Internet2 Network Security SIG

[Andrew Gallo <>]

On a whim, I tried adding restriction configurations to ntp.conf directly on 
an MX (/var/etc/ntp.conf):
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery


You have to HUP the process (because there is no 'restart ntp' in the CLI).  
The daemon will honor this configuration, but I'm sure you can figure out 
what happens next- if any changes to ntp are made via the CLI, and the daemon 
is restarted during a commit, these lines disappear.




On 7/25/2017 1:13 PM, Jeff Bartig wrote:
> That page is specific to the Juniper E-series, a TDM aggregation 
> platform Juniper had acquired.  It doesn't run JUNOS.  Seeing "junose" 
> (note the "E" on the end) in the URL is a good indication you've 
> wandered onto pages you aren't interested in on Juniper's web site.
>
> On 7/25/17, 11:53 AM, Anthony Brock wrote:
> > We don't run Juniper (yet), but doesn't the following imply that an 
> > ACL can be applied?
> >
> > http://www.juniper.net/documentation/en_US/junose14.2/topics/reference/command-summary/ntp-access-group.html 
> >
> >
> > Also, I am very concerned about local clock drift. While we do send 
> > logs to an external collector, I've been involved in too many 
> > situations where the logs failed to be sent (either due to high CPU 
> > load, loss of connectivity, or some other weird event) to be 
> > comfortable without NTP on the individual routers.
> >
> > Tony
> >
> >
> > -----Original Message-----
> > From:  
> > [mailto:] On Behalf Of John Kristoff
> > Sent: Tuesday, July 25, 2017 9:07 AM
> > To: 
> > gcbrowni<>
> > Cc: 
> >
> > Subject: Re: [Security-WG] I2 - Turning off NTP?
> >
> > On Tue, 25 Jul 2017 13:59:47 +0000
> > gcbrowni<>
> >   wrote:
> >
> > > I wonder if anyone would be interested in engaging in a though
> > > experiment with me on turning off NTP on the routers?
> >
> > Might the question be more general, such as "what would the effect of 
> > not having a synchronized clock on a router be?"  Or do you care 
> > specifically about NTP?
> >
> > > 2) You loose the ability to easily correlate messages between routers
> > > if their clocks don’t match. I suspect this is mostly a non-issue
> > > since most(?) are sending logs to something like Splunk which can
> > > stamp the time for correlation purposes?
> >
> > Won't some log collectors also keep the time stamp from the local 
> > system?  So the inconvenience may be more widespread.
> >
> > If you want to do RPKI, having an accurate notion is going to be 
> > desirable.
> >
> > You might also want good clocks for NetFlow/IPFIX collectors if you 
> > export flows.
> >
> > > Anyone have thoughts or observations on this?
> >
> > It seems unlikely to cause any serious operational issues on most 
> > networks, but I'm not convinced removing it is better than keeping it.
> > I think the inconvenience is going to add up quickly for most "serious"
> > operators.
> >
> > > is NTP still relevant on routers and/or does it justify the risk of
> > > running it?
> >
> > Perhaps enumerate the risks as well.  Depending on the router for 
> > example, a default, accessible NTP service:
> >
> >    * may unwittingly become a reflector/amplifier
> >    * may enable an information leak
> >    * may present a CPU/packet DoS condition
> >    * may expose an unauthenticated path into the system
> >
> > John

--
________________________________
Andrew Gallo
The George Washington University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature