NTP Working Group                                           L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Informational                               30 May 2026
Expires: 1 December 2026


      Cross-Vantage Clock-Offset Coherence Bounds for NTP-Disciplined
                          Measurement Vantages
              draft-melegassi-ntp-mvps-clock-coherence-00

Abstract

   The Network Time Protocol version 4 (NTPv4) [RFC5905] specifies how a
   host disciplines its clock to a reference time scale; Network Time
   Security [RFC8915] and the Message Authentication Code [RFC8573]
   authenticate the client-server exchange; and the NTP Best Current
   Practices [RFC8633] direct operators to "monitor their NTP instances
   to detect attacks" (Section 5.3) without specifying a quantitative,
   cross-host monitoring procedure.  The Security Requirements document
   [RFC7384] establishes that an on-path adversary can impose a clock
   offset (Sections 3.2.2, 3.2.3, 3.2.6) and that a single client cannot
   always detect such an offset by itself.

   This document makes ONE contribution and proves it: given two or more
   measurement vantages disciplined to a common reference and each
   declaring an NTP-tier offset bound, a deterministic cross-vantage
   detector exists that (a) NEVER fires on offsets that are legitimate
   under the [RFC5905] / [RFC8633] synchronization envelope, and (b) is
   GUARANTEED to fire on an injected single-clock offset above a
   closed-form threshold.  Both properties are theorems with elementary
   proofs; no statistical assumption, no protocol change, and no claim
   about the NTP wire format are required.

   The detector is the cross-vantage clock-skew axis of the Multi-Vantage
   Path Snapshot (MVPS) framework [I-D.melegassi-ippm-mvps-bundle]; this
   document isolates and proves the part that is purely a consequence of
   [RFC5905]'s error envelope.

   A second result governs what happens AFTER detection, when the
   environment itself collapses (vantages go dark, telemetry thins).
   We prove (i) that the false-positive-free property survives any
   telemetry collapse with two or more surviving vantages, and (ii) a
   data-processing ceiling: an AI/LLM analysis layer riding the gated
   signal cannot recover information the surviving vantages did not
   observe.  The LLM's role is therefore provably EXPLANATION of an
   already-detected collapse, never detection itself; its operating
   envelope (decision tiers, classification accuracy) is given honestly
   as a stated model, not a theorem.

   A third result governs SPEED.  Driving the same cross-vantage
   comparison at a Bidirectional Forwarding Detection (BFD, [RFC5880])
   cadence instead of the legacy 60-second coherence tick gives a
   closed-form detection-latency window (the L_DL lemma) whose worst
   case equals the BFD detection time plus one signalling delay.
   Because the false-positive-free property (Theorem 1) is independent
   of the sampling rate, the gate may run at the fastest BFD cadence
   (multiplier 1) WITHOUT trading away its zero-false-alarm guarantee,
   detecting an injected offset in tens of milliseconds rather than tens
   of seconds.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 December 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction and Scope
   2.  Terminology and Model
   3.  Hypotheses (the conditions the theorems depend on)
   4.  Lemma 1: Legitimate Cross-Vantage Span Bound
   5.  Theorem 1: A False-Positive-Free Threshold Exists and 2*tau Is
       the Smallest One
   6.  Theorem 2: Guaranteed Detection and the Minimum Detectable Offset
   7.  Corollary: Why a Single Host Cannot Self-Detect (and Two Can)
   8.  Post-Detection AI Layer over the Collapsed Environment
     8.1.  Theorem 3: Collapse-Robustness of the FP-Free Gate
     8.2.  Theorem 4: The Data-Processing Ceiling on the AI Layer
     8.3.  AI Decision Envelope (MODEL, not a theorem)
   9.  Detection Latency: Binding the Gate to BFD Timing (RFC 5880)
     9.1.  Theorem 5: Closed-Form Detection-Latency Window (L_DL)
     9.2.  Corollary: 1091x Dwell Reduction and M=1 Optimality
   10. Mapping to RFC 8633 Section 5.3 and RFC 7384
   11. What This Document Does NOT Claim
   12. Empirical Confirmation (and the corner it does not exercise)
   13. Refinements the Theorems Suggest (constructive, non-normative)
   14. Security Considerations
   15. IANA Considerations
   16. References
   Appendix A.  Worked Numbers per NTP Tier
   Appendix B.  Detection-Latency Variants (L_DL receipt)

1.  Introduction and Scope

   [RFC5905] disciplines one host's clock.  [RFC8633] Section 5.3 asks
   operators to monitor for attack signatures and gives qualitative ones
   (bogus packet, zero-origin packet, bad MAC); a quantitative,
   cross-host agreement test is left, appropriately, to implementation.
   [RFC7384] Section 3.2 catalogues the offset-inducing attacks
   (spoofing, replay, delay manipulation) and observes that a delay
   attack in particular cannot be defeated by cryptography alone and
   benefits from path redundancy.  This document takes that observation
   as its starting point and supplies one such quantitative test, with
   proofs, as a complement to -- never a replacement for -- the existing
   NTP work.

   The gap is therefore precise and acknowledged by the IETF: there is
   no standardized way to verify, from outside a host, that several
   NTP-disciplined hosts AGREE on the time to within what their declared
   stratum permits.  This document does not propose to fill that gap by
   changing NTP.  It proves that the agreement test is a one-line
   inequality on published offsets, and that with the correct threshold
   the test is provably free of false alarms against the [RFC5905]
   envelope while provably catching any large enough injected offset.

   This is deliberately the SMALLEST provable statement.  Everything
   that is not a theorem is moved to Section 11 ("What This Document
   Does NOT Claim").

2.  Terminology and Model

   The key words "MUST", "MUST NOT", "SHOULD", "MAY" are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals.

   Vantage:  an independent host running clock-disciplined measurement,
      synchronized to a common reference time scale per [RFC5905].

   N:  the number of vantages, N >= 2.

   epsilon_i:  the true offset of vantage i's clock relative to the
      common reference at the measurement instant (epsilon_i > 0 means
      the clock is ahead).

   tau_i:  a declared upper bound on |epsilon_i|, taken from the
      vantage's NTP tier (its stratum / synchronization class).  tau_i
      is an operator-supplied calibration input, NOT a number
      normatively fixed by [RFC5905]; representative values are
      tabulated in Appendix A.

   tau:  the worst (largest) declared bound in the bundle,
      tau := max_i tau_i.  Mixed-tier bundles are bound by their loosest
      clock.
   o_i:  the offset value vantage i PUBLISHES (its NTP-reported clock
      offset, e.g. the offset computed from the [RFC5905] Section 8
      timestamp quadruple).

   S:  the cross-vantage span, S := max_i o_i - min_i o_i.

   D_theta:  the detector that raises a flag if and only if S > theta,
      for a fixed threshold theta >= 0.

3.  Hypotheses (the conditions the theorems depend on)

   The theorems in Sections 4-7 are CONDITIONAL on the following.  Each
   is stated with a falsification path so a reviewer can break it.

   H1  Common reference.  All N vantages discipline to the same
       reference time scale (a common stratum-1/-2 source or an
       equivalent ensemble) for the duration of one measurement window.
       Falsification: per-vantage "refid" / source log diverges.

   H2  Honest offset publication under H0.  Under the null hypothesis
       (no attack), each vantage publishes o_i = epsilon_i with
       |epsilon_i| <= tau_i.  Estimator noise of the NTP offset
       computation is folded into tau_i (i.e. tau_i is taken large
       enough to also cover the measurement error of the offset itself).
       Falsification: a calibrated clock whose published offset exceeds
       its declared tier bound in the absence of attack.

   H3  Cardinality.  N >= 2.  (N >= 3 is required by the surrounding
       MVPS axioms for Byzantine tolerance, but the two theorems of this
       document hold for N >= 2.)  Falsification: trivial.

   These three hypotheses are the ENTIRE basis.  No distributional
   assumption on epsilon_i is made.

4.  Lemma 1: Legitimate Cross-Vantage Span Bound

   STATEMENT.  Under H1-H2 (no attack), the cross-vantage span satisfies

      S = max_i o_i - min_i o_i <= 2*tau .

   PROOF.  By H2, o_i = epsilon_i and |epsilon_i| <= tau_i <= tau for
   every i, hence o_i in [-tau, +tau].  The span of a finite set
   contained in an interval of width 2*tau is at most 2*tau:

      max_i o_i - min_i o_i <= (+tau) - (-tau) = 2*tau .

   QED

   REMARK.
   This is exactly the "2*eps_NTP" term that already appears in the
   joint-skew bound of the MVPS BBF-mesh profile
   ([I-D.melegassi-ganascim-mvps-bbf-mesh] Theorem T-MESH-1), there
   written "maximum pairwise skew <= 2*eps_NTP + tau_RTT_max".  Lemma 1
   is the propagation-free specialization.

5.  Theorem 1: A False-Positive-Free Threshold Exists and 2*tau Is the
    Smallest One

   STATEMENT.  Let D_theta flag iff S > theta.

   (a)  If theta >= 2*tau, then under H0 (H1-H2 hold, no attack) the
        detector NEVER flags: the false-positive probability against the
        [RFC5905]/[RFC8633] synchronization envelope is exactly zero,
        deterministically.

   (b)  theta = 2*tau is the SMALLEST such threshold: for any
        theta < 2*tau there exists a legitimate H0 configuration on
        which D_theta flags.

   PROOF.

   (a)  By Lemma 1, S <= 2*tau <= theta under H0, so the event S > theta
        cannot occur.  No probability is involved; the bound is a set
        inclusion.

   (b)  Take N = 2 with epsilon_1 = +tau, epsilon_2 = -tau, both within
        tier (admissible under H2).  Then S = 2*tau.  For any
        theta < 2*tau, S = 2*tau > theta, so D_theta flags on a fully
        legitimate configuration.  Hence no threshold below 2*tau is
        false-positive free.

   QED

   COROLLARY 1.1.  The unique smallest false-positive-free detector is
   D_{2*tau}.  Operators SHOULD set theta = 2*tau, where tau is the
   worst declared tier bound in the bundle.

6.  Theorem 2: Guaranteed Detection and the Minimum Detectable Offset

   We now model an on-path adversary consistent with [RFC7384]
   Section 3.2: by packet manipulation (3.2.1), spoofing (3.2.2), replay
   (3.2.3) or delay manipulation (3.2.6) the adversary imposes a single
   additive offset Delta > 0 on exactly one vantage k, so that vantage k
   publishes o_k = epsilon_k + Delta, while the other N-1 vantages
   remain within tier (|epsilon_i| <= tau, i != k).

   STATEMENT.

   (i)  [Worst case over legitimate placements.]  The infimum of the
        post-attack span over all admissible legitimate offsets is

           inf S' = max(0, Delta - 2*tau) .
        Consequently D_theta is GUARANTEED to flag (for every admissible
        placement of the honest clocks) if and only if

           Delta > theta + 2*tau .

   (ii)  [Well-synchronized baseline.]  If the honest vantages are
         tightly synchronized (epsilon_i = 0 for i != k, and
         epsilon_k = 0 before the attack), then S' = Delta and D_theta
         flags iff Delta > theta.

   Hence, writing Delta_min for the smallest reliably detected offset,

      theta < Delta_min <= theta + 2*tau ,

   collapsing to Delta_min = theta in the tightly-synchronized baseline
   and to the worst-case guarantee Delta_min = theta + 2*tau in general.
   With the recommended theta = 2*tau (Corollary 1.1):
   Delta_min = 2*tau (baseline) to 4*tau (worst case).

   PROOF of (i).  To minimize the post-attack span, the honest clocks
   and epsilon_k are chosen adversarially.  Cluster the N-1 honest
   points at a single value a in [-tau, tau] and write the attacked
   point as b + Delta with b = epsilon_k in [-tau, tau].  The two
   distinct points are {a, b + Delta}, so

      S'(a,b) = | a - (b + Delta) | = | (a - b) - Delta | .

   Over a, b in [-tau, tau] the difference a - b ranges over
   [-2*tau, 2*tau].  Thus (a - b) - Delta ranges over
   [-2*tau - Delta, 2*tau - Delta], and

      inf_{a,b} |(a - b) - Delta|
         = 0,              if Delta <= 2*tau  (0 is attainable),
         = Delta - 2*tau,  if Delta > 2*tau   (interval lies > 0),

   i.e. inf S' = max(0, Delta - 2*tau).  The detector is guaranteed to
   flag for ALL placements iff this infimum exceeds theta, i.e. iff
   Delta - 2*tau > theta.  QED

   PROOF of (ii).  With every honest offset 0 and epsilon_k = 0, the
   point set after attack is {0 (x (N-1)), Delta}, so S' = Delta and
   S' > theta iff Delta > theta.  QED

   REMARK (interpretation).  The "2*tau gap" between the baseline and
   the worst case is not slack to be engineered away: it is exactly the
   region in which a genuine within-tier skew of the honest clocks is
   indistinguishable from a small injected offset.
   This indistinguishability is the same fact proven in Theorem 1(b); it
   is a property of the [RFC5905] envelope, not a deficiency of the
   detector.

7.  Corollary: Why a Single Host Cannot Self-Detect (and Two Can)

   STATEMENT.  A single client with one time source cannot, from its own
   observations alone, detect a consistent symmetric offset attack of
   magnitude Delta.  Two vantages on distinct paths can, per Theorem 2.

   ARGUMENT.  [RFC5905] Section 8 computes a client's offset from the
   timestamp quadruple (T1, T2, T3, T4) as

      theta_hat = ((T2 - T1) + (T3 - T4)) / 2 .

   A symmetric delay attack that adds d to both directions, or a
   server-time shift of Delta, leaves the client's internal consistency
   checks satisfied: there is no second, independent observable against
   which the T-quadruple can be contradicted.  [RFC7384] Section 3.2.6
   states this directly -- delay attacks "cannot be prevented by
   cryptographic means" and mitigation requires redundant, diverse
   paths.  The offset is therefore UNOBSERVABLE to a lone client.

   With N >= 2 vantages on distinct paths and a common reference, the
   attacked vantage's published offset diverges from the others, and
   Theorem 2 converts that divergence into a deterministic detection
   guarantee.  This is the precise, provable sense in which a
   multi-vantage construction adds detection power that no single
   [RFC5905] client possesses.  This document claims nothing stronger:
   it does not prevent the attack, does not authenticate the exchange
   (that is [RFC8915] / [RFC8573]), and does not identify WHICH vantage
   is wrong without the N >= 3 Byzantine machinery of the surrounding
   MVPS axioms.

8.  Post-Detection AI Layer over the Collapsed Environment

   The deterministic detector of Sections 4-7 answers one question: "do
   the vantages still agree on time within their envelope?"  When the
   answer is no, the environment is, in the operational sense,
   COLLAPSING: clocks diverge, vantages may be going dark, telemetry
   thins.
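   The gate of Sections 2-6 in runnable form.  The Python below is an
   added example, not code from this draft or from the MVPS reference
   implementation; its function names (span, gate, worst_case_span,
   never_flags_under_h0) and its millisecond sample offsets are the
   example's own, constructed choices.  It treats a vantage that went
   dark as absent from the span (the survivor restriction of
   Section 8.1), reports "clock_unverified" when fewer than two offsets
   were published (the convention of Section 13 R2), and exercises the
   two corners Section 12 says the empirical sweep left untested: the
   legitimate boundary span S = 2*tau of Theorem 1(b) and the
   worst-case honest placement of Theorem 2(i).

```python
"""Cross-vantage span gate D_theta of Sections 2-6 (added example; not
the draft's or the MVPS project's code).  Offsets are in milliseconds.
o_i are the published offsets, tau the worst declared tier bound,
S = max_i o_i - min_i o_i, and the gate flags iff S > theta."""
from itertools import product


def span(offsets):
    """Cross-vantage span S := max_i o_i - min_i o_i (Section 2)."""
    return max(offsets) - min(offsets)


def gate(offsets, tau, theta=None):
    """Evaluate D_theta over the offsets that were actually published.

    A vantage that went dark publishes None and is simply absent from
    the span (Theorem 3(a): the survivors alone decide).  Returns:
      "clock_unverified"  fewer than two published offsets (Section 13
                          R2 convention instead of a misleading "ok"),
      "flag"              S > theta,
      "ok"                S <= theta.
    theta defaults to 2*tau, the smallest false-positive-free threshold
    (Corollary 1.1).
    """
    if theta is None:
        theta = 2 * tau
    published = [o for o in offsets if o is not None]
    if len(published) < 2:
        return "clock_unverified"
    return "flag" if span(published) > theta else "ok"


def guaranteed_detection_threshold(theta, tau):
    """Smallest Delta that D_theta flags for EVERY admissible placement
    of the honest clocks: Delta > theta + 2*tau (Theorem 2(i))."""
    return theta + 2 * tau


def worst_case_span(delta, tau, steps=20):
    """Grid approximation of inf S' from Theorem 2(i): sweep the honest
    cluster a and the attacked clock's own offset b over [-tau, tau].
    The closed form is max(0, delta - 2*tau); on a grid containing
    -tau, 0 and +tau the minimum is exact for delta on the grid."""
    grid = [-tau + 2 * tau * i / steps for i in range(steps + 1)]
    return min(abs((a - b) - delta) for a, b in product(grid, grid))


def never_flags_under_h0(tau, n=3, steps=8):
    """Exhaustive check of Theorem 1(a): with theta = 2*tau the gate is
    silent on every grid placement of n within-tier clocks, including
    the extreme pair (+tau, -tau) whose span is exactly 2*tau."""
    grid = [-tau + 2 * tau * i / steps for i in range(steps + 1)]
    return all(gate(list(p), tau) == "ok" for p in product(grid, repeat=n))


if __name__ == "__main__":
    TAU = 50  # constructed: stratum-1 tier bound of Appendix A, in ms
    # Theorem 1(b): the legitimate extreme pair is flagged by any
    # theta < 2*tau but not by theta = 2*tau.
    print(gate([+TAU, -TAU, 0], TAU, theta=99), gate([+TAU, -TAU, 0], TAU))
    # Theorem 2(ii), baseline: honest clocks at 0, Delta = 200 > 100.
    print(gate([0, 0, 0 + 200], TAU))
    # Theorem 2(i), worst placement: Delta = 150 exceeds theta = 100 but
    # is below theta + 2*tau = 200, so an adversarial placement hides it
    # (honest clocks at +tau, attacked clock's own offset at -tau).
    print(gate([+TAU, +TAU, -TAU + 150], TAU), worst_case_span(150, TAU))
    print(never_flags_under_h0(TAU))
```

   Run stand-alone, the script prints "flag ok", "flag", "ok 50.0" and
   "True": the boundary span is silent at theta = 2*tau, the baseline
   injection is caught, the 150 ms injection survives one worst-case
   placement (exactly the 2*tau gap of Theorem 2), and no within-tier
   configuration fires the gate.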
   The MVPS framework places an AI/LLM analysis layer on top of that
   signal [I-D.melegassi-mvps-ai-coherence].  This section states
   precisely -- and proves where it can -- what that layer can and
   cannot do.  The scope of every claim is tagged ANALYTICAL (a
   theorem), MODEL (a stated operating model), or CONJECTURE (open).

   Collapse model.  Let each of the N vantages independently still
   report in the current window with probability h in (0, 1] (the
   "environment health"; 1-h is the fraction gone dark through link
   failure, blackhole, or noise).  Let M be the number of survivors.

8.1.  Theorem 3: Collapse-Robustness of the FP-Free Gate

   [ANALYTICAL]

   STATEMENT.

   (a)  For EVERY realization with M >= 2 survivors, the
        false-positive-free property of Theorem 1 holds verbatim with
        theta = 2*tau.  No degree of telemetry collapse can manufacture
        a false alarm.

   (b)  If an offset Delta > theta is injected on one vantage k
        (baseline corner, Theorem 2(ii)), the probability that the
        surviving bundle still catches it is, exactly,

           P_detect(h) = h * ( 1 - (1 - h)^(N-1) ) .

   PROOF.

   (a)  Theorem 1(a) is a statement about the M surviving published
        offsets only; its proof (Lemma 1) used N nowhere.  Restrict the
        index set to the survivors: S_survivors <= 2*tau <= theta still
        holds.  Hence no false positive, for any M >= 2.

   (b)  The injected offset is observable only if vantage k itself
        survives (probability h) AND at least one other vantage survives
        to form a span (probability 1 - (1-h)^(N-1), by independence).
        The two events are independent, giving the product.

   QED

   READING.  Detection POWER degrades as the environment collapses, but
   the ZERO-false-alarm guarantee does not: the gate fails safe.  An
   aggregate (rather than pairwise) coherent statistic degrades on the
   smooth A*sqrt(h) slope rather than a cliff
   [I-D.melegassi-mvps-ai-coherence]; that aggregate refinement is
   tagged MODEL there and is not needed for (a)-(b) here.

8.2.  Theorem 4: The Data-Processing Ceiling on the AI Layer

   [ANALYTICAL]

   Let x be the (hidden) true state of the collapsed environment, y the
   published multi-vantage observations (offsets, spans, hop data) on
   which the gate fired, and g(y) any AI/LLM analysis of y -- a
   classification, an explanation, a remediation hint.  Because the LLM
   sees only y, the variables form a Markov chain

      x -> y -> g(y) .

   STATEMENT.  I( x ; g(y) ) <= I( x ; y ).

   PROOF.  Direct application of the data-processing inequality
   [Cover-Thomas] to the chain x -> y -> g(y).  QED

   CONSEQUENCE (the honest division of labour).  No AI or LLM
   post-processing can recover information about the collapsed
   environment that the surviving vantages did not capture.  Therefore:

   o  DETECTION is the job of the deterministic gate (Theorems 1-3),
      whose guarantees are exact and adversary-independent.

   o  The AI/LLM layer's job is EXPLANATION within the information y
      already contains: naming the likely failure cause, ranking
      hypotheses, drafting an operator-readable account of the collapse.
      It provably cannot substitute for a missing vantage.

   This is why adding the LLM does not weaken any guarantee in this
   document: it operates strictly downstream of, and bounded by, the
   gated signal.  It also tells operators where the real lever is -- not
   a better model, but more/better-placed vantages (the Layer-3 program
   of [I-D.melegassi-mvps-ai-coherence], out of scope here).

8.3.  AI Decision Envelope (MODEL, not a theorem)

   On top of the proven gate, the framework reports an AI decision tier
   as a function of the detection power p [MVPS-AI-ENVELOPE]:

      tier       condition          meaning
      ---------  -----------------  -----------------------------------
      PERFECT    p >= 0.90          full-confidence decision
      OPTIMAL    0.70 <= p < 0.90   AI compensates; high confidence
      GOOD       0.55 <= p < 0.70   AI still decides above legacy floor
      COLLAPSE   p < 0.55           degraded toward chance

   For a coherent effect spread across N = 32 vantages with the
   A*sqrt(h) model, the tier holds at PERFECT/OPTIMAL/GOOD down to
   h = 0.5 (half the telemetry lost) while a single-vantage monitor of
   the same spread effect never leaves COLLAPSE -- the "AI prevails
   where the environment collapses" envelope.

   SCOPE.  The tier thresholds (0.90 / 0.70 / 0.55) are DESIGN CHOICES,
   not theorems; the A*sqrt(h) degradation is a stated MODEL; embedding
   this envelope in a captured real attack is a CONJECTURE pending the
   live lab.  Any classification accuracy figure (e.g. the
   diagonal-Gaussian failure-cause classifier reported elsewhere at
   macro-F1 ~ 0.72) is EMPIRICAL with a declared methodological
   semi-circularity and is explicitly NOT claimed as a guarantee here.

9.  Detection Latency: Binding the Gate to BFD Timing (RFC 5880)

   A detector is only as useful as it is fast: an attacker's dwell time
   is exactly the detection latency.  NTP's own disciplining is
   deliberately slow (poll intervals of seconds to thousands of seconds,
   [RFC5905] Section 13), and the legacy MVPS coherence tick is 60 s.
   This section binds the cross-vantage gate to the timing discipline of
   Bidirectional Forwarding Detection [RFC5880], whose detection time is
   itself a published closed form, and shows the gate inherits a
   tens-of-milliseconds latency WITHOUT weakening Theorem 1.

   Onset-phase model.  The gate samples on a tick lattice
   t_k = k*T_tick.
   An injected offset Delta (large enough to be detectable by Theorem 2)
   appears at onset t_0 with phase
   phi := t_0 - floor(t_0/T_tick)*T_tick in [0, T_tick).  An alarm
   requires M consecutive above-threshold ticks (the detection
   multiplier).  tau_RTT >= 0 is the one-way latency for the alarm to
   reach the acting subscriber.

9.1.  Theorem 5: Closed-Form Detection-Latency Window (L_DL)

   [ANALYTICAL]

   STATEMENT.  Under the onset-phase model, the detection latency of the
   clock-skew gate is

      tau_detect(phi) = M*T_tick - phi + tau_RTT ,

   and therefore

      tau_min = (M - 1)*T_tick + tau_RTT    (best, phi -> T_tick^-)
      tau_E   = (M - 1/2)*T_tick + tau_RTT  (expected, phi uniform)
      tau_max = M*T_tick + tau_RTT          (worst, phi = 0).

   All three are linear in M with slope T_tick; the spread
   tau_max - tau_min = T_tick is exactly one tick.

   PROOF.  Write k_0 := floor(t_0/T_tick) for the tick index of the
   lattice point at or before onset, so that t_0 = k_0*T_tick + phi.
   The alarm fires at tick index k_0 + M, i.e. at
   t_alarm = (k_0 + M)*T_tick, so t_alarm - t_0 = M*T_tick - phi; adding
   tau_RTT gives tau_detect(phi).  The three corners follow by
   substituting phi -> T_tick^-, integrating uniformly over phi, and
   substituting phi = 0.  This is Lemma L_DL, proved in full in
   [MVPS-L-DL] Section 2 and validated to the millisecond against the
   Coherence-BFD benchmark in its Section 4.  QED

   RFC 5880 binding.  Identify M with the BFD Detection Multiplier and
   T_tick with the negotiated BFD transmit interval ([RFC5880]
   Section 6.8.4, Detection Time = Detection Multiplier x transmit
   interval).  Then tau_max is exactly the BFD detection time plus one
   signalling latency tau_RTT.  The gate thus rides BFD's own,
   already-standardized liveness clock.

9.2.  Corollary: 1091x Dwell Reduction and M=1 Optimality

   [ANALYTICAL]

   COROLLARY 5.1 (dwell reduction).  For the legacy tick
   (T_tick = 60000 ms, M = 1, tau_RTT = 5 ms), tau_max = 60005 ms.  For
   a BFD-echo cadence (T_tick = 50 ms, M = 1, tau_RTT = 5 ms),
   tau_max = 55 ms.  The attacker's offset-injection dwell window
   shrinks by a factor 60005/55 ~ 1091.

   COROLLARY 5.2 (M = 1 optimality for a deterministic gate).
   In a statistical detector the multiplier M > 1 exists to suppress
   false alarms.  Here it is unnecessary: by Theorem 1 the
   false-positive rate is identically zero at EVERY tick, independent of
   T_tick and M.  Hence the latency-minimizing configuration M = 1 (fire
   on the first above-threshold tick) loses NOTHING in false alarms
   while achieving the smallest possible tau_max = T_tick + tau_RTT.
   Acceleration to BFD cadence is, for this gate, free of any
   precision/false-alarm trade-off -- a property a statistical NTP-skew
   monitor does not have.

   READING.  An on-path adversary who injects a detectable clock offset
   ([RFC7384] Sections 3.2.2/3.2.3/3.2.6) is caught within
   T_tick + tau_RTT ~ tens of milliseconds at BFD cadence, versus tens
   of seconds at the legacy tick and versus the seconds-to-kiloseconds
   of NTP's own poll discipline -- with zero false alarms either way.

10.  Mapping to RFC 8633 Section 5.3 and RFC 7384

   [RFC8633] Section 5.3 ("Detection of Attacks through Monitoring")
   asks operators to monitor for attack signatures.  This document
   supplies one quantitative, host-external signature with proven error
   behavior:

      RFC 8633 Sec 5.3 request      This document
      ----------------------------  ----------------------------------
      "monitor ... to detect"       D_{2*tau} over published offsets
      signature: bogus/zero/MAC     additive offset Delta (Theorem 2)
      (no false-alarm guarantee)    zero false alarms vs RFC 5905
                                    envelope (Theorem 1)

      RFC 7384 threat               Detected when ... (Theorem 2)
      ----------------------------  ----------------------------------
      3.2.2 Spoofing                imposed offset Delta > theta+2*tau
      3.2.3 Replay                  (worst case) / Delta > theta
      3.2.6 Delay manipulation      (baseline); single-host blind by
                                    the Corollary of Section 7

11.  What This Document Does NOT Claim

   o  No change to the NTP wire protocol, packet format, modes, or
      algorithms.  NTPv4 [RFC5905] and NTPv5 (work in progress) are
      untouched.

   o  No replacement for authentication.  Integrity and server
      authentication remain [RFC8915] (NTS) and [RFC8573] (MAC).
   o  No relativity.  The only physical inequality used elsewhere in
      MVPS is the propagation lower bound RTT >= 2*d/v_g, a triangle
      inequality at the medium signal speed v_g.  Terrestrial IP
      propagation is sub-relativistic; this document makes NO appeal to
      special relativity, and the "Einstein"/"Lorentz" labels used in
      some companion material are editorial only and are avoided here.

   o  No detection below the envelope.  A stationary offset
      Delta <= theta (and, in the worst placement,
      Delta <= theta+2*tau) is provably indistinguishable from
      legitimate within-tier skew (Theorems 1(b), 2).  This is a hard
      limit, stated openly, not a deficiency to be tuned away.

   o  No single-host capability (Section 7).

   o  No AI/LLM detection.  By Theorem 4 the AI layer cannot detect what
      the vantages did not observe; it explains an already-gated
      collapse.  Its decision tiers and any accuracy figure are a stated
      MODEL / EMPIRICAL result (Section 8.3), never a guarantee.

   o  The tier bounds tau_i (Appendix A) are operator calibration
      inputs, not numbers fixed by any RFC.

12.  Empirical Confirmation (and the corner it does not exercise)

   The reference implementation (MVPS axis C10) was run against a graded
   single-vantage offset sweep Delta in {0, 1, 3, 10, 50, 200, 500} ms
   with the other vantages published at offset 0 and a stratum-1 tier
   (tau-class threshold 50 ms).  The detector did not fire at
   Delta <= 50 ms and fired at Delta = 200 ms and Delta = 500 ms.  This
   is exactly Theorem 2(ii) (baseline corner, flag iff Delta > theta)
   for the implementation's configured threshold.

   HONEST GAP.  Because every honest vantage was published at EXACTLY 0,
   this sweep exercises only the baseline corner.  It does NOT exercise
   (a) the worst-case placement of Theorem 2(i) (honest clocks spread to
   +/- tau), nor (b) the false-positive boundary of Theorem 1(b)
   (legitimate span = 2*tau).  A complete validation MUST add both
   corners; see the receipt produced alongside this document.

13.  Refinements the Theorems Suggest (constructive, non-normative)

   This document builds ON the NTP architecture [RFC5905], its security
   analysis [RFC7384], and its operational guidance [RFC8633]; nothing
   here is a criticism of that body of work.  The two items below are
   refinements the theorems let us make to OUR OWN reference
   implementation, recorded so other implementers can reproduce them and
   so that the working group can question the conventions, or settle
   them differently, if it prefers.

   R1  Threshold convention (theta = tau vs theta = 2*tau).  Our
       reference code currently uses the per-vantage tier bound directly
       as the span threshold (theta = tau).  Theorem 1(b) shows the
       smallest FALSE-POSITIVE-FREE convention is theta = 2*tau, so we
       adopt 2*tau and state the choice openly.  This is a definitional
       matter, not an error: an operator who declares tau as ALREADY a
       pairwise (max-minus-min) envelope would correctly keep
       theta = tau.  The recommendation is therefore to state, per
       deployment, whether tau is a per-vantage or a pairwise bound, and
       to derive theta accordingly.  Reviewers are invited to challenge
       this convention.

   R2  Explicit "unverified" status when telemetry is absent.  When a
       bundle carries no clock-offset telemetry, the theorems say
       nothing can be concluded about agreement.  For transparency we
       recommend reporting an explicit "clock_unverified" status in that
       case rather than a bare "ok", so that a consumer is never led to
       infer agreement that was never measured.  This is a reporting
       improvement, fully backward compatible.

14.  Security Considerations

   The detector is a monitoring aid, not a control: it raises a flag, it
   does not correct or authenticate time.  An adversary who keeps an
   injected offset below the envelope (Delta <= theta in the baseline)
   is provably invisible to it; operators MUST treat the detector as a
   lower bound on detectable manipulation, layered beneath [RFC8915]
   authentication and [RFC8633] operational practice.
   An adversary able to corrupt all vantages' published offsets
   identically defeats the span test; path and reference diversity (per
   [RFC7384] Section 3.2.6) is therefore a precondition, captured by
   Hypothesis H1.

15.  IANA Considerations

   This document has no IANA actions.

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, June 2010.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017.

16.2.  Informative References

   [RFC7384]  Mizrahi, T., "Security Requirements of Time Protocols in
              Packet Switched Networks", RFC 7384, October 2014.

   [RFC8573]  Malhotra, A. and S. Goldberg, "Message Authentication Code
              for the Network Time Protocol", RFC 8573, June 2019.

   [RFC8633]  Reilly, D., Ed., Stenn, H., and D. Sibold, "Network Time
              Protocol Best Current Practices", BCP 223, RFC 8633,
              July 2019.

   [RFC8915]  Franke, D., Sibold, D., Teichel, K., Dansarie, M., and
              R. Sundblad, "Network Time Security for the Network Time
              Protocol", RFC 8915, September 2020.

   [RFC5880]  Katz, D. and D. Ward, "Bidirectional Forwarding Detection
              (BFD)", RFC 5880, June 2010.

   [MVPS-L-DL]
              Melegassi, L., "MVPS Detection-Latency Unified Lemma
              (L_DL)", Catellix technical note
              (docs/MVPS_DETECTION_LATENCY_LEMMA.txt and
              scripts/validate_detection_latency_lemma.py), 2026.

   [I-D.melegassi-coherence-bfd]
              Melegassi, L., "Coherence-BFD: Sub-Second Multi-Vantage
              Coherence Liveness", Work in Progress, Internet-Draft.

   [I-D.melegassi-ippm-mvps-bundle]
              Melegassi, L., "Multi-Vantage Path Snapshot (MVPS)", Work
              in Progress, Internet-Draft.

   [I-D.melegassi-ganascim-mvps-bbf-mesh]
              Ganascim, R., Melegassi, L., and G. Ganascim, "MVPS over
              the Broadband Forum CPE Stack", Work in Progress,
              Internet-Draft.
   [I-D.melegassi-mvps-ai-coherence]
              Melegassi, L., "AI/LLM Coherence Layer over MVPS", Work in
              Progress, Internet-Draft.

   [MVPS-AI-ENVELOPE]
              Melegassi, L., "Stealth-vs-Detection Envelope and AI
              Decision Tiers for MVPS", Catellix technical note
              (docs/MVPS_STEALTH_DETECTION_AI_ENVELOPE.txt and
              scripts/analyze_stealth_detection_ai_envelope.py), 2026.

   [Cover-Thomas]
              Cover, T. and J. Thomas, "Elements of Information Theory",
              2nd ed., Wiley, 2006 (data-processing inequality,
              Theorem 2.8.1).

Appendix A.  Worked Numbers per NTP Tier

   The tau values below are calibration inputs, not RFC-normative.  They
   reflect typical accuracy classes; operators MUST substitute their
   own.

      tier          tau (ms)  theta = 2*tau  Delta_min (baseline..worst)
      ------------  --------  -------------  ---------------------------
      atomic               1              2  2 ms .. 4 ms
      gps_ptp              5             10  10 ms .. 20 ms
      ntp_s1              50            100  100 ms .. 200 ms
      ntp_s2             200            400  400 ms .. 800 ms
      ntp_s3_plus        500           1000  1 s .. 2 s

   Reading: a bundle whose loosest clock is stratum-3+ cannot, by
   Theorem 1, detect any injected offset smaller than ~1 s without
   additional (e.g. longitudinal) information; tightening the worst
   clock is the only way to lower Delta_min.

Appendix B.  Detection-Latency Variants (L_DL receipt)

   The worst-case latency tau_max = M*T_tick + tau_RTT of Theorem 5,
   evaluated for the five Coherence-BFD benchmark variants ([MVPS-L-DL]
   Section 4; tau_RTT = 5 ms throughout).  The p95 column is the
   measured benchmark; it matches tau_max to the millisecond.

      variant           T_tick(ms)  M  tau_max(ms)  p95(ms)
      ----------------  ----------  -  -----------  -------
      V0 legacy tick         60000  1        60005    60005
      V1 BFD fast               50  3          155      155
      V2 BFD demand           1000  1         1005     1005
      V3 BFD echo               50  1           55       55
      V4 BFD hybrid             50  3          155      155

   The latency-minimizing, false-alarm-free configuration is V3 (M = 1,
   fastest tick): tau_max = T_tick + tau_RTT = 55 ms, a 1091x reduction
   from the legacy tick (Corollary 5.1) at zero false-alarm cost
   (Corollary 5.2).
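   The L_DL window of Theorem 5 and the Appendix B rows, recomputed
   from their (T_tick, M) parameters.  The Python below is an added
   example, not the [MVPS-L-DL] validation script; its function names
   and the onset times it uses are constructed for illustration, and
   the measured p95 column is not reproduced.  simulate_latency walks
   the tick lattice explicitly so that the closed form can be checked
   against the discrete process it summarizes, including the phi = 0
   worst case and the M > 1 BFD variants.

```python
"""Detection-latency window L_DL (Theorem 5) and the Appendix B variants
(added example; not the draft's validation script).  Milliseconds.

tau_detect(phi) = M*T_tick - phi + tau_RTT, with the onset phase
phi = t_0 - floor(t_0/T_tick)*T_tick in [0, T_tick)."""

TAU_RTT_MS = 5  # one-way alarm latency used throughout Appendix B

# Constructed from the Appendix B table: name -> (T_tick ms, M).
VARIANTS = {
    "V0 legacy tick": (60000, 1),
    "V1 BFD fast": (50, 3),
    "V2 BFD demand": (1000, 1),
    "V3 BFD echo": (50, 1),
    "V4 BFD hybrid": (50, 3),
}


def tau_detect(phi, t_tick, m, tau_rtt):
    """Closed-form latency from onset at phase phi to alarm receipt."""
    if not 0 <= phi < t_tick:
        raise ValueError("phase must lie in [0, T_tick)")
    return m * t_tick - phi + tau_rtt


def latency_window(t_tick, m, tau_rtt):
    """(tau_min, tau_E, tau_max): phi -> T_tick^-, phi uniform, phi = 0."""
    return ((m - 1) * t_tick + tau_rtt,
            (m - 0.5) * t_tick + tau_rtt,
            m * t_tick + tau_rtt)


def simulate_latency(t_tick, m, tau_rtt, onset):
    """Walk the tick lattice t_k = k*T_tick from t_0 = onset and fire on
    the M-th consecutive tick strictly after onset (the first tick at
    which the injected offset is visible to the gate).  Returns
    t_alarm - t_0 + tau_RTT, which must equal tau_detect(phi)."""
    consecutive, k = 0, 0
    while True:
        t_k = k * t_tick
        if t_k > onset:                 # offset visible at this tick
            consecutive += 1
            if consecutive == m:        # M consecutive above-threshold
                return t_k - onset + tau_rtt
        k += 1


def bfd_detection_time(transmit_interval, detect_mult):
    """[RFC5880] Section 6.8.4: Detection Time = Multiplier x interval.
    tau_max is this plus tau_RTT (the RFC 5880 binding of Section 9.1)."""
    return detect_mult * transmit_interval


def appendix_b_tau_max(tau_rtt=TAU_RTT_MS):
    """Worst-case latency per Appendix B variant, name -> ms."""
    return {name: latency_window(t, m, tau_rtt)[2]
            for name, (t, m) in VARIANTS.items()}


def dwell_reduction(tau_rtt=TAU_RTT_MS):
    """Corollary 5.1: legacy worst case over the fastest M = 1 variant."""
    tm = appendix_b_tau_max(tau_rtt)
    return tm["V0 legacy tick"] / tm["V3 BFD echo"]


if __name__ == "__main__":
    for name, (t, m) in VARIANTS.items():
        print(name, latency_window(t, m, TAU_RTT_MS))
    # Constructed onset at 123 ms on the 50 ms lattice: phi = 23 ms.
    print(simulate_latency(50, 3, TAU_RTT_MS, 123),
          tau_detect(23, 50, 3, TAU_RTT_MS))
    print("dwell reduction x%.0f" % dwell_reduction())
```

   The stand-alone run lists (tau_min, tau_E, tau_max) per variant,
   shows the lattice walk and the closed form agreeing at 132 ms for
   the constructed onset, and prints the 1091x factor of Corollary 5.1.
   Because Theorem 1 makes the per-tick false-alarm rate zero, nothing
   in this computation changes when M is lowered to 1 (Corollary 5.2).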
Author's Address

   Leonardo Melegassi
   Catellix
   Email: melegassi@catellix.com