}} has been evaluated as "trustworthy", with only a few incidents.<ref name="tN0aV">{{cite web |url= https://wiki.mozilla.org/images/e/e4/Chrony-report.pdf |title= Pentest-Report Chrony 08.2017 |access-date = 19 November 2017 |last= Heiderich |first= Mario |date= August 2017 |website= Cure53.de Team |language = en |quote= Withstanding eleven full days of on-remote testing in August of 2017 means that Chrony is robust, strong, and developed with security in mind. |publisher= wiki.mozilla.org, AKA MozillaWiki or WikiMO |archive-url= https://web.archive.org/web/20171005123643/https://wiki.mozilla.org/images/e/e4/Chrony-report.pdf |archive-date= 5 October 2017}}</ref> It is able to achieve improved precision on LAN connections, using hardware timestamping on the network adapter.<ref name="Ocilw">{{cite web |url= https://chrony.tuxfamily.org/doc/4.3/chrony.conf.html#hwtimestamp |title= chrony – chrony.conf(5) |access-date = 2 August 2020 |last= Lichvar |first= Miroslav |date= 18 September 2018 |website= Chrony project |language= en |quote= This directive enables hardware timestamping of NTP packets sent to and received from the specified network interface.
}}</ref> Support for Network Time Security (NTS) was added in version 4.0.<ref>{{Cite web|title=chrony/chrony.git - Official Git repository for the Chrony project.|url=https://git.tuxfamily.org/chrony/chrony.git/tree/NEWS?id=4.0#n6|access-date=2021-07-31|website=git.tuxfamily.org}}</ref> {{Proper name|chrony}} is available under [[GNU General Public License version 2]], was created by [[Richard Curnow]] in 1997 and is currently maintained by [[Miroslav Lichvar]].<ref name="jR9Jg">{{cite web |url= https://chrony.tuxfamily.org/ |title= chrony introduction |access-date = 19 November 2017 |website= TuxFamily, a non-profit organization. |quote= The software is supported on Linux, FreeBSD, NetBSD, macOS, and Solaris. |publisher= chrony |archive-url= https://web.archive.org/web/20091209115945/https://chrony.tuxfamily.org/ |archive-date= 9 December 2009}}</ref>

=== ntpd-rs ===
[[File:Ntp-ctl screenshot.webp|thumb|upright=1.2|{{Proper name|ntp-ctl}} (part of ntpd-rs), showing synchronization information and NTS sources.]]
ntpd-rs is a security-focused implementation of the NTP protocol, founded by the [[Internet Security Research Group]] as part of their Prossimo initiative for the creation of memory-safe Internet infrastructure. ntpd-rs is implemented in the [[Rust (programming language)|Rust programming language]], which offers [[memory safety]] guarantees in addition to the [[real-time computing]] capabilities that are required for an NTP implementation.
ntpd-rs is used in security-sensitive environments such as the [[Let's Encrypt]] non-profit Certificate Authority.<ref>{{cite web |last1=Aas |first1=Josh |title=More Memory Safety for Let’s Encrypt: Deploying ntpd-rs |url=https://letsencrypt.org/2024/06/24/ntpd-rs-deployment/ |website=Let's Encrypt |publisher=Let's Encrypt |access-date=18 December 2024 |ref=LEntpd}}</ref> Support for NTS is available.<ref>{{Cite web |title=Network Time Security - ntpd-rs documentation |url=https://docs.ntpd-rs.pendulum-project.org/guide/nts/ |access-date=2025-01-13 |website=docs.ntpd-rs.pendulum-project.org}}</ref> ntpd-rs is part of the "Pendulum" project which also includes a [[Precision Time Protocol]] implementation "statime". Both projects are available under [[Apache License|Apache]] and [[MIT License|MIT]] software licenses.

=== Others ===
* {{vanchor|Ntimed}} was started by [[Poul-Henning Kamp]] of [[FreeBSD]] in 2014 and abandoned in 2015.<ref name="F7zIq">{{cite web|last1=Poul-Henning|first1=Kamp|title=20140926 – Playing with time again|url=http://phk.freebsd.dk/time/20140926|website=PHK's Bikeshed|access-date=4 June 2015|archive-url=https://web.archive.org/web/20191220015844/http://phk.freebsd.dk/time/20140926/|archive-date=20 December 2019|url-status=live}}</ref> The implementation was sponsored by the [[Linux Foundation]].<ref name="HA4P8">{{cite web|last1=Poul-Henning|first1=Kamp|title=Network time synchronization software, NTPD replacement.|url=https://github.com/bsdphk/Ntimed|website=ntimed git repository README file|publisher=Github|access-date=4 June 2015|archive-url=https://web.archive.org/web/20150802090927/https://github.com/bsdphk/Ntimed/|archive-date=2 August 2015|url-status=live}}</ref>
* {{vanchor|systemd-timesyncd}} is the SNTP client built into [[systemd]]. It has been used by [[Debian]] since version "bookworm"<ref>{{cite web |title=Switching from OpenNTPd to Chrony - anarcat |url=https://anarc.at/blog/2022-01-23-chrony/ |website=anarc.at|quote=So in effect, systemd-timesyncd became the default NTP daemon in Debian in bookworm, which I find somewhat surprising.}}</ref> and by the downstream Ubuntu.