Charles Barry, Luminous Cyber


Time Determination is a novel approach to network event timestamping. Network Time Protocol (NTP) and Precision Time Protocol (PTP/IEEE 1588) distribute time from a Server/Grandmaster to Clients/Clocks. NTP/PTP Clients each recover their own time by processing timestamps exchanged with the server using protocol-specific packets. Network queuing, variations in physical or logical path, forwarding behavior of network elements, network outages, line rate, rate of the protocol-specific packets and even packet size all conspire to the detriment of the client's recovered time. Making matters worse, the rapid and nearly ubiquitous rise of cloud-based systems has seen the diminution of NTP/PTP for virtual machine time, with the result that time and timestamps are less accurate, or even unavailable, in the cloud.

Time Determination (TD), on the other hand, relies on software Agents that passively observe up to all ingress and egress packets at a node (e.g., a server) for all of its links and communication paths. Each TD Agent computes unique metadata for every packet. This metadata is timestamped using a free-running clock as reference. Each Agent then sends its timestamped metadata to a centralized "Aggregator". The Aggregator correlates the timestamped metadata for all of the packets, regardless of size, along all paths in and between all clients. In addition, the Aggregator fuses timestamp data with the network's physical and logical topology. In doing so, the TD Aggregator has a rich set of data from which to recover event time. TD also requires all event timestamps to be consistent with network-wide causality. This enforcement of network-wide event causality greatly enhances root cause analysis of network failures, above and beyond what is currently possible using NTP/PTP methods.
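The Agent/Aggregator flow described above can be sketched as follows. This is an added example, not code from the talk or from Luminous Cyber: the abstract does not specify the metadata or the Aggregator's algorithm, so the truncated SHA-256 digest, the record layout, the function names and the offset-bounding method are all assumptions. It covers two nodes on one hop and treats the clock offset as constant over the window (no drift).

```python
import hashlib
from collections import defaultdict

def packet_digest(pkt: bytes) -> str:
    # Assumed metadata scheme: truncated SHA-256 over the packet bytes.
    return hashlib.sha256(pkt).hexdigest()[:16]

def observe(node, direction, pkt, local_us):
    # What an Agent would report: packet identity plus a free-running clock reading.
    return {"node": node, "dir": direction, "id": packet_digest(pkt), "t": local_us}

def pair_up(records):
    # Aggregator step 1: correlate egress/ingress sightings of the same packet.
    seen = defaultdict(dict)
    for r in records:
        seen[r["id"]][r["dir"]] = (r["node"], r["t"])
    return [(s["egress"], s["ingress"]) for s in seen.values() if len(s) == 2]

def offset_bounds(records, a, b):
    # Step 2: bound theta = clock_b - clock_a. A packet cannot arrive before it
    # leaves, so a->b gives theta <= rx_b - tx_a and b->a gives theta >= tx_b - rx_a.
    lo, hi = float("-inf"), float("inf")
    for (src, tx), (dst, rx) in pair_up(records):
        if (src, dst) == (a, b):
            hi = min(hi, rx - tx)
        elif (src, dst) == (b, a):
            lo = max(lo, tx - rx)
    return lo, hi

def causality_violations(records, b, theta):
    # Count packets that appear to arrive before they were sent, after mapping
    # b's clock readings onto a's timebase with the offset estimate theta.
    fix = lambda node, t: t - theta if node == b else t
    return sum(fix(*rx) < fix(*tx) for tx, rx in pair_up(records))

# Constructed sample: B's clock reads 5 s ahead of A's; times in microseconds.
RECORDS = [
    observe("A", "egress", b"pkt-1", 1_000_000), observe("B", "ingress", b"pkt-1", 6_002_000),
    observe("B", "egress", b"pkt-2", 6_010_000), observe("A", "ingress", b"pkt-2", 1_013_000),
    observe("A", "egress", b"pkt-3", 1_020_000), observe("B", "ingress", b"pkt-3", 6_021_000),
    observe("B", "egress", b"pkt-4", 6_030_000), observe("A", "ingress", b"pkt-4", 1_034_000),
]

if __name__ == "__main__":
    lo, hi = offset_bounds(RECORDS, "A", "B")
    theta = (lo + hi) // 2
    print("offset bounds (us):", lo, hi)
    print("violations raw / corrected:",
          causality_violations(RECORDS, "B", 0), causality_violations(RECORDS, "B", theta))
```

With raw clock readings, both B-to-A packets appear to arrive five seconds before they were sent; any offset chosen inside the causality bounds removes those violations.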