
netsec-sig - [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG


[Security-WG] I2 - Turning off NTP?

  • From: gcbrowni <>
  • Subject: [Security-WG] I2 - Turning off NTP?
  • Date: Tue, 25 Jul 2017 09:59:47 -0400

I wonder if anyone would be interested in engaging in a thought experiment
with me on turning off NTP on the routers?

The Junipers, I believe, act as both clients and servers for NTP, with no
options for disabling the server capability other than through filtering. I
wonder, then, what the impact of simply disabling ALL NTP on the router would
be?

1) I think you lose some convenience capabilities as you look through log
files on the router, assuming non-trivial clock drift. You have to show
system time to recall that the router thinks it's yesterday, before looking at
the log files on the box proper.

2) You lose the ability to easily correlate messages between routers if
their clocks don't match. I suspect this is mostly a non-issue since most(?)
are sending logs to something like Splunk which can stamp the time for
correlation purposes? I.e., if you stamp on Splunk and only look at time
correlated/aggregated messages on that box, then why do you need an accurate
clock on the routers proper?

3) I suppose there's a corner case of a corner case where you lose your
Splunk logs, and thus correlation, and are forced to correlate 'by hand' from
the router logs proper.

Anyone have thoughts or observations on this? I’m not proposing it be done,
just asking some thought questions … is NTP still relevant on routers and/or
does it justify the risk of running it?

-G
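The message notes that Junos offers no knob to stop the router answering NTP queries, only filtering. The following added example (not from the original post or from Juniper) shows the usual middle ground: keep the router an NTP client of known servers so log timestamps stay trustworthy, but drop everyone else's NTP queries at the routing engine. The server addresses, filter and counter names are assumptions; merge the NTP terms into whatever loopback filter is already in place.

```junos
# Keep the router as an NTP client of two trusted servers (addresses assumed).
system {
    ntp {
        server 192.0.2.10;
        server 192.0.2.11;
        # Optional: restrict which source address the queries leave from.
        source-address 192.0.2.1;
    }
}

firewall {
    family inet {
        filter protect-re {
            # Replies to our own queries come from the configured servers
            # with UDP source port 123; allow only those.
            term ntp-replies-from-servers {
                from {
                    source-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            # Any other packet aimed at UDP/123 is a client trying to use
            # the router as a server (or an amplification probe); count and drop.
            term ntp-queries-from-others {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-dropped;
                    discard;
                }
            }
            # Placeholder: a real RE filter ends with explicit terms for BGP,
            # SSH, SNMP etc. and a final discard. Shown as accept here so the
            # example only changes NTP behaviour when merged.
            term everything-else {
                then accept;
            }
        }
    }
}

# Apply the filter to traffic destined for the routing engine.
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

`show firewall filter protect-re` exposes the `ntp-dropped` counter, which gives a cheap way to see how many outside hosts were actually treating the router as an NTP server before deciding whether NTP is worth keeping.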







