Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] I2 - Turning off NTP?


Chronological Thread 
  • From: Andrew Gallo <>
  • To:
  • Subject: Re: [Security-WG] I2 - Turning off NTP?
  • Date: Tue, 25 Jul 2017 17:07:18 -0400
  • Ironport-phdr: 9a23:Bt81URcaFH3lJkwryd9hK1IhlGMj4u6mDksu8pMizoh2WeGdxcu8bR7h7PlgxGXEQZ/co6odzbGH4+a4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9GiTe5Yr5+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v6bpgRh31hycdLzM37X/ZisJwgqxYrhyuqRNwzIzIb4yOO/pyYrnQcM8GSWdPXMtcUTFKDIOmb4sICuoMJfpVr4/gqFsUsxS/CxSnCuL1xT9Mgn/22rAx3uM7HgHJxgMgG9YOsHPPodX6OqYSTPq5w7fVwjXedv5b3yr25obPchAku/6MXLRwfNLTyUkyEQPFj02QppL/Pz+P0OQCrXSb4ux9Xuysk24qsxx9riasy8s2l4XEh40YxkrL+Ch52oo5OMO0RFZmbdK6E5ZcrTyWOop5T884Xm1ltjw2xqMAtJWmZiYF0o4nyATaa/Gfc4iH/BbjVOGJLDd9nn1leba/hw6o8Ue9xO3zTdS70FNLryZYi9XMrXUN1wDL6sSdVPR95V2t2TmB1gDO8O1LP107lbfDJ54gxL4/iIYTvFzeEiPom0j6lrKae0Qr9+Sy5OnqYq/qqoKCO4NsjwHxKKUumsixAeQiNQgOWnCW9v6z1LL5+U35RLJKg+Y5kqjXrZDWP9oUqbOkAwNNyIYs9w6/Dyu60NQfhXQHN0xKdw6aj4jzOlHOPPD5Ae6xglSjizprw/HGPqb9ApXWMHTPirbhfbBh60FC0gozy85Q545KBr0bPv38R1Lx55TkCUoiPgep2ef7GZBi2asfX36CGKmULPmUvFOVtcw1JOzZTYkZojviY9cs4/rpxSswllYZea6B0oQKLn20A6I1cA2ifXPwj4JZQi8xtQ0kQbmyhQ==

On a whim, I tried adding restriction configurations to ntp.conf directly on
an MX (/var/etc/ntp.conf):
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery


You have to HUP the process (because there is no 'restart ntp' in the CLI).
The daemon will honor this configuration, but I'm sure you can figure out
what happens next- if any changes to ntp are made via the CLI, and the daemon
is restarted during a commit, these lines disappear.




On 7/25/2017 1:13 PM, Jeff Bartig wrote:

That page is specific to the Juniper E-series, a TDM aggregation platform Juniper had acquired. It doesn't run JUNOS. Seeing "junose" (note the "E" on the end) in the URL is a good indication you've wandered onto pages you aren't interested in on Juniper's web site.

On 7/25/17, 11:53 AM, Anthony Brock wrote:
We don't run Juniper (yet), but doesn't the following imply that an ACL can be applied?

http://www.juniper.net/documentation/en_US/junose14.2/topics/reference/command-summary/ntp-access-group.html

Also, I am very concerned about local clock drift. While we do send logs to an external collector, I've been involved in too many situations where the logs failed to be sent (either due to high CPU load, loss of connectivity, or some other weird event) to be comfortable without NTP on the individual routers.

Tony


-----Original Message-----
From: [mailto:] On Behalf Of John Kristoff
Sent: Tuesday, July 25, 2017 9:07 AM
To:
gcbrowni<>
Cc:

Subject: Re: [Security-WG] I2 - Turning off NTP?

On Tue, 25 Jul 2017 13:59:47 +0000
gcbrowni<>
wrote:

I wonder if anyone would be interested in engaging in a though
experiment with me on turning off NTP on the routers?

Might the question be more general, such as "what would the effect of not having a synchronized clock on a router be?" Or do you care specifically about NTP?

2) You loose the ability to easily correlate messages between routers
if their clocks don’t match. I suspect this is mostly a non-issue
since most(?) are sending logs to something like Splunk which can
stamp the time for correlation purposes?

Won't some log collectors also keep the time stamp from the local system? So the inconvenience may be more widespread.

If you want to do RPKI, having an accurate notion is going to be desirable.

You might also want good clocks for NetFlow/IPFIX collectors if you export flows.

Anyone have thoughts or observations on this?

It seems unlikely to cause any serious operational issues on most networks, but I'm not convinced removing it is better than keeping it.
I think the inconvenience is going to add up quickly for most "serious"
operators.

is NTP still relevant on routers and/or does it justify the risk of
running it?

Perhaps enumerate the risks as well. Depending on the router for example, a default, accessible NTP service:

* may unwittingly become a reflector/amplifier
* may enable an information leak
* may present a CPU/packet DoS condition
* may expose an unauthenticated path into the system

John



--
________________________________
Andrew Gallo
The George Washington University


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature




Archive powered by MHonArc 2.6.19.

Top of Page