netsec-sig - RE: [Security-WG] I2 - Turning off NTP?

Subject: Internet2 Network Security SIG

RE: [Security-WG] I2 - Turning off NTP?


  • From: "Magorian, Daniel F." <>
  • To: "" <>
  • Subject: RE: [Security-WG] I2 - Turning off NTP?
  • Date: Wed, 26 Jul 2017 14:23:28 +0000
  • Accept-language: en-US

PTP is a lot of work to get going and synced campus-wide, and also overkill for
most applications that don't really need µs timing. It's not really a
drop-in replacement, more like apples and oranges.

Dan

-----Original Message-----
From: [mailto:] On Behalf Of Michael H Lambert
Sent: Wednesday, July 26, 2017 10:12 AM
To:
Subject: Re: [Security-WG] I2 - Turning off NTP?

Would PTP be an option and, if so, does it expose the same risks as NTP?

Michael

> On 26 Jul 2017, at 09:16, gcbrowni
> <>
> wrote:
>
> Great points in the discussion.
>
> *) Accurate clock is convenient for looking at local logs
> *) More than Syslog timestamps, and third-party stamping can suffer from
> delays almost certainly resulting in out of order messages in some
> situations. (Corner? Common? Corner but when you need it most?)
> *) A potential impact to RPKI & route validation
> *) A Juniper website that turns up EX switch docs more than real JunOS
> docs. :)
>
>
> And on the risk
> *) Being forced to run a server. I find this decision from Juniper
> puzzling. There's lots of filter/ACL options, but "just don't listen on the
> port" doesn't seem to be one of them, beyond turning the entire NTP system off.
> *) There's some cost in man-hours to this, from getting the filters on the
> loop and edge and NTP correct, maintaining them, and dealing with anomalous
> messages in the syslog about xntpd … which STILL seem to occur. I.e., you
> have to do everything you should do when running a server.
> *) The … risk? of running a server that is a known vector if misconfigured,
> as well as yet another server for a "if the packet reaches the loopback
> filter it is too late" security advisory from Juniper.
>
>
> I don't think I2 has the "personalized support person" maintenance option
> anymore; does anyone else? It might be worth it to see what Juniper's
> response is to "why do we have to have a server to have correct time?" … and
> then of course the associated coordinated feature request. :)

-----
Michael H Lambert, GigaPoP Manager Phone: +1 412 268-4960
Pittsburgh Supercomputing Center/3ROX FAX: +1 412 268-5832
300 S Craig St, Pittsburgh, PA 15213 USA



Attachment: smime.p7s
Description: S/MIME cryptographic signature
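One way to fence in the listener the thread says cannot simply be switched off, as an added example (not from the thread and not from Juniper's documentation): a Junos loopback filter that accepts NTP only from the servers already configured under `system ntp`, and counts and discards everything else arriving on udp/123. The prefix-list and filter names are assumptions, and the final accept term is a placeholder for whatever the existing protect-RE filter already permits.

```junos
policy-options {
    prefix-list ntp-servers {
        /* built from the existing "system ntp server" entries, so the filter cannot drift from the NTP config */
        apply-path "system ntp server <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            /* replies from our own upstream servers are the only NTP the RE should see */
            term ntp-from-servers {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then accept;
            }
            /* anyone else reaching udp/123: count, then drop; probing shows up in the counter */
            term ntp-unsolicited {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    count ntp-unsolicited;
                    discard;
                }
            }
            /* placeholder only: a real RE filter lists the other permitted protocols here (Junos ends every filter with an implicit discard) */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

`show firewall filter protect-re` reports the `ntp-unsolicited` counter, which is the quickest check that stray queries are actually being dropped. As gcbrowni points out, a loopback filter only sees packets that already reached the RE, so edge filters on udp/123 toward the loopback addresses remain part of the job.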



