Clockwire: Secure and Dependable Clock Synchronization on SCION

Clockwire: Secure and Dependable Clock Synchronization on SCION

Status

This project started in October 2022 and is ongoing.

Researchers

Marc Frei (ETH)
Dr. Jonghoon Kwon (ETH)
Seyedali Tabaeiaghdaei (ETH)
Marc Wyss (ETH)
Prof. Dr. Adrian Perrig (ETH)
Dr. Christoph Lenzen (CISPA)

Description

Accurate and dependable time synchronization is essential for many industries, from finance and telecommunications to electric power distribution and media production. New developments, such as 5G cellular networks and the digitalization of electrical substations, further increase the importance of wide-area clock synchronization, which relies on Global Navigation Satellite Systems (GNSSes) as the most practical and cost-effective source of reference time.

Given this critical reliance, security and dependability concerns around GNSSes in the form of jamming, spoofing, and even space warfare or solar superstorms are widely discussed in the time synchronization community. Operators, equipment manufacturers, and service providers are looking for alternative and complementary sources of reference time, understanding that no single solution will cover all requirements.

Local solutions like high-precision atomic holdover clocks mitigate some of the risks but cannot eliminate them completely. Operational and cost concerns further limit their applicability. While wide-area timing solutions can improve reliability, they also introduce new challenges related to security risks in network-based communication for critical infrastructure. Many organizations face an additional challenge: commercial or national time distribution networks are often neither readily available nor practically feasible to implement as custom one-off solutions. Notable exceptions include an innovative public-private partnership in Sweden aiming to take the lead in time-as-a-service delivery, and a massive-scale timing network currently being built in China to provide a terrestrial backup for GNSSes.

Given this background and based on earlier theoretical work on global clock synchronization, we are developing Clockwire: a cost-effective and flexible network-based clock synchronization approach deployed as an active standby solution alongside existing GNSS-based synchronization setups.

Clockwire builds on decades of fault-tolerant clock synchronization research [1] and leverages the path-aware SCION Internet architecture [2]. This combination directly addresses the challenges of introducing network-based time transfers in systems with high security and dependability demands.

At the application layer, our approach implements a Byzantine fault-tolerant, multi-source clock synchronization algorithm that does not place trust in any single entity. The system can tolerate a fraction of faulty entities while maintaining accurate synchronization among participating sites, even when GNSSes are unavailable or untrustworthy.

The networking layer of the Clockwire protocol stack uses SCION. SCION’s unique features make it an ideal substrate for a wide range of critical infrastructure services. Time distribution networks, in particular, can greatly benefit from its advantages. One such advantage is the ability for end hosts to select and use multiple network paths concurrently, thereby improving fault tolerance. Furthermore, SCION paths are reversible and symmetric, which helps enhance synchronization quality compared to offset measurements over today’s often-asymmetric Internet paths.

Thanks to SCION’s growing commercial deployment, Clockwire enables new types of time distribution networks. These networks combine Internet-like flexibility and cost-effectiveness with many of the quality-of-service and control benefits typical of dedicated leased-line networks. In Switzerland, organizations can obtain native SCION connectivity for end hosts through standard business accounts from multiple providers, enabling dependable time distribution where existing solutions would be too expensive, inflexible, or insecure.

Building on this foundation, we are finalizing a first release of Clockwire, working toward production readiness. This development critically relies on early feedback from cooperation with industry partners. Through our initial pilot deployment with interested organizations we hope to:

• Refine the offset measurement algorithm using multiple reversible and symmetric network paths concurrently.
• Improve multi-source clock steering that synthesizes GNSS-based reference time with system-wide agreed-upon network time.
• Integrate a simulation layer to deterministically test Clockwire’s resilience against low-probability, high-impact events that would otherwise be difficult to prepare for.

Interested parties can contact Marc Frei <marc.frei@inf.ethz.ch> to participate in the pilot.

Publications

[1] Marc Frei, Jonghoon Kwon, Seyedali Tabaeiaghdaei, Marc Wyss, Christoph Lenzen, and Adrian Perrig.
G-SINC: Global Synchronization Infrastructure for Network Clocks.
In Proceedings of the Symposium on Reliable Distributed Systems (SRDS) 2022.
[PDF] [arXiv]

[2] Laurent Chuat, Markus Legner, David Basin, David Hausheer, Samuel Hitz, Peter Müller, and Adrian Perrig.
The Complete Guide to SCION. From Design Principles to Formal Verification.
In Springer International Publishing AG, 2022.
[PDF]