netsec-sig - Re: [Security-WG] I2 - Turning off NTP?
Subject: Internet2 Network Security SIG
List archive
- From: Michael H Lambert <>
- To:
- Subject: Re: [Security-WG] I2 - Turning off NTP?
- Date: Wed, 26 Jul 2017 10:12:02 -0400
- Dkim-filter: OpenDKIM Filter v2.11.0 mailer2.psc.edu v6QEC4GW009913
- Ironport-phdr: 9a23:hmfhTBLH4Ur2cGPs5dmcpTZWNBhigK39O0sv0rFitYgRKf3xwZ3uMQTl6Ol3ixeRBMOAuqIC07KempujcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47xaFLIv3K98yMZFAnhOgppPOT1HZPZg9iq2+yo9ZDeZwZFiCChbb9uMR67sRjfus4KjIV4N60/0AHJonxGe+RXwWNnO1eelAvi68mz4ZBu7T1et+ou+MBcX6r6eb84TaFDAzQ9L281/szrugLdQgaJ+3ART38ZkhtMAwjC8RH6QpL8uTb0u+ZhxCWXO9D9QLYpUjqg8qhrUgflhicEOTEl/27ZhNF+g6BFrhKvoBJy2IHUbJ2QNPdkfqPRYdEXSGxcVchRTSxBBYa8YpMIAeoAIelYr5PyqEUKrRCjBwenGeXhxSVNhnDtw6I6yfghGhzB0QwkBd0OtW/bo8vvNKcOSu211LLIwinZY/xIxDj99ZHFfxY8qv+PRbJ9adfdxVcsGg/fk1mdqpLpMymX2+gRqWSX8vZsWOO3h2I6tQ18oSKjytovh4XXnI4Z11HJ+TljzIorONG1Skh2asO+HpRKrSGVLY52T9siQ252vCY6zaULuZuhcygLzJQo2QTfZ+Kdf4iQ+RLsSPydLilli3J4YL6/hhCy/la8yuDkS8W4zlVHojBYntTPqHwBzR7e5tSdRvdg4kus2C6D1wXJ5eFFJUA0m7DbK5kkwrMokpocq0HDETTol0XskK+bbV0k+vO05Oj9fLrpu4KcO5duig7iKqQuhtC/AeMgPwgVQWeU5fm81Kfi/U3lQLRGl/M3kqbCvZDeJMQbvbK5AxRL3oo56ha/CSum38oCnXkBMl1FZAyLg5L3NF7TPfCrRcu41k+hmypxxuzXe6LuKpTLMnXZlrr9J/Bw51MP5hA0yIV65plUA7wFaNK7fkb0vtHCEldtNwWxyev9FP1lzYhYVG6SVPzKeJjOuEOFs7p8a9KHY5UY7W7w
Would PTP be an option and, if so, does it expose the same risks as NTP?
Michael
> On 26 Jul 2017, at 09:16, gcbrowni
> <>
> wrote:
>
> Great points in the discussion.
>
> *) Accurate clock is convenient for looking at local logs
> *) More than Syslog timestamps, and third-party stamping can suffer from
> delays almost certainly resulting in out of order messages in some
> situations. (Corner? Common? Corner but when you need it most?)
> *) A potential impact to RPKI & route validation
> *) A Juniper website that turns up EX switch docs more than real JunOS
> docs. :)
>
>
> And on the risk
> *) Being forced to run a server. I find this decision from Juniper
> puzzling. There’s lots of filter/acl options, but "just don’t listen on the
> port" doesn’t seem to one of them, beyond turning the entire NTP system off.
> *) There’s some cost in man-hours to this, from getting the filters on the
> loop and edge and NTP correct, maintaining them, and dealing with anomalous
> message sin the syslog about xntpd … which STILL seem to occur. IE: you
> have to do everything you should do when running a server.
> *) The … risk? of running a server that is a known vector if misconfigured,
> as well as yet another server for a "if the packet reaches the loopback
> filter it is too late" security advisory from Juniper.
>
>
> I don’t think I2 has the "personalized support person" maintenance option
> anymore; does anyone else? It might be worth it to see what Juniper
> response is to "why do have to have a server to have correct time?" … and
> then of course the associated coordinated feature request. :)
-----
Michael H Lambert, GigaPoP Manager Phone: +1 412 268-4960
Pittsburgh Supercomputing Center/3ROX FAX: +1 412 268-5832
300 S Craig St, Pittsburgh, PA 15213 USA
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- Re: [Security-WG] I2 - Turning off NTP?, (continued)
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/25/2017
- Message not available
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Andrew Gallo, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Montgomery, Douglas (Fed), 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, gcbrowni, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Michael H Lambert, 07/26/2017
- RE: [Security-WG] I2 - Turning off NTP?, Magorian, Daniel F., 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Michael Hare, 07/27/2017
- Message not available
- Re: [Security-WG] I2 - Turning off NTP?, John Kristoff, 07/26/2017
- Re: [Security-WG] I2 - Turning off NTP?, Jeff Bartig, 07/25/2017
- RE: [Security-WG] I2 - Turning off NTP?, Anthony Brock, 07/25/2017
Archive powered by MHonArc 2.6.19.