NTP for ASBRs?
You will also need to add your localhost as a source if you want to show that ntp association status on the router
apply-flags omit;
term allow-ntp {
    from {
        source-prefix-list {
            ntp-server;
            localhost;
        }
        protocol udp;
        port ntp;
    }
    then {
        policer gen-use-1m;
        accept;
    }
}

show policy-options prefix-list localhost
apply-flags omit;
apply-path "interfaces lo0 unit 0 family inet address <*>";
> On May 8, 2019, at 7:22 AM, Vincent Bernat <bernat at luffy.cx> wrote:
>
> ❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn at mpi-inf.mpg.de>:
>
>> do you NTP sync your AS boundary routers? If so, what are incentives
>> for doing so? Are there incentives, e.g. security considerations, not
>> to do it?
>
> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:
>
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>     term accept-ntp {
>         from {
>             source-prefix-list {
>                 ntp-servers;
>             }
>             protocol udp;
>             port ntp;
>         }
>         then {
>             policer management-1m;
>             accept;
>         }
>     }
> }
>
> (see
> <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
> for more details).
> --
> Keep it simple to make it faster.
> - The Elements of Programming Style (Kernighan & Plauger)
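Putting the two replies together, as an added example that is not from either poster: both prefix-lists, the accept term, an explicit term that counts and discards every other UDP/123 packet, and the filter applied inbound on lo0 so it actually protects the Routing Engine. The filter, term and counter names (protect-re, discard-ntp, ntp-rejected) are my choices; the policer management-1m is assumed to be defined elsewhere, as in Vincent's snippet.

```junos
policy-options {
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
    prefix-list localhost {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            /* NTP only from configured servers and our own lo0 addresses */
            term accept-ntp {
                from {
                    source-prefix-list {
                        ntp-servers;
                        localhost;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    policer management-1m;
                    accept;
                }
            }
            /* Everything else on UDP/123 is dropped and counted */
            term discard-ntp {
                from {
                    protocol udp;
                    port ntp;
                }
                then {
                    count ntp-rejected;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The discard term must come before any general accept term in the same filter; `show firewall filter protect-re` then shows the ntp-rejected counter, a cheap indicator of how often the router is being probed as an amplifier.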