netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

Re: [Security-WG] I2 - Turning off NTP?


  • From: Steven Wallace <>
  • To:
  • Subject: Re: [Security-WG] I2 - Turning off NTP?
  • Date: Tue, 25 Jul 2017 10:07:40 -0400

Does this suggest they can be configured in client-only mode?

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-time-server-time-services-configuring-qfx-series.html


> On Jul 25, 2017, at 9:59 AM, gcbrowni <> wrote:
>
> I wonder if anyone would be interested in engaging in a thought experiment
> with me on turning off NTP on the routers?
>
> The Junipers, I believe, act as both clients and servers for NTP, with no
> options for disabling the server capability other than through filtering. I
> wonder, then, what the impact of simply disabling ALL NTP on the router
> would be?
>
> 1) I think you lose some convenience capabilities as you look through log
> files on the router, assuming non-trivial clock drift. You have to show
> system time to recall that the router thinks it's yesterday, before looking
> at the log files on the box proper.
>
> 2) You lose the ability to easily correlate messages between routers if
> their clocks don't match. I suspect this is mostly a non-issue since
> most(?) are sending logs to something like Splunk which can stamp the time
> for correlation purposes? I.e., if you stamp on Splunk and only look at time
> correlated/aggregated messages on that box, then why do you need an accurate
> clock on the routers proper?
>
> 3) I suppose there's a corner case of a corner case where you lose your
> Splunk logs, and thus correlation, and are forced to correlate 'by hand'
> from the router logs proper.
>
> Anyone have thoughts or observations on this? I’m not proposing it be done,
> just asking some thought questions … is NTP still relevant on routers
> and/or does it justify the risk of running it?
>
> -G

Attachment: smime.p7s
Description: S/MIME cryptographic signature
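The filtering approach gcbrowni mentions, as an added Junos configuration example that is not from the thread or from Juniper's documentation: the router stays an NTP client of two assumed upstream servers (the 192.0.2.x and 203.0.113.1 addresses are placeholders), while a loopback input filter discards NTP queries from any other source, so the router cannot be used as a time server; the final accept-all term stands in for the rest of a real routing-engine protection filter, which would normally carry many more terms.

```junos
system {
    ntp {
        /* assumed upstream time sources; the router polls these as a client */
        server 192.0.2.10;
        server 192.0.2.11;
        /* assumed loopback address used as the source of NTP queries */
        source-address 203.0.113.1;
    }
}
policy-options {
    prefix-list NTP-SERVERS {
        192.0.2.10/32;
        192.0.2.11/32;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* replies from the configured servers are the only NTP traffic the RE needs */
            term ntp-from-configured-servers {
                from {
                    source-prefix-list {
                        NTP-SERVERS;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            /* everything else aimed at UDP/123 is dropped and counted, so the router never answers as a server */
            term ntp-deny-everything-else {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-dropped;
                    discard;
                }
            }
            /* placeholder for the remaining routing-engine protection terms */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

After committing, `show firewall filter PROTECT-RE` shows the `ntp-dropped` counter climbing if anything is still trying to use the router as a time server, while `show ntp associations` confirms the client side is still synchronizing.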



