NTP Working Group L. Melegassi Internet-Draft Catellix Intended status: Informational H. Stenn Expires: 15 December 2026 Network Time Foundation 15 June 2026 Cross-Vantage Clock-Offset Coherence Bounds for NTP-Disciplined Measurement Vantages draft-melegassi-ntp-mvps-clock-coherence-01 [EDITORIAL NOTE (to be removed before publication): co-authorship by H. Stenn (Network Time Foundation) is listed PENDING his confirmation. His feedback is already incorporated (R3/R4/R5 in Section 13 and Section 14); this byline records the intent to co-author and will be removed if he prefers not to be listed.] Abstract The Network Time Protocol version 4 (NTPv4) [RFC5905] specifies how a host disciplines its clock to a reference time scale; Network Time Security [RFC8915] and the Message Authentication Code [RFC8573] authenticate the client-server exchange; and the NTP Best Current Practices [RFC8633] direct operators to "monitor their NTP instances to detect attacks" (Section 5.3) without specifying a quantitative, cross-host monitoring procedure. The Security Requirements document [RFC7384] establishes that an on-path adversary can impose a clock offset (Sections 3.2.2, 3.2.3, 3.2.6) and that a single client cannot always detect such an offset by itself. This document makes ONE contribution and proves it: given two or more measurement vantages disciplined to a common reference and each declaring an NTP-tier offset bound, a deterministic cross-vantage detector exists that (a) NEVER fires on offsets that are legitimate under the [RFC5905] / [RFC8633] synchronization envelope, and (b) is GUARANTEED to fire on an injected single-clock offset above a closed- form threshold. Both properties are theorems with elementary proofs; no statistical assumption, no protocol change, and no claim about the NTP wire format are required. The detector is the cross-vantage clock-skew axis of the Multi-Vantage Path Snapshot (MVPS) framework [I-D.melegassi-ippm-mvps-bundle]; this document isolates and proves the part that is purely a consequence of [RFC5905]'s error envelope. A second result governs what happens AFTER detection, when the environment itself collapses (vantages go dark, telemetry thins). We prove (i) that the false-positive-free property survives any telemetry collapse with two or more surviving vantages, and (ii) a data-processing ceiling: an AI/LLM analysis layer riding the gated signal cannot recover information the surviving vantages did not observe. The LLM's role is therefore provably EXPLANATION of an already-detected collapse, never detection itself; its operating envelope (decision tiers, classification accuracy) is given honestly as a stated model, not a theorem. A third result governs SPEED. Driving the same cross-vantage comparison at a Bidirectional Forwarding Detection (BFD, [RFC5880]) cadence instead of the legacy 60-second coherence tick gives a closed-form detection-latency window (the L_DL lemma) whose worst case equals the BFD detection time plus one signalling delay. Because the false-positive-free property (Theorem 1) is independent of the sampling rate, the gate may run at the fastest BFD cadence (multiplier 1) WITHOUT trading away its zero-false-alarm guarantee, detecting an injected offset in tens of milliseconds rather than tens of seconds. This revision (-01) incorporates feedback received off-list from the IETF NTP community, including the observation by H. Stenn (Network Time Foundation) that local refclocks and the NTF Khronos mechanism offer a vantage-level complement to the cross-vantage gate proved here, and that the NTF General Timestamp API is a candidate self- describing carrier for the per-vantage error bound (tau_i) currently supplied by operator calibration. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 15 December 2026. Copyright Notice Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction and Scope 2. Terminology and Model 3. Hypotheses (the conditions the theorems depend on) 4. Lemma 1: Legitimate Cross-Vantage Span Bound 5. Theorem 1: A False-Positive-Free Threshold Exists and 2*tau Is the Smallest One 6. Theorem 2: Guaranteed Detection and the Minimum Detectable Offset 7. Corollary: Why a Single Host Cannot Self-Detect (and Two Can) 7.1. Theorem 6: The Walk-Off Separation Band (constant-rate stealth is invisible single-host, caught cross-vantage) 8. Post-Detection AI Layer over the Collapsed Environment 8.1. Theorem 3: Collapse-Robustness of the FP-Free Gate 8.2. Theorem 4: The Data-Processing Ceiling on the AI Layer 8.3. AI Decision Envelope (MODEL, not a theorem) 9. Detection Latency: Binding the Gate to BFD Timing (RFC 5880) 9.1. Theorem 5: Closed-Form Detection-Latency Window (L_DL) 9.2. Corollary: 1091x Dwell Reduction and M=1 Optimality 10. Mapping to RFC 8633 Section 5.3 and RFC 7384 11. What This Document Does NOT Claim 12. Empirical Confirmation (and the corner it does not exercise) 13. Refinements the Theorems Suggest (constructive, non-normative) 14. Acknowledgements 15. Security Considerations 16. IANA Considerations 17. References Appendix A. Worked Numbers per NTP Tier Appendix B. Detection-Latency Variants (L_DL receipt) Appendix C. Change Log 1. Introduction and Scope [RFC5905] disciplines one host's clock. [RFC8633] Section 5.3 asks operators to monitor for attack signatures and gives qualitative ones (bogus packet, zero-origin packet, bad MAC); a quantitative, cross-host agreement test is left, appropriately, to implementation. [RFC7384] Section 3.2 catalogues the offset-inducing attacks (spoofing, replay, delay manipulation) and observes that a delay attack in particular cannot be defeated by cryptography alone and benefits from path redundancy. This document takes that observation as its starting point and supplies one such quantitative test, with proofs, as a complement to -- never a replacement for -- the existing NTP work. The gap is therefore precise and acknowledged by the IETF: there is no standardized way to verify, from outside a host, that several NTP-disciplined hosts AGREE on the time to within what their declared stratum permits. This document does not propose to fill that gap by changing NTP. It proves that the agreement test is a one-line inequality on published offsets, and that with the correct threshold the test is provably free of false alarms against the [RFC5905] envelope while provably catching any large enough injected offset. This is deliberately the SMALLEST provable statement. Everything that is not a theorem is moved to Section 11 ("What This Document Does NOT Claim"). 2. Terminology and Model The key words "MUST", "MUST NOT", "SHOULD", "MAY" are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals. Vantage: an independent host running clock-disciplined measurement, synchronized to a common reference time scale per [RFC5905]. N: the number of vantages, N >= 2. epsilon_i: the true offset of vantage i's clock relative to the common reference at the measurement instant (epsilon_i > 0 means the clock is ahead). tau_i: a declared upper bound on |epsilon_i|, taken from the vantage's NTP tier (its stratum / synchronization class). tau_i is an operator-supplied calibration input, NOT a number normatively fixed by [RFC5905]; representative values are tabulated in Appendix A. See also R3 and R5 in Section 13 for how local refclocks or the NTF General Timestamp API [NTF-TSAPI] can replace operator calibration with a measured or self-described bound. tau: the worst (largest) declared bound in the bundle, tau := max_i tau_i. Mixed-tier bundles are bound by their loosest clock. o_i: the offset value vantage i PUBLISHES (its NTP-reported clock offset, e.g. the offset computed from the [RFC5905] Section 8 timestamp quadruple). S: the cross-vantage span, S := max_i o_i - min_i o_i. D_theta: the detector that raises a flag if and only if S > theta, for a fixed threshold theta >= 0. 3. Hypotheses (the conditions the theorems depend on) The theorems in Sections 4-7 are CONDITIONAL on the following. Each is stated with a falsification path so a reviewer can break it. H1 Common reference. All N vantages discipline to the same reference time scale (a common stratum-1/-2 source or an equivalent ensemble) for the duration of one measurement window. Falsification: per-vantage "refid" / source log diverges. H2 Honest offset publication under H0. Under the null hypothesis (no attack), each vantage publishes o_i = epsilon_i with |epsilon_i| <= tau_i. Estimator noise of the NTP offset computation is folded into tau_i (i.e. tau_i is taken large enough to also cover the measurement error of the offset itself). Falsification: a calibrated clock whose published offset exceeds its declared tier bound in the absence of attack. NOTE. H2 can be strengthened by either equipping a vantage with a local refclock (GPS/PPS), which gives a hardware- calibrated bound, or by enabling the Khronos mechanism [KHRONOS] on the vantage's NTP client, which supplies a provably-bounded tau_i from the NTP exchange itself without requiring server changes. Both approaches are described in R3 and R4 of Section 13. H3 Cardinality. N >= 2. (N >= 3 is required by the surrounding MVPS axioms for Byzantine tolerance, but the two theorems of this document hold for N >= 2.) Falsification: trivial. These three hypotheses are the ENTIRE basis. No distributional assumption on epsilon_i is made. 4. Lemma 1: Legitimate Cross-Vantage Span Bound STATEMENT. Under H1-H2 (no attack), the cross-vantage span satisfies S = max_i o_i - min_i o_i <= 2*tau . PROOF. By H2, o_i = epsilon_i and |epsilon_i| <= tau_i <= tau for every i, hence o_i in [-tau, +tau]. The span of a finite set contained in an interval of width 2*tau is at most 2*tau: max_i o_i - min_i o_i <= (+tau) - (-tau) = 2*tau . QED REMARK. This is exactly the "2*eps_NTP" term that already appears in the joint-skew bound of the MVPS BBF-mesh profile ([I-D.melegassi-ganascim-mvps-bbf-mesh] Theorem T-MESH-1), there written "maximum pairwise skew <= 2*eps_NTP + tau_RTT_max". Lemma 1 is the propagation-free specialization. 5. Theorem 1: A False-Positive-Free Threshold Exists and 2*tau Is the Smallest One STATEMENT. Let D_theta flag iff S > theta. (a) If theta >= 2*tau, then under H0 (H1-H2 hold, no attack) the detector NEVER flags: the false-positive probability against the [RFC5905]/[RFC8633] synchronization envelope is exactly zero, deterministically. (b) theta = 2*tau is the SMALLEST such threshold: for any theta < 2*tau there exists a legitimate H0 configuration on which D_theta flags. PROOF. (a) By Lemma 1, S <= 2*tau <= theta under H0, so the event S > theta cannot occur. No probability is involved; the bound is a set inclusion. (b) Take N = 2 with epsilon_1 = +tau, epsilon_2 = -tau, both within tier (admissible under H2). Then S = 2*tau. For any theta < 2*tau, S = 2*tau > theta, so D_theta flags on a fully legitimate configuration. Hence no threshold below 2*tau is false-positive free. QED COROLLARY 1.1. The unique smallest false-positive-free detector is D_{2*tau}. Operators SHOULD set theta = 2*tau, where tau is the worst declared tier bound in the bundle. 6. Theorem 2: Guaranteed Detection and the Minimum Detectable Offset We now model an on-path adversary consistent with [RFC7384] Section 3.2: by packet manipulation (3.2.1), spoofing (3.2.2), replay (3.2.3) or delay manipulation (3.2.6) the adversary imposes a single additive offset Delta > 0 on exactly one vantage k, so that vantage k publishes o_k = epsilon_k + Delta, while the other N-1 vantages remain within tier (|epsilon_i| <= tau, i != k). STATEMENT. (i) [Worst case over legitimate placements.] The infimum of the post-attack span over all admissible legitimate offsets is inf S' = max(0, Delta - 2*tau) . Consequently D_theta is GUARANTEED to flag (for every admissible placement of the honest clocks) if and only if Delta > theta + 2*tau . (ii) [Well-synchronized baseline.] If the honest vantages are tightly synchronized (epsilon_i = 0 for i != k, and epsilon_k = 0 before the attack), then S' = Delta and D_theta flags iff Delta > theta. Hence, writing Delta_min for the smallest reliably detected offset, theta < Delta_min <= theta + 2*tau , collapsing to Delta_min = theta in the tightly-synchronized baseline and to the worst-case guarantee Delta_min = theta + 2*tau in general. With the recommended theta = 2*tau (Corollary 1.1): Delta_min = 2*tau (baseline) to 4*tau (worst case). PROOF of (i). To minimize the post-attack span, the honest clocks and epsilon_k are chosen adversarially. Cluster the N-1 honest points at a single value a in [-tau, tau] and write the attacked point as b + Delta with b = epsilon_k in [-tau, tau]. The two distinct points are {a, b + Delta}, so S'(a,b) = | a - (b + Delta) | = | (a - b) - Delta | . Over a, b in [-tau, tau] the difference a - b ranges over [-2*tau, 2*tau]. Thus (a - b) - Delta ranges over [-2*tau - Delta, 2*tau - Delta], and inf_{a,b} |(a - b) - Delta| = 0, if Delta <= 2*tau (0 is attainable), = Delta - 2*tau, if Delta > 2*tau (interval lies > 0). i.e. inf S' = max(0, Delta - 2*tau). The detector is guaranteed to flag for ALL placements iff this infimum exceeds theta, i.e. iff Delta - 2*tau > theta. QED PROOF of (ii). With every honest offset 0 and epsilon_k = 0, the point set after attack is {0 (x (N-1)), Delta}, so S' = Delta and S' > theta iff Delta > theta. QED REMARK (interpretation). The "2*tau gap" between the baseline and the worst case is not slack to be engineered away: it is exactly the region in which a genuine within-tier skew of the honest clocks is indistinguishable from a small injected offset. This indistinguishability is the same fact proven in Theorem 1(b); it is a property of the [RFC5905] envelope, not a deficiency of the detector. Local refclocks (R3, Section 13) directly shrink this gap by reducing tau. 7. Corollary: Why a Single Host Cannot Self-Detect (and Two Can) STATEMENT. A single client with one time source cannot, from its own observations alone, detect a consistent symmetric offset attack of magnitude Delta. Two vantages on distinct paths can, per Theorem 2. ARGUMENT. [RFC5905] Section 8 computes a client's offset from the timestamp quadruple (T1, T2, T3, T4) as theta_hat = ((T2 - T1) + (T3 - T4)) / 2. A symmetric delay attack that adds d to both directions, or a server-time shift of Delta, leaves the client's internal consistency checks satisfied: there is no second, independent observable against which T-quadruple can be contradicted. [RFC7384] Section 3.2.6 states this directly -- delay attacks "cannot be prevented by cryptographic means" and mitigation requires redundant, diverse paths. The offset is therefore UNOBSERVABLE to a lone client. With N >= 2 vantages on distinct paths and a common reference, the attacked vantage's published offset diverges from the others, and Theorem 2 converts that divergence into a deterministic detection guarantee. This is the precise, provable sense in which a multi- vantage construction adds detection power that no single [RFC5905] client possesses. This document claims nothing stronger: it does not prevent the attack, does not authenticate the exchange (that is [RFC8915] / [RFC8573]), and does not identify WHICH vantage is wrong without the N >= 3 Byzantine machinery of the surrounding MVPS axioms. 7.1. Theorem 6: The Walk-Off Separation Band [ANALYTICAL + SIMULATION] Section 7 shows a lone client is blind to a STATIC offset. This refinement quantifies the more operationally relevant case the BCP monitoring guidance (RFC 8633 Section 5.3) implicitly worries about: a SLOW, CONSTANT-RATE walk-off, where the adversary (a lying server per [RFC7384] Section 3.2.2, or an on-path frequency bias) does not step the clock but adds a constant frequency error f_a so the true offset grows as f_a * t. This is the regime in which a client's own health indicators move the WRONG way -- it looks healthier while it is walked off. MODEL. A client disciplines its clock with a type-II control loop. This is not an assumption about one product; integral (frequency- holding) action is the defining feature of the disciplines in both ntpd and chrony, and is what gives NTP its hold-over behaviour. A type-II loop has, by the final-value theorem of linear control, ZERO steady-state error to a ramp input. A constant frequency bias is exactly a phase ramp. STATEMENT. (i) [Self-blindness.] Under a constant-rate walk-off f_a within the discipline's slew authority (|f_a| <= R_slew; R_slew ~ 500 ppm for ntpd's classic 0.5 ms/s limit), the client's self-measured offset residual x(t) -> 0 in steady state. Hence every purely local monitor -- thresholding |x| against the tier, the STA_UNSYNC kernel flag, or the reported root dispersion -- never fires, for arbitrarily large accumulated true offset. (ii) [Cross-vantage capture.] A second, un-attacked vantage makes the cross-vantage span equal the accumulated offset f_a * t. By Theorems 1 and 2 the gate D_theta fires deterministically at the closed-form time t_det = theta / f_a . (iii)[Separation.] Therefore for every rate in the band 0 < f_a <= R_slew the single-host detection set is EMPTY while the cross-vantage detection time is finite and bounded by theta / f_a. The stealth band is non-empty; the gap between single-host and cross-vantage detectability is the entire band. PROOF. (i) A type-II loop has two open-loop poles at the origin; the steady-state error to a ramp (the Laplace 1/s^2 input that a constant frequency bias presents to the phase comparator) is lim_{s->0} s * E(s) = 0 by the final-value theorem. Thus the measured residual, which is precisely that error signal, tends to 0; any local monitor that thresholds a quantity bounded by |x| or declares loss-of-lock from it cannot trip. The accumulated true offset is the integral of f_a, i.e. f_a * t, unbounded in t. (ii) The honest vantage holds |epsilon| <= tau while the attacked vantage's true offset is f_a * t; the span reaches theta at t = theta / f_a, where Theorem 2 guarantees a flag. (iii) is the conjunction of (i) and (ii) over the band. QED NOTE ON THE NOISE FLOOR (honest scope). The "x(t) -> 0" of part (i) is the deterministic steady state. Real disciplines carry measurement noise, so the residual settles to the loop's noise floor, not algebraically to zero -- but that floor is far below the tier, so the self-blindness conclusion is unchanged: the local monitor still never crosses theta. The simulation below reports the settled residual explicitly rather than asserting an idealized zero. NUMERICAL RECEIPT. A discrete critically-damped type-II loop (Tc = 64 s, dt = 1 s) was driven by the full stealth band up to the ntpd slew ceiling. At the worst rate f_a = 500 ppm the self-measured residual settles below the loop noise floor (< 1 us in the noise-free model) while the TRUE offset reaches 2000 ms after 4000 s -- a two- second walk-off the host never flags -- and the cross-vantage gate fires at t_det = theta / f_a = 50 ms / 500 ppm = 100 s, matching the closed form to within one sample. Every rate in {25, 50, 125, 250, 500} ppm is single-host-blind and cross-vantage-caught. Reproduce: scripts/validate_walkoff_separation.py evidence/walkoff_separation_receipt.json INTERPRETATION. This is NOT a new NTP attack -- a lying or on-path server shifting an unauthenticated client is [RFC7384] Section 3.2, and authentication is [RFC8915]. What is new is the QUANTIFIED SEPARATION: the constant-rate stealth band is structurally invisible to a host's own monitoring (its residual converges to zero precisely because the discipline is working), and is recovered only by the cross-vantage comparison, in bounded time theta / f_a. This is the sharpest form of the RFC 8633 Section 5.3 case for cross-host monitoring: self-monitoring is provably blind exactly where the discipline is healthy. 8. Post-Detection AI Layer over the Collapsed Environment The deterministic detector of Sections 4-7 answers one question: "do the vantages still agree on time within their envelope?" When the answer is no, the environment is, in the operational sense, COLLAPSING: clocks diverge, vantages may be going dark, telemetry thins. The MVPS framework places an AI/LLM analysis layer on top of that signal [I-D.melegassi-mvps-ai-coherence]. This section states precisely -- and proves where it can -- what that layer can and cannot do. The scope of every claim is tagged ANALYTICAL (a theorem), MODEL (a stated operating model), or CONJECTURE (open). Collapse model. Let each of the N vantages independently still report in the current window with probability h in (0, 1] (the "environment health"; 1-h is the fraction gone dark through link failure, blackhole, or noise). Let M be the number of survivors. 8.1. Theorem 3: Collapse-Robustness of the FP-Free Gate [ANALYTICAL] STATEMENT. (a) For EVERY realization with M >= 2 survivors, the false-positive- free property of Theorem 1 holds verbatim with theta = 2*tau. No degree of telemetry collapse can manufacture a false alarm. (b) If an offset Delta > theta is injected on one vantage k (baseline corner, Theorem 2(ii)), the probability the surviving bundle still catches it is, exactly, P_detect(h) = h * ( 1 - (1 - h)^(N-1) ) . PROOF. (a) Theorem 1(a) is a statement about the M surviving published offsets only; its proof (Lemma 1) used N nowhere. Restrict the index set to the survivors: S_survivors <= 2*tau <= theta still holds. Hence no false positive, for any M >= 2. (b) The injected offset is observable only if vantage k itself survives (probability h) AND at least one other vantage survives to form a span (probability 1 - (1-h)^(N-1), by independence). The two events are independent, giving the product. QED READING. Detection POWER degrades as the environment collapses, but the ZERO-false-alarm guarantee does not: the gate fails safe. An aggregate (rather than pairwise) coherent statistic degrades on the smooth A*sqrt(h) slope rather than a cliff [I-D.melegassi-mvps-ai-coherence]; that aggregate refinement is tagged MODEL there and is not needed for (a)-(b) here. 8.2. Theorem 4: The Data-Processing Ceiling on the AI Layer [ANALYTICAL] Let x be the (hidden) true state of the collapsed environment, y the published multi-vantage observations (offsets, spans, hop data) on which the gate fired, and g(y) any AI/LLM analysis of y -- a classification, an explanation, a remediation hint. Because the LLM sees only y, the variables form a Markov chain x -> y -> g(y) . STATEMENT. I( x ; g(y) ) <= I( x ; y ). PROOF. Direct application of the data-processing inequality [Cover-Thomas] to the chain x -> y -> g(y). QED CONSEQUENCE (the honest division of labour). No AI or LLM post- processing can recover information about the collapsed environment that the surviving vantages did not capture. Therefore: o DETECTION is the job of the deterministic gate (Theorems 1-3), whose guarantees are exact and adversary-independent. o The AI/LLM layer's job is EXPLANATION within the information y already contains: naming the likely failure cause, ranking hypotheses, drafting an operator-readable account of the collapse. It provably cannot substitute for a missing vantage. This is why adding the LLM does not weaken any guarantee in this document: it operates strictly downstream of, and bounded by, the gated signal. It also tells operators where the real lever is -- not a better model, but more/better-placed vantages (the Layer-3 program of [I-D.melegassi-mvps-ai-coherence], out of scope here). 8.3. AI Decision Envelope (MODEL, not a theorem) On top of the proven gate, the framework reports an AI decision tier as a function of the detection power p [MVPS-AI-ENVELOPE]: tier condition meaning --------- ----------- ----------------------------------- PERFECT p >= 0.90 full-confidence decision OPTIMAL 0.70 <= p<0.90 AI compensates; high confidence GOOD 0.55 <= p<0.70 AI still decides above legacy floor COLLAPSE p < 0.55 degraded toward chance For a coherent effect spread across N = 32 vantages with the A*sqrt(h) model, the tier holds at PERFECT/OPTIMAL/GOOD down to h = 0.5 (half the telemetry lost) while a single-vantage monitor of the same spread effect never leaves COLLAPSE -- the "AI prevails where the environment collapses" envelope. SCOPE. The tier thresholds (0.90 / 0.70 / 0.55) are DESIGN CHOICES, not theorems; the A*sqrt(h) degradation is a stated MODEL; embedding this envelope in a captured real attack is a CONJECTURE pending the live lab. Any classification accuracy figure (e.g. the diagonal- Gaussian failure-cause classifier reported elsewhere at macro-F1 ~ 0.72) is EMPIRICAL with a declared methodological semi-circularity and is explicitly NOT claimed as a guarantee here. 9. Detection Latency: Binding the Gate to BFD Timing (RFC 5880) A detector is only as useful as it is fast: an attacker's dwell time is exactly the detection latency. NTP's own disciplining is deliberately slow (poll intervals of seconds to thousands of seconds, [RFC5905] Section 13), and the legacy MVPS coherence tick is 60 s. This section binds the cross-vantage gate to the timing discipline of Bidirectional Forwarding Detection [RFC5880], whose detection time is itself a published closed form, and shows the gate inherits a tens-of-milliseconds latency WITHOUT weakening Theorem 1. Onset-phase model. The gate samples on a tick lattice t_k = k*T_tick. An injected offset Delta (large enough to be detectable by Theorem 2) appears at onset t_0 with phase phi := t_0 - floor(t_0/T_tick)*T_tick in [0, T_tick). An alarm requires M consecutive above-threshold ticks (the detection multiplier). tau_RTT >= 0 is the one-way latency for the alarm to reach the acting subscriber. 9.1. Theorem 5: Closed-Form Detection-Latency Window (L_DL) [ANALYTICAL] STATEMENT. Under the onset-phase model, the detection latency of the clock-skew gate is tau_detect(phi) = M*T_tick - phi + tau_RTT , and therefore tau_min = (M - 1)*T_tick + tau_RTT (best, phi -> T_tick^-) tau_E = (M - 1/2)*T_tick + tau_RTT (expected, phi uniform) tau_max = M*T_tick + tau_RTT (worst, phi = 0). All three are linear in M with slope T_tick; the spread tau_max - tau_min = T_tick is exactly one tick. PROOF. The alarm fires at tick index k_0 + M, i.e. at t_alarm = (k_0 + M)*T_tick, so t_alarm - t_0 = M*T_tick - phi; adding tau_RTT gives tau_detect(phi). The three corners follow by substituting phi -> T_tick^-, integrating uniformly, and substituting phi = 0. This is Lemma L_DL, proved in full in [MVPS-L-DL] Section 2 and validated to the millisecond against the Coherence-BFD benchmark in its Section 4. QED RFC 5880 binding. Identify M with the BFD Detection Multiplier and T_tick with the negotiated BFD transmit interval ([RFC5880] Section 6.8.4, Detection Time = Detection Multiplier x transmit interval). Then tau_max is exactly the BFD detection time plus one signalling latency tau_RTT. The gate thus rides BFD's own, already-standardized liveness clock. 9.2. Corollary: 1091x Dwell Reduction and M=1 Optimality [ANALYTICAL] COROLLARY 5.1 (dwell reduction). For the legacy tick (T_tick = 60000 ms, M = 1, tau_RTT = 5 ms), tau_max = 60005 ms. For a BFD- echo cadence (T_tick = 50 ms, M = 1, tau_RTT = 5 ms), tau_max = 55 ms. The attacker's offset-injection dwell window shrinks by a factor 60005/55 ~ 1091. COROLLARY 5.2 (M = 1 optimality for a deterministic gate). In a statistical detector the multiplier M > 1 exists to suppress false alarms. Here it is unnecessary: by Theorem 1 the false-positive rate is identically zero at EVERY tick, independent of T_tick and M. Hence the latency-minimizing configuration M = 1 (fire on the first above-threshold tick) loses NOTHING in false alarms while achieving the smallest possible tau_max = T_tick + tau_RTT. Acceleration to BFD cadence is, for this gate, free of any precision/false-alarm trade-off -- a property a statistical NTP-skew monitor does not have. READING. An on-path adversary who injects a detectable clock offset ([RFC7384] Sections 3.2.2/3.2.3/3.2.6) is caught within T_tick + tau_RTT ~ tens of milliseconds at BFD cadence, versus tens of seconds at the legacy tick and versus the seconds-to-kiloseconds of NTP's own poll discipline -- with zero false alarms either way. 10. Mapping to RFC 8633 Section 5.3 and RFC 7384 [RFC8633] Section 5.3 ("Detection of Attacks through Monitoring") asks operators to monitor for attack signatures. This document supplies one quantitative, host-external signature with proven error behavior: RFC 8633 Sec 5.3 request This document ------------------------ ----------------------------------- "monitor ... to detect" D_{2*tau} over published offsets signature: bogus/zero/MAC additive offset Delta (Theorem 2) (no false-alarm guarantee) zero false alarms vs RFC 5905 envelope (Theorem 1) RFC 7384 threat Detected when ... (Theorem 2) ------------------------ ----------------------------------- 3.2.2 Spoofing imposed offset Delta > theta+2*tau 3.2.3 Replay (worst case) / Delta > theta 3.2.6 Delay manipulation (baseline); single-host blind by the Corollary of Section 7 11. What This Document Does NOT Claim o No change to the NTP wire protocol, packet format, modes, or algorithms. NTPv4 [RFC5905] and NTPv5 (work in progress) are untouched. o No replacement for authentication. Integrity and server authentication remain [RFC8915] (NTS) and [RFC8573] (MAC). o No relativity. The only physical inequality used elsewhere in MVPS is the propagation lower bound RTT >= 2*d/v_g, a triangle inequality at the medium signal speed v_g. Terrestrial IP propagation is sub-relativistic; this document makes NO appeal to special relativity, and the "Einstein"/"Lorentz" labels used in some companion material are editorial only and are avoided here. o No detection below the envelope. A stationary offset Delta <= theta (and, in the worst placement, Delta <= theta+2*tau) is provably indistinguishable from legitimate within-tier skew (Theorems 1(b), 2). This is a hard limit, stated openly, not a deficiency to be tuned away. o No single-host capability (Section 7). o No AI/LLM detection. By Theorem 4 the AI layer cannot detect what the vantages did not observe; it explains an already-gated collapse. Its decision tiers and any accuracy figure are a stated MODEL / EMPIRICAL result (Section 8.3), never a guarantee. o The tier bounds tau_i (Appendix A) are operator calibration inputs, not numbers fixed by any RFC. See R3 and R5 in Section 13 for paths toward hardware-calibrated or self-described bounds. 12. Empirical Confirmation (and the corner it does not exercise) The reference implementation (MVPS axis C10) was run against a graded single-vantage offset sweep Delta in {0, 1, 3, 10, 50, 200, 500} ms with the other vantages published at offset 0 and a stratum-1 tier (tau-class threshold 50 ms). The detector did not fire at Delta <= 50 ms and fired at Delta = 200 ms and Delta = 500 ms. This is exactly Theorem 2(ii) (baseline corner, flag iff Delta > theta) for the implementation's configured threshold. HONEST GAP. Because every honest vantage was published at EXACTLY 0, this sweep exercises only the baseline corner. It does NOT exercise (a) the worst-case placement of Theorem 2(i) (honest clocks spread to +/- tau), nor (b) the false-positive boundary of Theorem 1(b) (legitimate span = 2*tau). A complete validation MUST add both corners; see the receipt produced alongside this document. WALK-OFF SEPARATION (Theorem 6). A separate, self-contained check simulates a type-II discipline loop under a constant-rate walk-off across the stealth band up to the ntpd 500 ppm slew ceiling. It confirms, for every rate, that the self-measured residual settles below the tier (host blind) while the cross-vantage gate fires at the closed-form t_det = theta / f_a; at 500 ppm the true offset reaches 2000 ms in 4000 s with no local flag, caught cross-vantage in 100 s. Reproduce: scripts/validate_walkoff_separation.py and evidence/walkoff_separation_receipt.json. 13. Refinements the Theorems Suggest (constructive, non-normative) This document builds ON the NTP architecture [RFC5905], its security analysis [RFC7384], and its operational guidance [RFC8633]; nothing here is a criticism of that body of work. The five items below are refinements the theorems let us make to OUR OWN reference implementation, and pointers to adjacent NTF work that addresses complementary problems. They are recorded so other implementers can reproduce them and so the working group can question the conventions differently if it prefers. R3, R4, and R5 were added in -01 in response to feedback from H. Stenn (Network Time Foundation). R1 Threshold convention (theta = tau vs theta = 2*tau). Our reference code currently uses the per-vantage tier bound directly as the span threshold (theta = tau). Theorem 1(b) shows the smallest FALSE-POSITIVE-FREE convention is theta = 2*tau, so we adopt 2*tau and state the choice openly. This is a definitional matter, not an error: an operator who declares tau as ALREADY a pairwise (max-minus-min) envelope would correctly keep theta = tau. The recommendation is therefore to state, per deployment, whether tau is a per-vantage or a pairwise bound, and to derive theta accordingly. Reviewers are invited to challenge this convention. R2 Explicit "unverified" status when telemetry is absent. When a bundle carries no clock-offset telemetry, the theorems say nothing can be concluded about agreement. For transparency we recommend reporting an explicit "clock_unverified" status in that case rather than a bare "ok", so that a consumer is never led to infer agreement that was never measured. This is a reporting improvement, fully backward compatible. R3 Local refclocks as the most direct tau tightener. This document treats tau_i as an operator-calibrated input derived from NTP tier class (Appendix A). A vantage equipped with a local reference clock -- GPS/PPS, chip-scale atomic, or equivalent -- can publish a hardware-calibrated tau_i that is 10-500x smaller than the tier-class value without any change to the detector algorithm. Because Delta_min scales linearly with tau (Section 6, Appendix A), one GPS-disciplined vantage in a stratum-2/3 bundle can reduce the bundle's worst-case Delta_min from ~800 ms to ~4 ms. This is the most direct, deployment-local path to a tighter detector; it requires no protocol change and is independent of the cross-vantage machinery proved here. Note that one or more local refclocks also directly strengthen H1 (the common-reference hypothesis): a vantage locked to GPS UTC is an independent, network-free anchor that cannot be displaced by an on-path adversary manipulating NTP packets. R4 Khronos as a vantage-level complement. The Khronos mechanism [KHRONOS] from the Network Time Foundation provides provably- bounded limits on a single NTP client's clock offset by making multiple queries and applying a Byzantine-fault-tolerant selection -- backward-compatible with existing NTP servers, requiring no server changes. A Khronos-enabled vantage can derive a cryptographically-bounded tau_i rather than a tier-class estimate, directly strengthening Hypothesis H2. Khronos operates at the per-vantage level (bounding the error of o_i); the cross-vantage gate of this document (bounding S = max o_i - min o_i) is a complementary outer layer. The two mechanisms address different halves of the time-security surface: Khronos layer: bounds per-vantage error, adversary-resistant at each NTP client. Cross-vantage gate: detects inter-vantage disagreement invisible to per-vantage checking. Together they provide defense-in-depth: Khronos constrains what each vantage can believe about its own time; the span gate detects coordinated or residual divergence between vantages. R5 General Timestamp as a self-describing tau carrier. This document requires operators to supply tau_i from tier tables or local calibration. The NTF General Timestamp API [NTF-TSAPI] proposes a timestamp structure that embeds the time value, a known correction to "true" time, accumulated error since the last synchronization with a believable source, and the timescale used. Were vantages to publish General Timestamps, tau_i could be read directly from the embedded error field rather than operator- configured -- eliminating a calibration step and making the H2 check auditable from the published data alone. This has a second consequence: for constrained devices (RTC-equipped, no network), the accumulated-error field of a General Timestamp is exactly the network-free clock-confidence primitive that is currently missing from the BRSKI clockless-pledge "honour expires-on" direction (the open question raised in the companion clock-confidence draft). We note it as the natural evolution of R3 once the API is standardized. 14. Acknowledgements The author thanks Michael Richardson for off-list correspondence that led to the refinement of the empirical evidence page and the honest separation of proved results from open questions. The author thanks Harlan Stenn (Network Time Foundation) for the observation that local refclocks offer a direct path to tightening the per-vantage error bound (R3), for pointing to the Khronos mechanism [KHRONOS] as a provably-bounded vantage-level complement (R4), and for the reference to the NTF General Timestamp API [NTF-TSAPI] as a candidate self-describing tau carrier and as a potential answer to the BRSKI clockless-pledge honour-direction gap (R5). These three additions constitute the principal change from version -00 to this version -01. 15. Security Considerations The detector is a monitoring aid, not a control: it raises a flag, it does not correct or authenticate time. An adversary who keeps an injected offset below the envelope (Delta <= theta in the baseline) is provably invisible to it; operators MUST treat the detector as a lower bound on detectable manipulation, layered beneath [RFC8915] authentication and [RFC8633] operational practice. An adversary able to corrupt all vantages' published offsets identically defeats the span test; path and reference diversity (per [RFC7384] Section 3.2.6) is therefore a precondition, captured by Hypothesis H1. Local refclocks (R3) raise the bar for H1 attacks: an adversary must now also defeat the physical GPS/PPS signal at the refclock vantage, not merely manipulate NTP packets. Khronos (R4) raises the bar for H2 attacks at the individual vantage. Neither replaces path diversity; they reduce the adversary's degree of freedom within it. 16. IANA Considerations This document has no IANA actions. 17. References 17.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, June 2010, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, May 2017. 17.2. Informative References [RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in Packet Switched Networks", RFC 7384, October 2014, . [RFC8573] Malhotra, A. and S. Goldberg, "Message Authentication Code for the Network Time Protocol", RFC 8573, June 2019. [RFC8633] Reilly, D., Ed., Stenn, H., and D. Sibold, "Network Time Protocol Best Current Practices", BCP 223, RFC 8633, July 2019, . [RFC8915] Franke, D., Sibold, D., Teichel, K., Dansarie, M., and R. Sundblad, "Network Time Security for the Network Time Protocol", RFC 8915, September 2020. [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection (BFD)", RFC 5880, June 2010, . [MVPS-L-DL] Melegassi, L., "MVPS Detection-Latency Unified Lemma (L_DL)", Catellix technical note (docs/MVPS_DETECTION_LATENCY_LEMMA.txt and scripts/validate_detection_latency_lemma.py), 2026. [I-D.melegassi-coherence-bfd] Melegassi, L., "Coherence-BFD: Sub-Second Multi-Vantage Coherence Liveness", Work in Progress, Internet-Draft. [I-D.melegassi-ippm-mvps-bundle] Melegassi, L., "Multi-Vantage Path Snapshot (MVPS)", Work in Progress, Internet-Draft. [I-D.melegassi-ganascim-mvps-bbf-mesh] Ganascim, R., Melegassi, L., and G. Ganascim, "MVPS over the Broadband Forum CPE Stack", Work in Progress, Internet-Draft. [I-D.melegassi-mvps-ai-coherence] Melegassi, L., "AI/LLM Coherence Layer over MVPS", Work in Progress, Internet-Draft. [MVPS-AI-ENVELOPE] Melegassi, L., "Stealth-vs-Detection Envelope and AI Decision Tiers for MVPS", Catellix technical note (docs/MVPS_STEALTH_DETECTION_AI_ENVELOPE.txt and scripts/analyze_stealth_detection_ai_envelope.py), 2026. [Cover-Thomas] Cover, T. and J. Thomas, "Elements of Information Theory", 2nd ed., Wiley, 2006 (data-processing inequality, Theorem 2.8.1). [KHRONOS] Network Time Foundation, "The Khronos Project: provably- bounded NTP client offset security", . Khronos achieves provable limits on "time" without server changes; applicable to any current or future time protocol. [NTF-TSAPI] Network Time Foundation, "General Timestamp API", . Defines a timestamp structure embedding time, expected correction to true time, accumulated error since last synchronization, and timescale; provides a portable library for conversion and comparison. Appendix A. Worked Numbers per NTP Tier The tau values below are calibration inputs, not RFC-normative. They reflect typical accuracy classes; operators MUST substitute their own. A vantage equipped with a local GPS/PPS refclock (R3, Section 13) would enter the "gps_ptp" row regardless of NTP stratum, replacing the stratum-2/3 rows for that vantage. tier tau (ms) theta = 2*tau Delta_min (baseline..worst) ------------ -------- ------------- --------------------------- atomic 1 2 2 ms .. 4 ms gps_ptp 5 10 10 ms .. 20 ms ntp_s1 50 100 100 ms .. 200 ms ntp_s2 200 400 400 ms .. 800 ms ntp_s3_plus 500 1000 1 s .. 2 s Reading: a bundle whose loosest clock is stratum-3+ cannot, by Theorem 1, detect any injected offset smaller than ~1 s without additional (e.g. longitudinal) information; tightening the worst clock is the only way to lower Delta_min. Adding a single GPS/PPS refclock vantage (tau = 5 ms) to a stratum-2 bundle (tau = 200 ms) does NOT tighten the bundle unless the stratum-2 clocks are also upgraded; tau := max_i tau_i, so the loosest clock sets the floor. Appendix B. Detection-Latency Variants (L_DL receipt) The worst-case latency tau_max = M*T_tick + tau_RTT of Theorem 5, evaluated for the five Coherence-BFD benchmark variants ([MVPS-L-DL] Section 4; tau_RTT = 5 ms throughout). The p95 column is the measured benchmark; it matches tau_max to the millisecond. variant T_tick(ms) M tau_max(ms) p95(ms) ---------------- ---------- -- ----------- ------- V0 legacy tick 60000 1 60005 60005 V1 BFD fast 50 3 155 155 V2 BFD demand 1000 1 1005 1005 V3 BFD echo 50 1 55 55 V4 BFD hybrid 50 3 155 155 The latency-minimizing, false-alarm-free configuration is V3 (M = 1, fastest tick): tau_max = T_tick + tau_RTT = 55 ms, a 1091x reduction from the legacy tick (Corollary 5.1) at zero false-alarm cost (Corollary 5.2). Appendix C. Change Log -01 (15 June 2026) * Added Section 7.1, Theorem 6 (the Walk-Off Separation Band): a constant-rate walk-off within the discipline's slew authority drives a type-II loop's self-residual to zero (the host is structurally blind, by the final-value theorem), while the cross-vantage gate fires at closed form t_det = theta / f_a. This quantifies Section 7: the entire stealth band is invisible single-host and caught cross-vantage. Explicit noise-floor caveat included. Walk-off receipt added to Section 12 (scripts/validate_walkoff_separation.py, evidence/walkoff_separation_receipt.json). * Added Sections R3, R4, R5 in Section 13, incorporating feedback from H. Stenn (NTF): local refclocks as the most direct tau tightener; Khronos as a vantage-level complement; General Timestamp API as a self-describing tau carrier and BRSKI-honour candidate. * Added [KHRONOS] and [NTF-TSAPI] as informative references. * Added Section 14 (Acknowledgements) crediting M. Richardson and H. Stenn. * Added note to H2 in Section 3 and Remark to Section 6 linking local refclocks and Khronos to the proof hypotheses. * Added note to Section 11 and to Appendix A clarifying that tau_i can be tightened via local refclocks. * Added Appendix C (this change log). * Editorial: fixed double-space in Abstract; updated all internal section-number forward-references. -00 (30 May 2026) * Initial submission. Authors' Addresses Leonardo Melegassi Catellix Andradina, SP, Brazil Email: melegassi@catellix.com Harlan Stenn (co-author pending confirmation) Network Time Foundation P.O. Box 918 Talent, OR 97540 United States of America Email: stenn@nwtime.org