nanog mailing list archives

Re: NTP for ASBRs?


From: Kenneth McRae via NANOG <nanog () nanog org>
Date: Wed, 8 May 2019 07:31:28 -0700


You will also need to add your localhost as a source if you want to show the NTP association status on the router.

apply-flags omit;
term allow-ntp {
    from {
        source-prefix-list {
            ntp-server;
            localhost;
        }
        protocol udp;
        port ntp;
    }
    then {
        policer gen-use-1m;
        accept;
    }
}

show policy-options prefix-list localhost
apply-flags omit;
apply-path "interfaces lo0 unit 0 family inet address <*>";



On May 8, 2019, at 7:22 AM, Vincent Bernat <bernat () luffy cx> wrote:

❦  8 May 2019 09:56 +02, Lars Prehn <lprehn () mpi-inf mpg de>:

Do you NTP sync your AS boundary routers? If so, what are incentives
for doing so? Are there incentives, e.g. security considerations, not
to do it?

Ensure you have a firewall rule in place to prevent people from using your
router for NTP amplification. NTP clients are also servers. On Juniper
devices:

policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}

(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
-- 
Keep it simple to make it faster.
           - The Elements of Programming Style (Kernighan & Plauger)
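As an added illustration (not code from either poster), here is a small Python model of how the loopback-filter terms above decide on NTP packets, including the case Kenneth raises: without the localhost prefix-list, the router's own queries to itself are discarded. The lo0 address and NTP server address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values standing in for the apply-path expansions on the page.
LO0_ADDRESS = "192.0.2.1"        # "interfaces lo0 unit 0 family inet address <*>"
NTP_SERVERS = ["203.0.113.10"]   # "system ntp server <*>"

PREFIX_LISTS = {
    "ntp-server": [ipaddress.ip_network(s) for s in NTP_SERVERS],
    "localhost": [ipaddress.ip_network(LO0_ADDRESS)],
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def in_prefix_lists(addr: str, names) -> bool:
    """True if addr falls in any prefix of the named prefix-lists."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for name in names for net in PREFIX_LISTS[name])


def allow_ntp_term(pkt: Packet, source_lists) -> bool:
    """Model of the allow-ntp term: source-prefix-list, protocol udp, port ntp.
    Junos 'port' matches either the source or the destination port."""
    return (pkt.proto == "udp"
            and 123 in (pkt.sport, pkt.dport)
            and in_prefix_lists(pkt.src, source_lists))


def re_filter(pkt: Packet, source_lists=("ntp-server", "localhost")) -> str:
    """Decision for NTP traffic hitting the RE: accept if the term matches,
    otherwise the packet falls through to the filter's final discard."""
    return "accept" if allow_ntp_term(pkt, source_lists) else "discard"


if __name__ == "__main__":
    samples = {
        "reply from configured server": Packet("203.0.113.10", LO0_ADDRESS, "udp", 123, 123),
        "router querying itself via lo0": Packet(LO0_ADDRESS, LO0_ADDRESS, "udp", 50123, 123),
        "unsolicited query from the Internet": Packet("198.51.100.7", LO0_ADDRESS, "udp", 123, 123),
    }
    for label, pkt in samples.items():
        print(f"{label}: {re_filter(pkt)} (without localhost list: "
              f"{re_filter(pkt, ('ntp-server',))})")
```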

