Vincent Bernat Sent: Wednesday, May 8, 2019 3:22 PM
❦ 8 mai 2019 09:56 +02, Lars Prehn <lprehn@mpi-inf.mpg.de>:
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Ensure you have a firewall rule in place to prevent people from using your router for NTP amplification. NTP clients are also servers. On Juniper devices:
    policy-options {
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
    }
    firewall {
        /* ... */
        term accept-ntp {
            from {
                source-prefix-list {
                    ntp-servers;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer management-1m;
                accept;
            }
        }
    }
(see <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf> for more details).
--
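To make the effect of that term concrete, here is a small Python model of it, added as an illustration for this thread; it is not Vincent's configuration, not Junos code and not taken from the linked Day One book. It assumes `policer management-1m` is a single-rate policer of 1 Mbit/s with a 15 kB burst that discards excess (the page does not show its definition), uses constructed addresses (router 198.51.100.1, NTP servers 192.0.2.10 and 2001:db8::10) and constructed packets, and reports traffic the term does not match as "unmatched", since the rest of the filter is elided on the page.

```python
"""Model of the accept-ntp term: UDP/123 from configured NTP servers is
accepted subject to a 1 Mbit/s policer; UDP/123 from anyone else is
dropped, so spoofed reflection requests never reach the router's ntpd.
Added example with constructed packets; the policer parameters are
assumptions, not the page's 'management-1m' definition."""
import ipaddress
from dataclasses import dataclass

ROUTER = "198.51.100.1"  # constructed loopback address of the router


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    dport: int
    size: int    # bytes on the wire
    ts: float    # arrival time in seconds


class TokenBucketPolicer:
    """Single-rate policer: `bps` bits/s sustained, `burst` bytes of credit.
    Assumed definition of 'management-1m'; the page does not show it."""

    def __init__(self, bps: int, burst: int) -> None:
        self.rate = bps / 8        # bytes per second
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def conforms(self, size: int, ts: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False           # excess traffic is discarded by the policer


class NtpTerm:
    """The firewall term: source-prefix-list built from 'system ntp server'."""

    def __init__(self, ntp_servers, policer: TokenBucketPolicer) -> None:
        # apply-path "system ntp server <*>" -> one host prefix per server
        self.servers = [ipaddress.ip_network(s) for s in ntp_servers]
        self.policer = policer

    def evaluate(self, pkt: Packet) -> str:
        if not (pkt.proto == "udp" and pkt.dport == 123):
            return "unmatched"     # falls through to the filter's other terms
        src = ipaddress.ip_address(pkt.src)
        if not any(src in net for net in self.servers):
            return "discard"       # not a configured server: reflection attempt
        return "accept" if self.policer.conforms(pkt.size, pkt.ts) else "policed"


def run_demo() -> dict:
    """Run constructed traffic through the term and count the verdicts."""
    term = NtpTerm(["192.0.2.10", "2001:db8::10"],
                   TokenBucketPolicer(bps=1_000_000, burst=15_000))
    pkts = [
        Packet("192.0.2.10", ROUTER, "udp", 123, 48, 0.00),     # reply from our server
        Packet("203.0.113.5", ROUTER, "udp", 123, 48, 0.01),    # spoofed victim source
        Packet("198.51.100.77", ROUTER, "udp", 123, 48, 0.02),  # random scanner
        Packet("192.0.2.1", ROUTER, "tcp", 179, 60, 0.03),      # BGP: other terms decide
    ]
    # 100 x 1500-byte packets in 10 ms from a configured server (~120 Mbit/s):
    # the policer lets the 15 kB burst through and discards the rest
    pkts += [Packet("192.0.2.10", ROUTER, "udp", 123, 1500, 1.0 + i / 10_000)
             for i in range(100)]
    counts = {}
    for p in pkts:
        verdict = term.evaluate(p)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(run_demo())
```

Two caveats the model makes visible: the term matches only source address and port, not the NTP mode inside the payload, so it relies entirely on the configured servers being trustworthy; and it only protects the router if the filter's final term discards what nothing else accepted.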
You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s), right? ;)

adam