



NTP Working Group                                           L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Informational                              30 May 2026
Expires: 1 December 2026


      Cross-Vantage Clock-Offset Coherence Bounds for NTP-Disciplined
                          Measurement Vantages
              draft-melegassi-ntp-mvps-clock-coherence-00

Abstract

   The Network Time Protocol version 4 (NTPv4) [RFC5905] specifies how a
   host disciplines its clock to a reference time scale; Network Time
   Security [RFC8915] and the Message Authentication Code [RFC8573]
   authenticate the client-server exchange; and the NTP Best Current
   Practices [RFC8633] direct operators to "monitor their NTP instances
   to detect attacks" (Section 5.3) without specifying a quantitative,
   cross-host monitoring procedure.  The Security Requirements document
   [RFC7384] establishes that an on-path adversary can impose a clock
   offset (Sections 3.2.2, 3.2.3, 3.2.6) and that a single client cannot
   always detect such an offset by itself.

   This document makes ONE contribution and proves it: given two or more
   measurement vantages disciplined to a common reference and each
   declaring an NTP-tier offset bound, a deterministic cross-vantage
   detector exists that (a) NEVER fires on offsets that are legitimate
   under the [RFC5905] / [RFC8633] synchronization envelope, and (b) is
   GUARANTEED to fire on an injected single-clock offset above a closed-
   form threshold.  Both properties are theorems with elementary proofs;
   no statistical assumption, no protocol change, and no claim about the
   NTP wire format are required.  The detector is the cross-vantage
   clock-skew axis of the Multi-Vantage Path Snapshot (MVPS) framework
   [I-D.melegassi-ippm-mvps-bundle]; this document isolates and proves
   the part that is purely a consequence of [RFC5905]'s error envelope.

   A second result governs what happens AFTER detection, when the
   environment itself collapses (vantages go dark, telemetry thins).
   We prove (i) that the false-positive-free property survives any
   telemetry collapse with two or more surviving vantages, and (ii) a
   data-processing ceiling: an AI/LLM analysis layer riding the gated
   signal cannot recover information the surviving vantages did not
   observe.     The LLM's role is therefore provably EXPLANATION of an
   already-detected collapse, never detection itself; its operating
   envelope (decision tiers, classification accuracy) is given honestly
   as a stated model, not a theorem.

   A third result governs SPEED.  Driving the same cross-vantage
   comparison at a Bidirectional Forwarding Detection (BFD, [RFC5880])
   cadence instead of the legacy 60-second coherence tick gives a
   closed-form detection-latency window (the L_DL lemma) whose worst
   case equals the BFD detection time plus one signalling delay.
   Because the false-positive-free property (Theorem 1) is independent
   of the sampling rate, the gate may run at the fastest BFD cadence
   (multiplier 1) WITHOUT trading away its zero-false-alarm guarantee,
   detecting an injected offset in tens of milliseconds rather than
   tens of seconds.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 December 2026.

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction and Scope
   2.  Terminology and Model
   3.  Hypotheses (the conditions the theorems depend on)
   4.  Lemma 1: Legitimate Cross-Vantage Span Bound
   5.  Theorem 1: A False-Positive-Free Threshold Exists and 2*tau
       Is the Smallest One
   6.  Theorem 2: Guaranteed Detection and the Minimum Detectable
       Offset
   7.  Corollary: Why a Single Host Cannot Self-Detect (and Two Can)
   8.  Post-Detection AI Layer over the Collapsed Environment
       8.1.  Theorem 3: Collapse-Robustness of the FP-Free Gate
       8.2.  Theorem 4: The Data-Processing Ceiling on the AI Layer
       8.3.  AI Decision Envelope (MODEL, not a theorem)
   9.  Detection Latency: Binding the Gate to BFD Timing (RFC 5880)
       9.1.  Theorem 5: Closed-Form Detection-Latency Window (L_DL)
       9.2.  Corollary: 1091x Dwell Reduction and M=1 Optimality
   10. Mapping to RFC 8633 Section 5.3 and RFC 7384
   11. What This Document Does NOT Claim
   12. Empirical Confirmation (and the corner it does not exercise)
   13. Refinements the Theorems Suggest (constructive, non-normative)
   14. Security Considerations
   15. IANA Considerations
   16. References
   Appendix A.  Worked Numbers per NTP Tier
   Appendix B.  Detection-Latency Variants (L_DL receipt)


1.  Introduction and Scope

   [RFC5905] disciplines one host's clock.  [RFC8633] Section 5.3 asks
   operators to monitor for attack signatures and gives qualitative
   ones (bogus packet, zero-origin packet, bad MAC); a quantitative,
   cross-host agreement test is left, appropriately, to implementation.
   [RFC7384] Section 3.2 catalogues the offset-inducing attacks
   (spoofing, replay, delay manipulation) and observes that a delay
   attack in particular cannot be defeated by cryptography alone and
   benefits from path redundancy.  This document takes that observation
   as its starting point and supplies one such quantitative test, with
   proofs, as a complement to -- never a replacement for -- the existing
   NTP work.

   The gap is therefore precise and acknowledged by the IETF: there is
   no standardized way to verify, from outside a host, that several
   NTP-disciplined hosts AGREE on the time to within what their declared
   stratum permits.  This document does not propose to fill that gap by
   changing NTP.  It proves that the agreement test is a one-line
   inequality on published offsets, and that with the correct threshold
   the test is provably free of false alarms against the [RFC5905]
   envelope while provably catching any large enough injected offset.

   This is deliberately the SMALLEST provable statement.  Everything
   that is not a theorem is moved to Section 9 ("What This Document Does
   NOT Claim").


2.  Terminology and Model

   The key words "MUST", "MUST NOT", "SHOULD", "MAY" are to be
   interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only
   when, they appear in all capitals.

   Vantage:        an independent host running clock-disciplined
                   measurement, synchronized to a common reference time
                   scale per [RFC5905].

   N:              the number of vantages, N >= 2.

   epsilon_i:      the true offset of vantage i's clock relative to the
                   common reference at the measurement instant
                   (epsilon_i > 0 means the clock is ahead).

   tau_i:          a declared upper bound on |epsilon_i|, taken from the
                   vantage's NTP tier (its stratum / synchronization
                   class).  tau_i is an operator-supplied calibration
                   input, NOT a number normatively fixed by [RFC5905];
                   representative values are tabulated in Appendix A.

   tau:            the worst (largest) declared bound in the bundle,
                   tau := max_i tau_i.  Mixed-tier bundles are bound by
                   their loosest clock.

   o_i:            the offset value vantage i PUBLISHES (its NTP-reported
                   clock offset, e.g. the offset computed from the
                   [RFC5905] Section 8 timestamp quadruple).

   S:              the cross-vantage span, S := max_i o_i - min_i o_i.

   D_theta:        the detector that raises a flag if and only if
                   S > theta, for a fixed threshold theta >= 0.


3.  Hypotheses (the conditions the theorems depend on)

   The theorems in Sections 4-7 are CONDITIONAL on the following.  Each
   is stated with a falsification path so a reviewer can break it.

   H1  Common reference.  All N vantages discipline to the same
       reference time scale (a common stratum-1/-2 source or an
       equivalent ensemble) for the duration of one measurement window.
       Falsification: per-vantage "refid" / source log diverges.

   H2  Honest offset publication under H0.  Under the null hypothesis
       (no attack), each vantage publishes o_i = epsilon_i with
       |epsilon_i| <= tau_i.  Estimator noise of the NTP offset
       computation is folded into tau_i (i.e. tau_i is taken large
       enough to also cover the measurement error of the offset itself).
       Falsification: a calibrated clock whose published offset exceeds
       its declared tier bound in the absence of attack.

   H3  Cardinality.  N >= 2.  (N >= 3 is required by the surrounding
       MVPS axioms for Byzantine tolerance, but the two theorems of this
       document hold for N >= 2.)  Falsification: trivial.

   These three hypotheses are the ENTIRE basis.  No distributional
   assumption on epsilon_i is made.


4.  Lemma 1: Legitimate Cross-Vantage Span Bound

   STATEMENT.  Under H1-H2 (no attack), the cross-vantage span satisfies

        S = max_i o_i - min_i o_i  <=  2*tau .

   PROOF.  By H2, o_i = epsilon_i and |epsilon_i| <= tau_i <= tau for
   every i, hence o_i in [-tau, +tau].  The span of a finite set
   contained in an interval of width 2*tau is at most 2*tau:

        max_i o_i - min_i o_i  <=  (+tau) - (-tau)  =  2*tau .   QED

   REMARK.  This is exactly the "2*eps_NTP" term that already appears in
   the joint-skew bound of the MVPS BBF-mesh profile
   ([I-D.melegassi-ganascim-mvps-bbf-mesh] Theorem T-MESH-1), there
   written "maximum pairwise skew <= 2*eps_NTP + tau_RTT_max".  Lemma 1
   is the propagation-free specialization.


5.  Theorem 1: A False-Positive-Free Threshold Exists and 2*tau Is the
    Smallest One

   STATEMENT.  Let D_theta flag iff S > theta.

   (a)  If theta >= 2*tau, then under H0 (H1-H2 hold, no attack) the
        detector NEVER flags: the false-positive probability against the
        [RFC5905]/[RFC8633] synchronization envelope is exactly zero,
        deterministically.

   (b)  theta = 2*tau is the SMALLEST such threshold: for any
        theta < 2*tau there exists a legitimate H0 configuration on
        which D_theta flags.

   PROOF.  (a)  By Lemma 1, S <= 2*tau <= theta under H0, so the event
   S > theta cannot occur.  No probability is involved; the bound is a
   set inclusion.

   (b)  Take N = 2 with epsilon_1 = +tau, epsilon_2 = -tau, both within
   tier (admissible under H2).  Then S = 2*tau.  For any theta < 2*tau,
   S = 2*tau > theta, so D_theta flags on a fully legitimate
   configuration.  Hence no threshold below 2*tau is false-positive
   free.   QED

   COROLLARY 1.1.  The unique smallest false-positive-free detector is
   D_{2*tau}.  Operators SHOULD set theta = 2*tau, where tau is the
   worst declared tier bound in the bundle.


6.  Theorem 2: Guaranteed Detection and the Minimum Detectable Offset

   We now model an on-path adversary consistent with [RFC7384]
   Section 3.2: by packet manipulation (3.2.1), spoofing (3.2.2), replay
   (3.2.3) or delay manipulation (3.2.6) the adversary imposes a single
   additive offset Delta > 0 on exactly one vantage k, so that vantage k
   publishes o_k = epsilon_k + Delta, while the other N-1 vantages remain
   within tier (|epsilon_i| <= tau, i != k).

   STATEMENT.

   (i)  [Worst case over legitimate placements.]  The infimum of the
        post-attack span over all admissible legitimate offsets is

             inf S'  =  max(0, Delta - 2*tau) .

        Consequently D_theta is GUARANTEED to flag (for every admissible
        placement of the honest clocks) if and only if

             Delta  >  theta + 2*tau .

   (ii) [Well-synchronized baseline.]  If the honest vantages are tightly
        synchronized (epsilon_i = 0 for i != k, and epsilon_k = 0 before
        the attack), then S' = Delta and D_theta flags iff Delta > theta.

   Hence, writing Delta_min for the smallest reliably detected offset,

             theta  <  Delta_min  <=  theta + 2*tau ,

   collapsing to Delta_min = theta in the tightly-synchronized baseline
   and to the worst-case guarantee Delta_min = theta + 2*tau in general.
   With the recommended theta = 2*tau (Corollary 1.1):

             Delta_min = 2*tau (baseline)   to   4*tau (worst case).

   PROOF of (i).  To minimize the post-attack span, the honest clocks and
   epsilon_k are chosen adversarially.  Cluster the N-1 honest points at
   a single value a in [-tau, tau] and write the attacked point as
   b + Delta with b = epsilon_k in [-tau, tau].  The two distinct points
   are {a, b + Delta}, so

             S'(a,b) = | a - (b + Delta) | = | (a - b) - Delta | .

   Over a, b in [-tau, tau] the difference a - b ranges over
   [-2*tau, 2*tau].  Thus (a - b) - Delta ranges over
   [-2*tau - Delta, 2*tau - Delta], and

        inf_{a,b} |(a - b) - Delta|
            = 0,              if Delta <= 2*tau  (0 is attainable),
            = Delta - 2*tau,  if Delta >  2*tau  (interval lies > 0).

   i.e. inf S' = max(0, Delta - 2*tau).  The detector is guaranteed to
   flag for ALL placements iff this infimum exceeds theta, i.e. iff
   Delta - 2*tau > theta.   QED

   PROOF of (ii).  With every honest offset 0 and epsilon_k = 0, the
   point set after attack is {0 (x (N-1)), Delta}, so S' = Delta and
   S' > theta iff Delta > theta.   QED

   REMARK (interpretation).  The "2*tau gap" between the baseline and the
   worst case is not slack to be engineered away: it is exactly the
   region in which a genuine within-tier skew of the honest clocks is
   indistinguishable from a small injected offset.  This indistinguish-
   ability is the same fact proven in Theorem 1(b); it is a property of
   the [RFC5905] envelope, not a deficiency of the detector.


7.  Corollary: Why a Single Host Cannot Self-Detect (and Two Can)

   STATEMENT.  A single client with one time source cannot, from its own
   observations alone, detect a consistent symmetric offset attack of
   magnitude Delta.  Two vantages on distinct paths can, per Theorem 2.

   ARGUMENT.  [RFC5905] Section 8 computes a client's offset from the
   timestamp quadruple (T1, T2, T3, T4) as
   theta_hat = ((T2 - T1) + (T3 - T4)) / 2.  A symmetric delay attack
   that adds d to both directions, or a server-time shift of Delta,
   leaves the client's internal consistency checks satisfied: there is
   no second, independent observable against which T-quadruple can be
   contradicted.  [RFC7384] Section 3.2.6 states this directly -- delay
   attacks "cannot be prevented by cryptographic means" and mitigation
   requires redundant, diverse paths.  The offset is therefore
   UNOBSERVABLE to a lone client.

   With N >= 2 vantages on distinct paths and a common reference, the
   attacked vantage's published offset diverges from the others, and
   Theorem 2 converts that divergence into a deterministic detection
   guarantee.  This is the precise, provable sense in which a multi-
   vantage construction adds detection power that no single [RFC5905]
   client possesses.

   This document claims nothing stronger: it does not prevent the
   attack, does not authenticate the exchange (that is [RFC8915] /
   [RFC8573]), and does not identify WHICH vantage is wrong without the
   N >= 3 Byzantine machinery of the surrounding MVPS axioms.


8.  Post-Detection AI Layer over the Collapsed Environment

   The deterministic detector of Sections 4-7 answers one question:
   "do the vantages still agree on time within their envelope?"  When
   the answer is no, the environment is, in the operational sense,
   COLLAPSING: clocks diverge, vantages may be going dark, telemetry
   thins.  The MVPS framework places an AI/LLM analysis layer on top of
   that signal [I-D.melegassi-mvps-ai-coherence].  This section states
   precisely -- and proves where it can -- what that layer can and
   cannot do.  The scope of every claim is tagged ANALYTICAL (a
   theorem), MODEL (a stated operating model), or CONJECTURE (open).

   Collapse model.  Let each of the N vantages independently still
   report in the current window with probability h in (0, 1] (the
   "environment health"; 1-h is the fraction gone dark through link
   failure, blackhole, or noise).  Let M be the number of survivors.

8.1.  Theorem 3: Collapse-Robustness of the FP-Free Gate  [ANALYTICAL]

   STATEMENT.

   (a)  For EVERY realization with M >= 2 survivors, the false-positive-
        free property of Theorem 1 holds verbatim with theta = 2*tau.
        No degree of telemetry collapse can manufacture a false alarm.

   (b)  If an offset Delta > theta is injected on one vantage k
        (baseline corner, Theorem 2(ii)), the probability the surviving
        bundle still catches it is, exactly,

           P_detect(h) = h * ( 1 - (1 - h)^(N-1) ) .

   PROOF.  (a)  Theorem 1(a) is a statement about the M surviving
   published offsets only; its proof (Lemma 1) used N nowhere.  Restrict
   the index set to the survivors: S_survivors <= 2*tau <= theta still
   holds.  Hence no false positive, for any M >= 2.

   (b)  The injected offset is observable only if vantage k itself
   survives (probability h) AND at least one other vantage survives to
   form a span (probability 1 - (1-h)^(N-1), by independence).  The two
   events are independent, giving the product.   QED

   READING.  Detection POWER degrades as the environment collapses, but
   the ZERO-false-alarm guarantee does not: the gate fails safe.  An
   aggregate (rather than pairwise) coherent statistic degrades on the
   smooth A*sqrt(h) slope rather than a cliff
   [I-D.melegassi-mvps-ai-coherence]; that aggregate refinement is
   tagged MODEL there and is not needed for (a)-(b) here.

8.2.  Theorem 4: The Data-Processing Ceiling on the AI Layer
      [ANALYTICAL]

   Let x be the (hidden) true state of the collapsed environment, y the
   published multi-vantage observations (offsets, spans, hop data) on
   which the gate fired, and g(y) any AI/LLM analysis of y -- a
   classification, an explanation, a remediation hint.  Because the LLM
   sees only y, the variables form a Markov chain

           x  ->  y  ->  g(y) .

   STATEMENT.  I( x ; g(y) )  <=  I( x ; y ).

   PROOF.  Direct application of the data-processing inequality
   [Cover-Thomas] to the chain x -> y -> g(y).   QED

   CONSEQUENCE (the honest division of labour).  No AI or LLM post-
   processing can recover information about the collapsed environment
   that the surviving vantages did not capture.  Therefore:

   o  DETECTION is the job of the deterministic gate (Theorems 1-3),
      whose guarantees are exact and adversary-independent.

   o  The AI/LLM layer's job is EXPLANATION within the information y
      already contains: naming the likely failure cause, ranking
      hypotheses, drafting an operator-readable account of the collapse.
      It provably cannot substitute for a missing vantage.

   This is why adding the LLM does not weaken any guarantee in this
   document: it operates strictly downstream of, and bounded by, the
   gated signal.  It also tells operators where the real lever is -- not
   a better model, but more/better-placed vantages (the Layer-3 program
   of [I-D.melegassi-mvps-ai-coherence], out of scope here).

8.3.  AI Decision Envelope (MODEL, not a theorem)

   On top of the proven gate, the framework reports an AI decision tier
   as a function of the detection power p
   [MVPS-AI-ENVELOPE]:

      tier        condition      meaning
      ---------   -----------    -----------------------------------
      PERFECT     p >= 0.90      full-confidence decision
      OPTIMAL     0.70 <= p<0.90 AI compensates; high confidence
      GOOD        0.55 <= p<0.70 AI still decides above legacy floor
      COLLAPSE    p <  0.55      degraded toward chance

   For a coherent effect spread across N = 32 vantages with the
   A*sqrt(h) model, the tier holds at PERFECT/OPTIMAL/GOOD down to
   h = 0.5 (half the telemetry lost) while a single-vantage monitor of
   the same spread effect never leaves COLLAPSE -- the "AI prevails
   where the environment collapses" envelope.

   SCOPE.  The tier thresholds (0.90 / 0.70 / 0.55) are DESIGN CHOICES,
   not theorems; the A*sqrt(h) degradation is a stated MODEL; embedding
   this envelope in a captured real attack is a CONJECTURE pending the
   live lab.  Any classification accuracy figure (e.g. the diagonal-
   Gaussian failure-cause classifier reported elsewhere at macro-F1
   ~ 0.72) is EMPIRICAL with a declared methodological semi-circularity
   and is explicitly NOT claimed as a guarantee here.


9.  Detection Latency: Binding the Gate to BFD Timing (RFC 5880)

   A detector is only as useful as it is fast: an attacker's dwell time
   is exactly the detection latency.  NTP's own disciplining is
   deliberately slow (poll intervals of seconds to thousands of
   seconds, [RFC5905] Section 13), and the legacy MVPS coherence tick is
   60 s.  This section binds the cross-vantage gate to the timing
   discipline of Bidirectional Forwarding Detection [RFC5880], whose
   detection time is itself a published closed form, and shows the gate
   inherits a tens-of-milliseconds latency WITHOUT weakening Theorem 1.

   Onset-phase model.  The gate samples on a tick lattice
   t_k = k*T_tick.  An injected offset Delta (large enough to be
   detectable by Theorem 2) appears at onset t_0 with phase
   phi := t_0 - floor(t_0/T_tick)*T_tick in [0, T_tick).  An alarm
   requires M consecutive above-threshold ticks (the detection
   multiplier).  tau_RTT >= 0 is the one-way latency for the alarm to
   reach the acting subscriber.

9.1.  Theorem 5: Closed-Form Detection-Latency Window (L_DL)
      [ANALYTICAL]

   STATEMENT.  Under the onset-phase model, the detection latency of the
   clock-skew gate is

        tau_detect(phi)  =  M*T_tick  -  phi  +  tau_RTT ,

   and therefore

        tau_min  =  (M - 1)*T_tick + tau_RTT      (best, phi -> T_tick^-)
        tau_E    =  (M - 1/2)*T_tick + tau_RTT     (expected, phi uniform)
        tau_max  =  M*T_tick + tau_RTT            (worst, phi = 0).

   All three are linear in M with slope T_tick; the spread
   tau_max - tau_min = T_tick is exactly one tick.

   PROOF.  The alarm fires at tick index k_0 + M, i.e. at
   t_alarm = (k_0 + M)*T_tick, so t_alarm - t_0 = M*T_tick - phi; adding
   tau_RTT gives tau_detect(phi).  The three corners follow by
   substituting phi -> T_tick^-, integrating uniformly, and substituting
   phi = 0.  This is Lemma L_DL, proved in full in
   [MVPS-L-DL] Section 2 and validated to the millisecond against the
   Coherence-BFD benchmark in its Section 4.   QED

   RFC 5880 binding.  Identify M with the BFD Detection Multiplier and
   T_tick with the negotiated BFD transmit interval ([RFC5880]
   Section 6.8.4, Detection Time = Detection Multiplier x transmit
   interval).  Then tau_max is exactly the BFD detection time plus one
   signalling latency tau_RTT.  The gate thus rides BFD's own,
   already-standardized liveness clock.

9.2.  Corollary: 1091x Dwell Reduction and M=1 Optimality  [ANALYTICAL]

   COROLLARY 5.1 (dwell reduction).  For the legacy tick (T_tick =
   60000 ms, M = 1, tau_RTT = 5 ms), tau_max = 60005 ms.  For a BFD-echo
   cadence (T_tick = 50 ms, M = 1, tau_RTT = 5 ms), tau_max = 55 ms.
   The attacker's offset-injection dwell window shrinks by a factor
   60005/55 ~ 1091.

   COROLLARY 5.2 (M = 1 optimality for a deterministic gate).  In a
   statistical detector the multiplier M > 1 exists to suppress false
   alarms.  Here it is unnecessary: by Theorem 1 the false-positive rate
   is identically zero at EVERY tick, independent of T_tick and M.
   Hence the latency-minimizing configuration M = 1 (fire on the first
   above-threshold tick) loses NOTHING in false alarms while achieving
   the smallest possible tau_max = T_tick + tau_RTT.  Acceleration to
   BFD cadence is, for this gate, free of any precision/false-alarm
   trade-off -- a property a statistical NTP-skew monitor does not have.

   READING.  An on-path adversary who injects a detectable clock offset
   ([RFC7384] Sections 3.2.2/3.2.3/3.2.6) is caught within
   T_tick + tau_RTT ~ tens of milliseconds at BFD cadence, versus tens
   of seconds at the legacy tick and versus the seconds-to-kiloseconds
   of NTP's own poll discipline -- with zero false alarms either way.


10.  Mapping to RFC 8633 Section 5.3 and RFC 7384

   [RFC8633] Section 5.3 ("Detection of Attacks through Monitoring")
   asks operators to monitor for attack signatures.  This document
   supplies one quantitative, host-external signature with proven error
   behavior:

      RFC 8633 Sec 5.3 request     This document
      ------------------------     -----------------------------------
      "monitor ... to detect"      D_{2*tau} over published offsets
      signature: bogus/zero/MAC    additive offset Delta (Theorem 2)
      (no false-alarm guarantee)   zero false alarms vs RFC 5905
                                   envelope (Theorem 1)

      RFC 7384 threat              Detected when ... (Theorem 2)
      ------------------------     -----------------------------------
      3.2.2 Spoofing               imposed offset Delta > theta+2*tau
      3.2.3 Replay                 (worst case) / Delta > theta
      3.2.6 Delay manipulation     (baseline); single-host blind by
                                   the Corollary of Section 7


11.  What This Document Does NOT Claim

   o  No change to the NTP wire protocol, packet format, modes, or
      algorithms.  NTPv4 [RFC5905] and NTPv5 (work in progress) are
      untouched.

   o  No replacement for authentication.  Integrity and server
      authentication remain [RFC8915] (NTS) and [RFC8573] (MAC).

   o  No relativity.  The only physical inequality used elsewhere in
      MVPS is the propagation lower bound RTT >= 2*d/v_g, a triangle
      inequality at the medium signal speed v_g.  Terrestrial IP
      propagation is sub-relativistic; this document makes NO appeal to
      special relativity, and the "Einstein"/"Lorentz" labels used in
      some companion material are editorial only and are avoided here.

   o  No detection below the envelope.  A stationary offset
      Delta <= theta (and, in the worst placement, Delta <= theta+2*tau)
      is provably indistinguishable from legitimate within-tier skew
      (Theorems 1(b), 2).  This is a hard limit, stated openly, not a
      deficiency to be tuned away.

   o  No single-host capability (Section 7).

   o  No AI/LLM detection.  By Theorem 4 the AI layer cannot detect what
      the vantages did not observe; it explains an already-gated
      collapse.  Its decision tiers and any accuracy figure are a stated
      MODEL / EMPIRICAL result (Section 8.3), never a guarantee.

   o  The tier bounds tau_i (Appendix A) are operator calibration
      inputs, not numbers fixed by any RFC.


12.  Empirical Confirmation (and the corner it does not exercise)

   The reference implementation (MVPS axis C10) was run against a graded
   single-vantage offset sweep Delta in {0, 1, 3, 10, 50, 200, 500} ms
   with the other vantages published at offset 0 and a stratum-1 tier
   (tau-class threshold 50 ms).  The detector did not fire at
   Delta <= 50 ms and fired at Delta = 200 ms and Delta = 500 ms.  This
   is exactly Theorem 2(ii) (baseline corner, flag iff Delta > theta)
   for the implementation's configured threshold.

   HONEST GAP.  Because every honest vantage was published at EXACTLY 0,
   this sweep exercises only the baseline corner.  It does NOT exercise
   (a) the worst-case placement of Theorem 2(i) (honest clocks spread to
   +/- tau), nor (b) the false-positive boundary of Theorem 1(b)
   (legitimate span = 2*tau).  A complete validation MUST add both
   corners; see the receipt produced alongside this document.


13.  Refinements the Theorems Suggest (constructive, non-normative)

   This document builds ON the NTP architecture [RFC5905], its security
   analysis [RFC7384], and its operational guidance [RFC8633]; nothing
   here is a criticism of that body of work.  The two items below are
   refinements the theorems let us make to OUR OWN reference
   implementation, recorded so other implementers can reproduce them and
   so the working group can question the conventions differently if it
   prefers.

   R1  Threshold convention (theta = tau vs theta = 2*tau).  Our
       reference code currently uses the per-vantage tier bound directly
       as the span threshold (theta = tau).  Theorem 1(b) shows the
       smallest FALSE-POSITIVE-FREE convention is theta = 2*tau, so we
       adopt 2*tau and state the choice openly.  This is a definitional
       matter, not an error: an operator who declares tau as ALREADY a
       pairwise (max-minus-min) envelope would correctly keep
       theta = tau.  The recommendation is therefore to state, per
       deployment, whether tau is a per-vantage or a pairwise bound, and
       to derive theta accordingly.  Reviewers are invited to challenge
       this convention.

   R2  Explicit "unverified" status when telemetry is absent.  When a
       bundle carries no clock-offset telemetry, the theorems say
       nothing can be concluded about agreement.  For transparency we
       recommend reporting an explicit "clock_unverified" status in that
       case rather than a bare "ok", so that a consumer is never led to
       infer agreement that was never measured.  This is a reporting
       improvement, fully backward compatible.


14.  Security Considerations

   The detector is a monitoring aid, not a control: it raises a flag,
   it does not correct or authenticate time.  An adversary who keeps an
   injected offset below the envelope (Delta <= theta in the baseline)
   is provably invisible to it; operators MUST treat the detector as a
   lower bound on detectable manipulation, layered beneath [RFC8915]
   authentication and [RFC8633] operational practice.  An adversary able
   to corrupt all vantages' published offsets identically defeats the
   span test; path and reference diversity (per [RFC7384] Section 3.2.6)
   is therefore a precondition, captured by Hypothesis H1.


15.  IANA Considerations

   This document has no IANA actions.


16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, June 2010,
              <https://www.rfc-editor.org/info/rfc5905>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174, May 2017.

16.2.  Informative References

   [RFC7384]  Mizrahi, T., "Security Requirements of Time Protocols in
              Packet Switched Networks", RFC 7384, October 2014,
              <https://www.rfc-editor.org/info/rfc7384>.

   [RFC8573]  Malhotra, A. and S. Goldberg, "Message Authentication Code
              for the Network Time Protocol", RFC 8573, June 2019.

   [RFC8633]  Reilly, D., Ed., Stenn, H., and D. Sibold, "Network Time
              Protocol Best Current Practices", BCP 223, RFC 8633,
              July 2019, <https://www.rfc-editor.org/info/rfc8633>.

   [RFC8915]  Franke, D., Sibold, D., Teichel, K., Dansarie, M., and
              R. Sundblad, "Network Time Security for the Network Time
              Protocol", RFC 8915, September 2020.

   [RFC5880]  Katz, D. and D. Ward, "Bidirectional Forwarding Detection
              (BFD)", RFC 5880, June 2010,
              <https://www.rfc-editor.org/info/rfc5880>.

   [MVPS-L-DL]
              Melegassi, L., "MVPS Detection-Latency Unified Lemma
              (L_DL)", Catellix technical note
              (docs/MVPS_DETECTION_LATENCY_LEMMA.txt and
              scripts/validate_detection_latency_lemma.py), 2026.

   [I-D.melegassi-coherence-bfd]
              Melegassi, L., "Coherence-BFD: Sub-Second Multi-Vantage
              Coherence Liveness", Work in Progress, Internet-Draft.

   [I-D.melegassi-ippm-mvps-bundle]
              Melegassi, L., "Multi-Vantage Path Snapshot (MVPS)",
              Work in Progress, Internet-Draft.

   [I-D.melegassi-ganascim-mvps-bbf-mesh]
              Ganascim, R., Melegassi, L., and G. Ganascim, "MVPS over
              the Broadband Forum CPE Stack", Work in Progress,
              Internet-Draft.

   [I-D.melegassi-mvps-ai-coherence]
              Melegassi, L., "AI/LLM Coherence Layer over MVPS", Work in
              Progress, Internet-Draft.

   [MVPS-AI-ENVELOPE]
              Melegassi, L., "Stealth-vs-Detection Envelope and AI
              Decision Tiers for MVPS", Catellix technical note
              (docs/MVPS_STEALTH_DETECTION_AI_ENVELOPE.txt and
              scripts/analyze_stealth_detection_ai_envelope.py), 2026.

   [Cover-Thomas]
              Cover, T. and J. Thomas, "Elements of Information Theory",
              2nd ed., Wiley, 2006 (data-processing inequality,
              Theorem 2.8.1).


Appendix A.  Worked Numbers per NTP Tier

   The tau values below are calibration inputs, not RFC-normative.  They
   reflect typical accuracy classes; operators MUST substitute their own.

      tier            tau (ms)   theta = 2*tau   Delta_min (baseline..worst)
      ------------    --------   -------------   ---------------------------
      atomic              1            2          2 ms  .. 4 ms
      gps_ptp             5           10         10 ms  .. 20 ms
      ntp_s1             50          100        100 ms  .. 200 ms
      ntp_s2            200          400        400 ms  .. 800 ms
      ntp_s3_plus       500         1000          1 s   .. 2 s

   Reading: a bundle whose loosest clock is stratum-3+ cannot, by
   Theorem 1, detect any injected offset smaller than ~1 s without
   additional (e.g. longitudinal) information; tightening the worst
   clock is the only way to lower Delta_min.


Appendix B.  Detection-Latency Variants (L_DL receipt)

   The worst-case latency tau_max = M*T_tick + tau_RTT of Theorem 5,
   evaluated for the five Coherence-BFD benchmark variants
   ([MVPS-L-DL] Section 4; tau_RTT = 5 ms throughout).  The p95 column
   is the measured benchmark; it matches tau_max to the millisecond.

      variant            T_tick(ms)  M   tau_max(ms)  p95(ms)
      ----------------   ----------  --  -----------  -------
      V0 legacy tick        60000     1      60005     60005
      V1 BFD fast              50     3        155       155
      V2 BFD demand          1000     1       1005      1005
      V3 BFD echo              50     1         55        55
      V4 BFD hybrid            50     3        155       155

   The latency-minimizing, false-alarm-free configuration is V3
   (M = 1, fastest tick): tau_max = T_tick + tau_RTT = 55 ms, a 1091x
   reduction from the legacy tick (Corollary 5.1) at zero false-alarm
   cost (Corollary 5.2).


Author's Address

   Leonardo Melegassi
   Catellix
   Email: melegassi@catellix.com
