netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG


Re: [Security-WG] I2 - Turning off NTP?

  • From: gcbrowni <>
  • Subject: Re: [Security-WG] I2 - Turning off NTP?
  • Date: Wed, 26 Jul 2017 09:16:36 -0400

Great points in the discussion.

*) An accurate clock is convenient for looking at local logs.
*) More than syslog timestamps: third-party stamping can also suffer from
delays, almost certainly resulting in out-of-order messages in some
situations. (Corner? Common? Corner, but when you need it most?)
*) A potential impact to RPKI & route validation.
*) A Juniper website that turns up EX switch docs more than real JunOS docs.
:)


And on the risk
*) Being forced to run a server. I find this decision from Juniper puzzling.
There are lots of filter/ACL options, but "just don't listen on the port"
doesn't seem to be one of them, beyond turning the entire NTP system off.
*) There's some cost in man-hours to this, from getting the filters on the
loop and edge and NTP itself correct, maintaining them, and dealing with
anomalous messages in the syslog about xntpd … which STILL seem to occur.
I.e.: you have to do everything you should do when running a server.
*) The … risk? of running a server that is a known vector if misconfigured,
as well as yet another server for a "if the packet reaches the loopback
filter it is too late" security advisory from Juniper.


I don't think I2 has the "personalized support person" maintenance option
anymore; does anyone else? It might be worth it to see what Juniper's
response is to "why do we have to have a server to have correct time?" … and
then of course the associated coordinated feature request. :)



John & Andrew, could I get you to elaborate more on the potential drift
implications in RPKI & route validation?





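As an added illustration of the "filters on the loop ... and NTP correct" work the message above describes, here is a minimal JunOS loopback filter fragment that lets the box keep its NTP client while only answering udp/123 traffic from the servers it is actually configured to use. This is example configuration written for this archive page, not Juniper's documentation or anything posted in the thread; the server addresses 192.0.2.10/11, the loopback address 198.51.100.1 and the filter name protect-re are constructed placeholders.

```junos
system {
    ntp {
        /* Constructed example servers; replace with your real NTP sources. */
        server 192.0.2.10;
        server 192.0.2.11;
        /* Pin the source address so server replies are addressed to the
           loopback and match the accept term below. */
        source-address 198.51.100.1;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* NTP replies come from the configured servers, udp/123 to udp/123.
               Accept only those; nothing else on udp/123 reaches ntpd. */
            term ntp-from-configured-servers {
                from {
                    source-address {
                        192.0.2.10/32;
                        192.0.2.11/32;
                    }
                    destination-address {
                        198.51.100.1/32;
                    }
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then accept;
            }
            /* Every other packet aimed at udp/123 (client queries, mode 6/7
               control requests) is counted and dropped. The counter is what
               tells you the filter is doing work, and what to look at when
               xntpd syslog messages show up anyway. */
            term ntp-deny-others {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-rejected;
                    discard;
                }
            }
            /* The real filter continues here with explicit terms for your
               routing protocols and management traffic; those terms are
               deliberately left out of this example. */
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 198.51.100.1/32;
            }
        }
    }
}
```

After committing, `show firewall filter protect-re` shows the ntp-rejected counter climbing if anything besides the configured servers is hitting the port, and `show ntp associations` confirms the client side still synchronizes. The caveat from the message still applies: the lo0 filter only acts once the packet has already been classified for the routing engine, so an edge-interface filter that drops udp/123 from the outside world in front of this one is the layer that addresses "if the packet reaches the loopback filter it is too late".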