Hi everyone, do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it? Best regards, Lars
Dear Lars, On Wed, May 08, 2019 at 09:56:33AM +0200, Lars Prehn wrote:
do you NTP sync your AS boundary routers?
yes
If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
The major advantage of NTP syncing your routers is that it allows you to more effectively correlate any log messages that these devices emit to log messages other devices generated. Did two events happen at separate times, or was it perhaps the same event at the same time? The incentive is ease of troubleshooting.

On this topic, I strongly recommend operating all devices in the Etc/UTC timezone; this makes coordination with external entities much easier.

Kind regards, Job
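The correlation Job describes, as an added example that is not part of the thread or of any vendor's tooling: a small Python script that puts constructed syslog lines from two routers on one UTC timeline, groups lines that land within a couple of seconds of each other, and then shows how the grouping falls apart when one router's clock is off. The hostnames rtr-a/rtr-b, the log lines, the per-device timezone map and the 2-second window are all assumptions made up for the example.

```python
"""Put syslog lines from several routers on one UTC timeline and group
the ones that belong to the same event.  Added example, not from the
thread; the sample lines, hostnames and zones below are made up."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample: the same eBGP session drop seen from two routers.
# rtr-a runs in Etc/UTC; rtr-b was left in a UTC+2 local zone.
SAMPLE_LOGS = """\
May  8 07:56:33 rtr-a rpd[1412]: bgp_read_v4_message: NOTIFICATION received from 192.0.2.1 (External AS 64496)
May  8 09:56:34 rtr-b rpd[2201]: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle
May  8 08:12:05 rtr-a mgd[1533]: UI_COMMIT: User 'ops' requested 'commit' operation
"""

# Zone each device stamps its log lines in (assumption for the example).
DEVICE_TZ = {
    "rtr-a": timezone.utc,
    "rtr-b": timezone(timedelta(hours=2)),
}

# Classic BSD syslog header: no year, no zone, day may be space-padded.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year):
    """Return (utc_datetime, host, message) for one syslog line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line)
    naive = datetime.strptime(
        "%s %s %d %s" % (m["mon"], m["day"], year, m["time"]),
        "%b %d %Y %H:%M:%S",
    )
    zone = DEVICE_TZ.get(m["host"], timezone.utc)   # unknown host: assume UTC
    return naive.replace(tzinfo=zone).astimezone(timezone.utc), m["host"], m["msg"]


def utc_timeline(text, year):
    """Parse every line and sort by UTC time, regardless of origin zone."""
    events = [parse_line(line, year) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, window_seconds=2):
    """Group consecutive events no more than `window_seconds` apart.
    Lines from different devices that land in one group are candidates
    for being the same event seen twice."""
    window = timedelta(seconds=window_seconds)
    groups = []
    for ev in events:
        if groups and ev[0] - groups[-1][-1][0] <= window:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    return groups


def skewed(events, host, skew_seconds):
    """Simulate `host` running with an unsynced clock that is
    `skew_seconds` ahead; returns a re-sorted timeline."""
    shift = timedelta(seconds=skew_seconds)
    moved = [(t + shift, h, msg) if h == host else (t, h, msg) for t, h, msg in events]
    return sorted(moved, key=lambda e: e[0])


if __name__ == "__main__":
    timeline = utc_timeline(SAMPLE_LOGS, 2019)
    for n, group in enumerate(correlate(timeline), 1):
        print("event group %d:" % n)
        for t, host, msg in group:
            print("  %s %-6s %s" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg))
    print("groups with rtr-b 45 s fast:", len(correlate(skewed(timeline, "rtr-b", 45))))
```

With both clocks in sync the two BGP lines collapse into one group one second apart; with rtr-b 45 seconds fast they become separate groups, which is exactly the "two events or one?" ambiguity NTP sync removes. Running every device in UTC makes the DEVICE_TZ table unnecessary.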
On Wed, May 8, 2019 at 8:38 AM Job Snijders <job@ntt.net> wrote:
Dear Lars,
On Wed, May 08, 2019 at 09:56:33AM +0200, Lars Prehn wrote:
do you NTP sync your AS boundary routers?
yes
If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
The major advantage of NTP syncing your routers is that it allows you to more effectively correlate any log messages that these devices emit to log messages other devices generated.
Note that if you step into the wonderful world of streaming telemetry you MAY need to worry about certificate validation and time becomes important for that. Similarly any other usages of certificates on the devices will bring with it a stricter time regime.
❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn@mpi-inf.mpg.de>:
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Ensure you have a firewall rule in place to prevent people from using your router for NTP amplification. NTP clients are also servers. On Juniper devices:

    policy-options {
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
    }
    firewall {
        /* ... */
        term accept-ntp {
            from {
                source-prefix-list {
                    ntp-servers;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer management-1m;
                accept;
            }
        }
    }

(see <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf> for more details).
--
Keep it simple to make it faster.
- The Elements of Programming Style (Kernighan & Plauger)
You will also need to add your localhost as a source if you want to show the NTP association status on the router:

    apply-flags omit;
    term allow-ntp {
        from {
            source-prefix-list {
                ntp-server;
                localhost;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer gen-use-1m;
            accept;
        }
    }

    show policy-options prefix-list localhost
    apply-flags omit;
    apply-path "interfaces lo0 unit 0 family inet address <*>";
On May 8, 2019, at 7:22 AM, Vincent Bernat <bernat@luffy.cx> wrote:
❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn@mpi-inf.mpg.de>:
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Ensure you have a firewall rule in place to prevent people to use your router for NTP amplification. NTP clients are also servers. On Juniper devices:
    policy-options {
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
    }
    firewall {
        /* ... */
        term accept-ntp {
            from {
                source-prefix-list {
                    ntp-servers;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer management-1m;
                accept;
            }
        }
    }
(see <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf> for more details). -- Keep it simple to make it faster. - The Elements of Programming Style (Kernighan & Plauger)
On 8/May/19 16:22, Vincent Bernat wrote:
Ensure you have a firewall rule in place to prevent people to use your router for NTP amplification. NTP clients are also servers. On Juniper devices:
Yep, that's a nasty little situation in Junos that took me a week to figure out back in the day :-). Mark.
Vincent Bernat Sent: Wednesday, May 8, 2019 3:22 PM
❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn@mpi-inf.mpg.de>:
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Ensure you have a firewall rule in place to prevent people to use your router for NTP amplification. NTP clients are also servers. On Juniper devices:
    policy-options {
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
    }
    firewall {
        /* ... */
        term accept-ntp {
            from {
                source-prefix-list {
                    ntp-servers;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer management-1m;
                accept;
            }
        }
    }

(see <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf> for more details).
--
You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s) right? ;) adam
On 8/May/19 09:56, Lars Prehn wrote:
Hi everyone,
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Yes. There are probably a lot of technical reasons you will receive from folk, but ultimately, if you can get all your devices in sync re: time, simply, why not? Mark.
On Wed, May 8, 2019, at 14:21, Lars Prehn wrote:
Hi everyone,
do you NTP sync your AS boundary routers? If so, what are incentives for doing so? Are there incentives, e.g. security considerations, not to do it?
Hi, We (and I suppose a lot of others) do sync the border routers like any other network device: to our internal NTP servers, which are in their turn synchronized to other time sources. I don't see a reason to treat them differently.
participants (8):
- adamv0025@netconsultings.com
- Christopher Morrow
- Job Snijders
- Kenneth McRae
- Lars Prehn
- Mark Tinka
- Radu-Adrian Feurdean
- Vincent Bernat