netsec-sig - Re: [Security-WG] I2 - Turning off NTP?
Subject: Internet2 Network Security SIG
- From: Andrew Gallo <>
- Subject: Re: [Security-WG] I2 - Turning off NTP?
- Date: Tue, 25 Jul 2017 10:17:06 -0400
I'd be very wary of turning off NTP.
I agree that most devices are sending log messages to something that will timestamp them. The loss of Splunk or its data isn't necessarily an issue, but I can easily imagine a scenario where a device gets isolated and can't send its logs; having local logs with accurate timestamps is helpful.
Shouldn't clients be denied from reaching the NTP daemon on the router via loopback filters? In our env, I can query the router's NTP daemon only if I'm on a trusted subnet. From any other subnet, ntpq times out.
Also, what would this mean for anything requiring certificates, specifically BGP path validation? Wouldn't the routers need to agree on a common clock?
On 7/25/2017 9:59 AM, gcbrowni wrote:
I wonder if anyone would be interested in engaging in a thought experiment
with me on turning off NTP on the routers?
The Junipers, I believe, act as both clients and servers for NTP, with no
options for disabling the server capability other than through filtering. I
wonder, then, what the impact of simply disabling ALL NTP on the router would
be?
1) I think you lose some convenience capabilities as you look through log
files on the router, assuming non-trivial clock drift. You have to show
system time to recall that the router thinks it's yesterday, before looking at
the log files on the box proper.
2) You lose the ability to easily correlate messages between routers if
their clocks don't match. I suspect this is mostly a non-issue since most(?)
are sending logs to something like Splunk which can stamp the time for
correlation purposes? I.e., if you stamp on Splunk and only look at time
correlated/aggregated messages on that box, then why do you need an accurate
clock on the routers proper?
3) I suppose there's a corner case of a corner case where you lose your
Splunk logs, and thus correlation, and are forced to correlate 'by hand' from
the router logs proper.
Anyone have thoughts or observations on this? I’m not proposing it be done,
just asking some thought questions … is NTP still relevant on routers and/or
does it justify the risk of running it?
-G
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
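Andrew's point above is that the NTP server side of a Junos box can be left running but fenced off with a loopback (lo0) filter, so that only the router's configured upstream servers and a trusted management subnet can talk to UDP/123 on the RE. The configuration below is an added illustration of that approach, not a config from anyone in the thread; the filter and prefix-list names, the server addresses 192.0.2.10/192.0.2.11 and the trusted subnet 198.51.100.0/24 are placeholders for this example.

```junos
/* Example only: names and addresses are placeholders, not from the thread. */
system {
    ntp {
        /* Upstream servers the router itself syncs from (assumed addresses). */
        server 192.0.2.10;
        server 192.0.2.11;
    }
}
policy-options {
    /* Subnet allowed to query the router's NTP daemon, e.g. with ntpq (assumed). */
    prefix-list trusted-mgmt {
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Replies from our configured servers: src and dst port 123. */
            term ntp-from-servers {
                from {
                    source-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                    protocol udp;
                    source-port 123;
                    destination-port 123;
                }
                then accept;
            }
            /* ntpq/ntpdate from the trusted subnet: ephemeral src port to dst 123. */
            term ntp-from-trusted {
                from {
                    source-prefix-list {
                        trusted-mgmt;
                    }
                    protocol udp;
                    destination-port 123;
                }
                then accept;
            }
            /* Everyone else gets nothing; count drops so you can see who is probing. */
            term ntp-deny {
                from {
                    protocol udp;
                    destination-port 123;
                }
                then {
                    count ntp-rejected;
                    discard;
                }
            }
            /* Remaining RE traffic is handled by the rest of your RE filter. */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

With this in place, `ntpq -p <router>` from 198.51.100.0/24 answers while the same query from any other subnet times out, matching the behaviour Andrew describes; `show firewall filter protect-re` on the router shows the `ntp-rejected` counter climbing for the blocked attempts. The `ntp-from-servers` term is the one people tend to forget: a filter that only admits the trusted subnet also drops the replies the router's own NTP client needs, and the clock quietly starts drifting. Keep the final `default` term in mind too; a real RE filter usually ends in a discard after explicit accepts, and this fragment only shows the NTP-specific terms.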
- [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Steven Wallace, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Spurling, Shannon, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Michael H Lambert, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Steven Wallace, 07/25/2017