netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] I2 - Turning off NTP?

From: Jeff Bartig <>
To:
Cc: 'gcbrowni' <>
Subject: Re: [Security-WG] I2 - Turning off NTP?
Date: Tue, 25 Jul 2017 12:13:52 -0500
Authentication-results: internet2.edu; dkim=none (message not signed) header.d=none;internet2.edu; dmarc=none action=none header.from=internet2.edu;
Ironport-phdr: 9a23:ShRWsxbbnHJZusRof/FDxQD/LSx+4OfEezUN459isYplN5qZr8u5bnLW6fgltlLVR4KTs6sC0LuG9fi4EUU7or+5+EgYd5JNUxJXwe43pCcHRPC/NEvgMfTxZDY7FskRHHVs/nW8LFQHUJ2mPw6arXK99yMdFQviPgRpOOv1BpTSj8Oq3Oyu5pHfeQtFiT6+bL9oMBm6sRjau9ULj4dlNqs/0AbCrGFSe+RRy2NoJFaTkAj568yt4pNt8Dletuw4+cJYXqr0Y6o3TbpDDDQ7KG81/9HktQPCTQSU+HQRVHgdnwdSDAjE6BH6WYrxsjf/u+Fg1iSWIdH6QLYpUjmk8qxlSgLniD0fOjA6/m/ZisJ/g61Frhy8qRxwwZLbYICOOfVkYq/SZ8kVSXZbU8tTUSFKH4Oyb5EID+oEJetWq5fyp1UArRCjGASjHvnvyiNJhn/5wKY31OYhHhrc0ww6A9IOsXvUoc70NKcUTeC60rPIzTPdYPNKxzvx8pbHfQ08ofyVW797bMTfyU4qFwzfj1WQr5ToPyuL2esTqWib7uxgVe2yhGE8sQ1+vj+vxsI0honLm4IVzFHE9T1nz4YvP9G4TlB0YcKiHZBNtC+aL5N7Tt0/T2xpoio3xKMKtYSmcCUJ1Jgr3QPTZv+Zf4SQ/x7vSOmcLS1miH9qdr+znQu+/Eeix+HmSMW4zVlHoyxYmdfWrH8NzQbc6s2fR/t94Eih3TGP2hjL5OxYJk44ibfXJ4c8z7AomJcfqEPDETTol0nsi6+Wa1kk9fOv6+T6ZLXpu4WQN5duigH5LqQhhNCwAfg5MggJWWiX4+O81KD//U39R7VKif42nrPFv5DdIMQXvq+5AwlL3YY/8xuzESqq3dUCkXQJMl5JYg+Lgov1N13UPfz1Dumzj0ypkDhxxvDGOrPhAo/KLnjGiLrhf61y5FRGyAovzNBf6IlZCrAHIPLvREDxrtrYAQElMwCq2eroFshy1p4GVWKVHqCZKL/SsUOP5u83OOmDepMauCvnK/gk+/7vjWY1mFESfaSy2ZsXaWu4Huh9I0mHe3bsg9EBEXsUsQokSuzllkGCXSBJa3msQq08+2JzNIXzForIW5qsnK3EwyiTH5tKa3pAB0zWV3rkataqQfAJPQCfLMEpuDUeSbmuA9sj3xi0qA7147thMufO/CAE79Tu2MUjtL6brg076TEhV5fV6GqKVWwhxm4=
Spamdiagnosticoutput: 1:0

That page is specific to the Juniper E-series, a TDM aggregation platform Juniper had acquired. It doesn't run JUNOS. Seeing "junose" (note the "E" on the end) in the URL is a good indication you've wandered onto pages you aren't interested in on Juniper's web site.

On 7/25/17, 11:53 AM, Anthony Brock wrote:

We don't run Juniper (yet), but doesn't the following imply that an ACL can be applied?

http://www.juniper.net/documentation/en_US/junose14.2/topics/reference/command-summary/ntp-access-group.html

Also, I am very concerned about local clock drift. While we do send logs to an external collector, I've been involved in too many situations where the logs failed to be sent (either due to high CPU load, loss of connectivity, or some other weird event) to be comfortable without NTP on the individual routers.

Tony


-----Original Message-----
From:  [] On Behalf Of John Kristoff
Sent: Tuesday, July 25, 2017 9:07 AM
To: gcbrowni 
Cc: 
Subject: Re: [Security-WG] I2 - Turning off NTP?

On Tue, 25 Jul 2017 13:59:47 +0000
gcbrowni  wrote:

I wonder if anyone would be interested in engaging in a though 
experiment with me on turning off NTP on the routers?

Might the question be more general, such as "what would the effect of not having a synchronized clock on a router be?"  Or do you care specifically about NTP?

2) You loose the ability to easily correlate messages between routers 
if their clocks don’t match. I suspect this is mostly a non-issue 
since most(?) are sending logs to something like Splunk which can 
stamp the time for correlation purposes?

Won't some log collectors also keep the time stamp from the local system?  So the inconvenience may be more widespread.

If you want to do RPKI, having an accurate notion is going to be desirable.

You might also want good clocks for NetFlow/IPFIX collectors if you export flows.

Anyone have thoughts or observations on this?

It seems unlikely to cause any serious operational issues on most networks, but I'm not convinced removing it is better than keeping it.
I think the inconvenience is going to add up quickly for most "serious"
operators.

is NTP still relevant on routers and/or does it justify the risk of 
running it?

Perhaps enumerate the risks as well.  Depending on the router for example, a default, accessible NTP service:

  * may unwittingly become a reflector/amplifier
  * may enable an information leak
  * may present a CPU/packet DoS condition
  * may expose an unauthenticated path into the system

John

--
Jeff Bartig
Interconnection Architect
Internet2 AS11164 / AS11537
+1-608-616-9908

[Security-WG] I2 - Turning off NTP?, gcbrowni, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Steven Wallace, 07/25/2017
  - Re: [Security-WG] I2 - Turning off NTP?, Spurling, Shannon, 07/25/2017
  - Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- <Possible follow-up(s)>
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
  - RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
    - Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
      - Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
      - Message not available
        
        Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
        
        Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
        
        Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/26/2017
        Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
        Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
        
        Re: [Security-WG] I2 - Turning off NTP?, Michael H Lambert, 07/26/2017
        RE: [Security-WG] I2 - Turning off NTP?, Magorian, Daniel F., 07/26/2017
        
        RE: [Security-WG] I2 - Turning off NTP?, Michael Hare, 07/27/2017
        
        Message not available
        
        Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/26/2017

List archive

Re: [Security-WG] I2 - Turning off NTP?