nanog mailing list archives

RE: NTP for ASBRs?


From: <adamv0025 () netconsultings com>
Date: Wed, 8 May 2019 17:25:06 +0100

Vincent Bernat
Sent: Wednesday, May 8, 2019 3:22 PM

 ❦  8 May 2019 09:56 +02, Lars Prehn <lprehn () mpi-inf mpg de>:

do you NTP sync your AS boundary routers? If so, what are incentives
for doing so? Are there incentives, e.g. security considerations, not
to do it?

Ensure you have a firewall rule in place to prevent people from using your router
for NTP amplification. NTP clients are also servers. On Juniper
devices:

policy-options {
    prefix-list ntp-servers {
        /* built from the configured NTP servers, so it tracks changes to them */
        apply-path "system ntp server <*>";
    }
}
firewall {
    /* ... */
    term accept-ntp {
        from {
            source-prefix-list {
                ntp-servers;
            }
            protocol udp;
            port ntp;
        }
        then {
            policer management-1m;
            accept;
        }
    }
}

(see
<https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
for more details).
--

You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s), right? ;)

adam
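
The following is an added example, not code from this thread, from Juniper or from the Day One book linked above. It models a Junos loopback (Routing Engine protection) filter with first-match semantics and the implicit final discard, and runs Vincent's accept-ntp term together with the kind of iACL Adam alludes to (BGP and ICMP only, to the infrastructure block) against a handful of constructed packets. The addresses (RFC 5737 documentation ranges), the NTP server list, the BGP peer and the sample packets are all assumptions made up for the illustration; the NTP mode decoding follows the RFC 5905 header layout.

```python
"""Added example (not from the NANOG thread or from Juniper): a first-match
model of a Junos loopback filter, used to check that Vincent's accept-ntp term
plus an iACL admitting only BGP and ICMP to the infrastructure block leaves no
path for an Internet host to use the router as an NTP reflector.
All addresses, peers and packets below are constructed (RFC 5737 ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

# Constructed: what "system ntp server" and the eBGP neighbour list would hold.
NTP_SERVERS = [Net("192.0.2.10/32"), Net("192.0.2.11/32")]
BGP_PEERS = [Net("203.0.113.1/32")]
INFRA_BLOCK = [Net("198.51.100.0/24")]      # loopbacks / link nets of our routers


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


@dataclass
class Term:
    name: str
    action: str                         # "accept" or "discard"
    src: Optional[List[Net]] = None     # source-prefix-list; None = any
    dst: Optional[List[Net]] = None     # destination-prefix-list; None = any
    proto: Optional[str] = None
    port: Optional[int] = None          # Junos 'port N' matches source OR destination port
    policer: Optional[str] = None       # recorded only; rate limiting is not simulated


def ntp_mode(payload: bytes) -> Optional[int]:
    """NTP mode is the low three bits of the first header byte (RFC 5905):
    3 = client query, 4 = server reply, 7 = private/control (the old monlist path)."""
    return payload[0] & 0x07 if payload else None


def term_matches(term: Term, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if term.src is not None and not any(src in n for n in term.src):
        return False
    if term.dst is not None and not any(dst in n for n in term.dst):
        return False
    if term.proto is not None and pkt.proto != term.proto:
        return False
    if term.port is not None and term.port not in (pkt.sport, pkt.dport):
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet):
    """First matching term wins. A Junos filter ends with an implicit discard,
    which is what actually drops the stray NTP queries: accept-ntp alone
    never rejects anything."""
    for t in terms:
        if term_matches(t, pkt):
            return t.name, t.action
    return "implicit-discard", "discard"


# The loopback filter: Vincent's accept-ntp term plus the iACL terms.
LOOPBACK_FILTER = [
    Term("accept-ntp", "accept", src=NTP_SERVERS, proto="udp", port=123, policer="management-1m"),
    Term("accept-bgp", "accept", src=BGP_PEERS, dst=INFRA_BLOCK, proto="tcp", port=179),
    Term("accept-icmp", "accept", dst=INFRA_BLOCK, proto="icmp", policer="management-1m"),
]

NTP_QUERY = bytes([0x23]) + bytes(47)      # LI=0 VN=4 mode=3
NTP_REPLY = bytes([0x24]) + bytes(47)      # LI=0 VN=4 mode=4
NTP_MODE7 = bytes([0x27]) + bytes(47)      # LI=0 VN=4 mode=7

# Constructed traffic arriving at the router loopback 198.51.100.1.
SAMPLES = {
    "reflection attempt (mode 3 from Internet host)":
        Packet("203.0.113.77", "198.51.100.1", "udp", 44444, 123, NTP_QUERY),
    "mode 7 probe from Internet host":
        Packet("203.0.113.77", "198.51.100.1", "udp", 44445, 123, NTP_MODE7),
    "reply from configured NTP server":
        Packet("192.0.2.10", "198.51.100.1", "udp", 123, 51234, NTP_REPLY),
    "query spoofed with NTP server's address":
        Packet("192.0.2.10", "198.51.100.1", "udp", 123, 123, NTP_QUERY),
    "eBGP session from configured peer":
        Packet("203.0.113.1", "198.51.100.1", "tcp", 40000, 179),
    "SSH from Internet host":
        Packet("203.0.113.77", "198.51.100.1", "tcp", 40001, 22),
}


def audit(samples=SAMPLES, terms=LOOPBACK_FILTER) -> dict:
    """Return {description: (term, action, ntp_mode)} for every sample packet."""
    return {desc: (*evaluate(terms, p), ntp_mode(p.payload)) for desc, p in samples.items()}


if __name__ == "__main__":
    for desc, (term, action, mode) in audit().items():
        suffix = f" (NTP mode {mode})" if mode is not None else ""
        print(f"{action:8} {term:17} {desc}{suffix}")
```

Two things the run makes visible: the NTP queries from the arbitrary Internet host only die because of the implicit discard at the end of the filter, so the accept-ntp term is useless on its own, and a query whose source is spoofed as one of the configured NTP servers is still accepted. That residual case is bounded by the policer, and any reply the router generates goes back to the real server's address rather than to a third-party victim, so it does not give an attacker a reflector aimed at a target of their choosing.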


