netsec-sig - Re: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

Re: [Security-WG] I2 - Turning off NTP?


  • From: Andrew Gallo <>
  • To:
  • Subject: Re: [Security-WG] I2 - Turning off NTP?
  • Date: Wed, 26 Jul 2017 09:47:33 -0400

I don't think that RPKI (origin validation) would be affected, since the crypto processing is done by an external validator. What I *think* might be a problem is full path validation, where each hop in an AS path has to sign advertisements and do crypto processing, most likely on the router. At least that's my understanding of how secureBGP is supposed to work. I'll see if I can glean anything from the SIDR working group docs.




On 7/26/2017 9:16 AM, gcbrowni wrote:
Great points in the discussion.

*) Accurate clock is convenient for looking at local logs
*) More than Syslog timestamps, and third-party stamping can suffer from
delays almost certainly resulting in out of order messages in some
situations. (Corner? Common? Corner but when you need it most?)
*) A potential impact to RPKI & route validation
*) A Juniper website that turns up EX switch docs more than real JunOS docs.
:)


And on the risk
*) Being forced to run a server. I find this decision from Juniper puzzling. There’s
lots of filter/acl options, but "just don’t listen on the port" doesn’t seem
to be one of them, beyond turning the entire NTP system off.
*) There’s some cost in man-hours to this, from getting the filters on the
loop and edge and NTP correct, maintaining them, and dealing with anomalous
messages in the syslog about xntpd … which STILL seem to occur. IE: you have
to do everything you should do when running a server.
*) The … risk? of running a server that is a known vector if misconfigured, as well as
yet another server for a "if the packet reaches the loopback filter it is too
late" security advisory from Juniper.


I don’t think I2 has the "personalized support person" maintenance option anymore; does
anyone else? It might be worth it to see what Juniper’s response is to "why do we have to have a
server to have correct time?" … and then of course the associated coordinated feature
request. :)



John & Andrew, could I get you to elaborate more on the potential drift
implications in RPKI & route validation?






--
________________________________
Andrew Gallo
The George Washington University


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
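The "filters on the loop" mitigation gcbrowni refers to above, written out as an added example (this is not configuration from the thread, from Juniper, or from Internet2). Since Junos does not offer a "don't listen" knob for NTP, the usual defensive pattern is a loopback (Routing Engine) input filter that accepts NTP only from the configured time servers and counts and discards everything else. All addresses are constructed placeholders from the RFC 5737 documentation ranges; the filter, term and prefix-list names are assumptions.

```junos
## Added example: restrict NTP on a Junos router to known time servers.
## Addresses are constructed documentation-range values, not real servers.

## The router's own NTP clients; source-address pins which loopback IP
## the queries leave from so the replies match the filter below.
set system ntp server 192.0.2.10
set system ntp server 192.0.2.11
set system ntp source-address 203.0.113.1

## The only hosts allowed to exchange NTP with the Routing Engine.
set policy-options prefix-list NTP-SERVERS 192.0.2.10/32
set policy-options prefix-list NTP-SERVERS 192.0.2.11/32

## Term 1: accept NTP (UDP/123) only from the listed servers.
set firewall family inet filter PROTECT-RE term ntp-from-servers from source-prefix-list NTP-SERVERS
set firewall family inet filter PROTECT-RE term ntp-from-servers from protocol udp
set firewall family inet filter PROTECT-RE term ntp-from-servers from port ntp
set firewall family inet filter PROTECT-RE term ntp-from-servers then accept

## Term 2: any other NTP aimed at the RE is counted (for syslog/visibility) and dropped.
set firewall family inet filter PROTECT-RE term ntp-deny from protocol udp
set firewall family inet filter PROTECT-RE term ntp-deny from destination-port ntp
set firewall family inet filter PROTECT-RE term ntp-deny then count ntp-dropped
set firewall family inet filter PROTECT-RE term ntp-deny then discard

## Final term: placeholder for the rest of a real RE-protection policy.
## A production filter would enumerate BGP, SSH, etc. and end in discard.
set firewall family inet filter PROTECT-RE term allow-rest then accept

## Apply on lo0 so it covers traffic to any RE address on any ingress interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After committing, `show firewall counter filter PROTECT-RE ntp-dropped` shows whether unsolicited NTP is actually reaching the loopback; a non-zero counter is the signal that the listener would otherwise have been exposed. The `port ntp` match in the accept term (rather than `source-port`) is deliberate: Junos ntpd sends its queries from UDP/123 as well, so replies from the servers arrive with both source and destination port 123.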



