NTP for ASBRs?
> Vincent Bernat
> Sent: Wednesday, May 8, 2019 3:22 PM
>
> ❦ 8 May 2019 09:56 +02, Lars Prehn <lprehn at mpi-inf.mpg.de>:
>
> > do you NTP sync your AS boundary routers? If so, what are incentives
> > for doing so? Are there incentives, e.g. security considerations, not
> > to do it?
>
> Ensure you have a firewall rule in place to prevent people from using your router
> for NTP amplification. NTP clients are also servers. On Juniper
> devices:
>
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>     term accept-ntp {
>         from {
>             source-prefix-list {
>                 ntp-servers;
>             }
>             protocol udp;
>             port ntp;
>         }
>         then {
>             policer management-1m;
>             accept;
>         }
>     }
> }
>
> (see
> <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
> for more details).
> --
You mean in addition to iACLs allowing only BGP and ICMP to your "infrastructure" IP address block(s), right? ;)
adam
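
The accept-ntp term quoted above, modelled in Python as an added example (not part of either poster's message): it expands the apply-path prefix list from a constructed "system ntp" stanza and evaluates constructed packets against the term's match conditions. It assumes no elided term accepts NTP, so unmatched packets are discarded; the policer is not modelled.

```python
import ipaddress
import re

# Constructed sample config; addresses are documentation prefixes, not real servers.
SAMPLE_CONFIG = """
system {
    ntp {
        server 192.0.2.10;
        server 198.51.100.20;
    }
}
"""
NTP_PORT = 123


def expand_apply_path(config):
    """Mimic apply-path "system ntp server <*>": one host prefix per server.

    Simplification: matches any 'server <address>;' line instead of walking
    the configuration hierarchy."""
    hosts = re.findall(r"^\s*server\s+([0-9A-Fa-f.:]+)\s*;", config, re.MULTILINE)
    return [ipaddress.ip_network(h) for h in hosts]


def accept_ntp_matches(pkt, ntp_servers):
    """'from' clause of term accept-ntp: every condition must hold."""
    src = ipaddress.ip_address(pkt["src"])
    return (
        any(src in net for net in ntp_servers)        # source-prefix-list ntp-servers
        and pkt["proto"] == "udp"                     # protocol udp
        and NTP_PORT in (pkt["sport"], pkt["dport"])  # port ntp: source or destination
    )


def filter_action(pkt, ntp_servers):
    # Assumption: no elided term accepts NTP, so unmatched packets are discarded.
    return "accept" if accept_ntp_matches(pkt, ntp_servers) else "discard"


# Constructed packets arriving at the routing engine.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "proto": "udp", "sport": 123, "dport": 123},      # configured server
    {"src": "203.0.113.50", "proto": "udp", "sport": 40000, "dport": 123},  # unlisted source
    {"src": "192.0.2.10", "proto": "tcp", "sport": 123, "dport": 123},      # wrong protocol
    {"src": "198.51.100.20", "proto": "udp", "sport": 53, "dport": 5353},   # not NTP
]

if __name__ == "__main__":
    servers = expand_apply_path(SAMPLE_CONFIG)
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], pkt["proto"], pkt["dport"], "->", filter_action(pkt, servers))
```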