netsec-sig - Re: [Security-WG] I2 - Turning off NTP?
Subject: Internet2 Network Security SIG
List archive
- From: Steven Wallace <>
- To:
- Subject: Re: [Security-WG] I2 - Turning off NTP?
- Date: Tue, 25 Jul 2017 10:07:40 -0400
- Ironport-phdr: 9a23:GvcNGRTp/essgDlTPCPVh/QpC9psv+yvbD5Q0YIujvd0So/mwa69YBeN2/xhgRfzUJnB7Loc0qyN4vCmATRIyK3CmUhKSIZLWR4BhJdetC0bK+nBN3fGKuX3ZTcxBsVIWQwt1Xi6NU9IBJS2PAWK8TW94jEIBxrwKxd+KPjrFY7OlcS30P2594HObwlSijewZbB/IA+qoQnNq8IbnZZsJqEtxxXTv3BGYf5WxWRmJVKSmxbz+MK994N9/ipTpvws6ddOXb31cKokQ7NYCi8mM30u683wqRbDVwqP6WACXWgQjxFFHhLK7BD+Xpf2ryv6qu9w0zSUMMHqUbw5Xymp4qF2QxHqlSgHLSY0/mHLhcN/kaxVrhyhqQJ9zIDXe4yVO+ZyfqbHcN8GWWZMXMBcXDFBDIOmaIsPCvIMM/tEr4bjuVsBsx2+DhSsC+z1zj9IgmX50rEk3O88FgzGxxcgHtwVvXTVsdX5LrkdXv2ozKTRyzjIcv1Y2TD46IfScxAhp+mBXbBtccrXyEkvDx3Kjk+KpYzjITyVyuIAuHWY4ep4Te+jlXIrpx1srjWq28shiZfGi4EQx1DK+yV13Jo5KNimREN1ZNOpFZtduzycOoBrWM0tWXtotzw/yrAeuZ60YiwKyJM/yh7acfOHcoyI7gj/W+aNPTh0nn1leKi5hxa17Ues0Oz8VtSu3FlUsyVFj8HAtnEL1xPN9siKUuVx8lu91TqS0g3f9+JJLl43mKfeJZ4hzKI8moYWvEjdECL7nUD7ga+Lekk8/+in8eXnYrHopp+GMI90jxnzMr81ms2xGuk4MxUOU3KF9uuhyb3v5Vf5T6lSjv0qjqnZt4jXJd8FqaGlHg9VyIcj6wq/Dju/3tUYkmIKLFZEeBKck4jpIE/CLOr5Dfe5n1Sjji1rx/bYMb39HJnBNGbMn6r8feU110kJ0wc40Mpe+4MRFb4pIfTvV1X3ucCCSBI1Ll+a2eHiXe5h250TXyqwC6udOajf+QuT/f0HIvTKaYMI7mWuY8M57uLj2Cdq0WQWerOkiMMa
Does this suggest they can be configured in client-only mode?
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/network-time-protocol-time-server-time-services-configuring-qfx-series.html
> On Jul 25, 2017, at 9:59 AM, gcbrowni
> <>
> wrote:
>
> I wonder if anyone would be interested in engaging in a though experiment
> with me on turning off NTP on the routers?
>
> The Junipers, I believe, act as both clients and servers for NTP, with no
> options for disabling the server capability other than through filtering. I
> wonder, then, what the impact of simply disabling ALL NTP on the router
> would be?
>
> 1) I think you loose some convenance capabilities as you look through log
> files on the router, assuming non-trivial clock drift. You have to show
> system time to recall that the router thinks its yesterday, before looking
> at the log files on the box proper.
>
> 2) You loose the ability to easily correlate messages between routers if
> their clocks don’t match. I suspect this is mostly a non-issue since
> most(?) are sending logs to something like Splunk which can stamp the time
> for correlation purposes? IE: the you stamp on Splunk and only look at time
> correlated/aggravated messages on that box then why do you need accurate
> clock on the routers proper?
>
> 3) I suppose there’s a corner case of a corner case where you loose your
> Splunk logs, and thus correlation and are forced to correlate ‘by hand’
> from the router logs proper.
>
> Anyone have thoughts or observations on this? I’m not proposing it be done,
> just asking some thought questions … is NTP still relevant on routers
> and/or does it justify the risk of running it?
>
> -G
>
>
>
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Steven Wallace, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Spurling, Shannon, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- <Possible follow-up(s)>
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Message not available
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Steven Wallace, 07/25/2017
Archive powered by MHonArc 2.6.19.